HTTP parameter pollution

Vulnerability description

This script is possibly vulnerable to HTTP Parameter Pollution attacks.

HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If the web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either clientside or server-side attacks.

This vulnerability affects /news/events/.

Discovered by: Scripting (HTTP_Parameter_Pollution.script).

Attack details

URL encoded GET input city was set to 156&n973845=v906453

Parameter precedence: last occurrence

Affected link: /retail/?city=156&n973845=v906453&shop=1572&map=yes

Affected parameter: city=156

--------------------------------------------------------------------------------------------

Cross site scripting (verified)

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /admin/login.php.

Discovered by: Scripting (XSS.script).

Attack details

URL encoded POST input login was set to ticmeuga'"()&%prompt(923610)

---------------------------------------------------------------------------