Created May 06, 2022 by Administrator@rootMaintainer

Privacy Violation: Autocomplete - http://zero.webappsecurity.com:80/adcenter.cgi

Created by: armorcodegithubapp[bot]

Category: Privacy Violation: Autocomplete
Instance Id: 50d978fa-ff66-4ce9-b399-6f8e3fb9f398
Vulnerability Id: "de0227ad-14ae-4363-9dc5-68a544c54cfb"
Scan Type: Dynamic
CheckType: Best Practices

Abstract: Most recent browsers have features that save form field content entered by users and then automatically complete form entry the next time the fields are encountered. This feature is enabled by default and could leak sensitive information, since the saved content is stored on the user's hard drive. The risk of this issue is greatly increased if users are accessing the application from a shared environment. Recommendations include setting autocomplete to "off" on all your forms.

Request:

GET /adcenter.cgi HTTP/1.1
Referer: http://zero.webappsecurity.com:80/pindex.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Pragma: no-cache
Host: zero.webappsecurity.com
X-Scan-Memo: Category="Crawl"; Function="CreateStateRequest"; SID="8B91FAA33009378BA04E34B6FD189311"; PSID="DDAF520E2E30901117999914F5CB2876"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="51"; ThreadType="CrawlBreadthFirstDBReader";
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect69383ZXB3FCEA2CCD6849B0A63D3EFF65615601Y3637;status=yes;username=;userid=;sessionid=;ASPSESSIONIDCARBTACT=BFDJMBECKAHAMJENBDMOPBPC;state=;passes3=;passes=;passes2=

Response:

Content-Length: 3118
Content-Type: application/octet-stream
Last-Modified: Sun, 15 Jul 2001 22:38:20 GMT
Accept-Ranges: bytes
ETag: "016f4d87edc11:277c"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Fri, 13 May 2011 19:45:00 GMT

<HTML>
<HEAD>
<TITLE>AdCenter Login Page</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" LINK="#0000FF" VLINK="#0000FF">
<CENTER>
<TABLE CELLPADDING=0 CELLSPACING=0 WIDTH=625 BORDER=0 BGCOLOR="#33CC99">
<TR>
<TD>
<IMG SRC="http://www.heardinthehive.com/adimages/account_header.gif" WIDTH="625" HEIGHT="45" BORDER=0>
</TD>
</TR>
</TABLE>
<TABLE CELLPADDING=4 CELLSPACING=0 WIDTH=625 BORDER=0 BGCOLOR="#33CC99">
<TR>
<TD>
<CENTER>
<iframe src="http://pluto.adcycle.com/go/adcycle.cgi?group=1&media=1&id=681&delivery=iframe" height=60 width=468 border=0 marginheight=0 scrolling=no marginwidth=0 frameborder=no>
<a href="http://pluto.adcycle.com/go/adclick.cgi?manager=adcycle.com&id=681" target="_top"><img src="http://pluto.adcycle.com/go/adcycle.cgi?group=1&media=1&id=681" width=468 height=60 border=1 ALT="Click to Visit"></a>
</iframe><BR>
</CENTER>
</TD>
</TR>
</TABLE>
<TABLE CELLPADDING=0 CELLSPACING=0 WIDTH=625 BORDER=0>
<TR>
<TD BGCOLOR="#33CC99" VALIGN="TOP">
<IMG SRC="http://www.heardinthehive.com/adimages/clear.gif" WIDTH=20 HEIGHT=55><BR>
</TD>
<TD>
<IMG SRC="http://www.heardinthehive.com/adimages/top_blend.gif" WIDTH=585 HEIGHT=15><BR>
<TABLE CELLPADDING=20 CELLSPACING=0 width="100%" BORDER=0>
<TR>
<TD BGCOLOR="#FFFFFF">
&nbsp;<BR>
<FORM NAME="form1" ACTION="http://www.heardinthehive.com/cgi-bin/adcycle/adcenter.cgi" METHOD="GET">
<TABLE CELLPADDING=3 CELLSPACING=0 BORDER=0 BGCOLOR="000000">
<TR>
<TD ALIGN=LEFT WIDTH=95%>
<FONT FACE="VERDANA,ARIAL" SIZE=2 COLOR="WHITE"><STRONG>&nbsp;Account Login</STRONG></FONT>
</TD>
</TR>
<TR>
<TD BGCOLOR="FFFFFF">
<FONT FACE="VERDANA,ARIAL" SIZE=2>
User Name: <FONT FACE="VERDANA,ARIAL" SIZE=3><INPUT TYPE="TEXT" NAME="account" VALUE="" SIZE=14></FONT><BR>
<IMG SRC="http://www.heardinthehive.com/adimages/clear.gif" WIDTH=1 HEIGHT=4><BR>
<FONT FACE="VERDANA,ARIAL" SIZE=2>
Password: <FONT FACE="VERDANA,ARIAL" SIZE=3><INPUT TYPE="PASSWORD" NAME="pwd" VALUE="" SIZE=12></FONT><BR>
<FONT SIZE=2 FACE="VERDANA,ARIAL"><b>
&nbsp;<BR>
<INPUT TYPE="SUBMIT" NAME="change" VALUE="Login">
</TD>
</TR>
</TABLE>
<INPUT TYPE="HIDDEN" NAME="cache" VALUE="681">
</FORM>

<SCRIPT LANGUAGE="JavaScript">
<!--
var MC=document.cookie;
var temp;
if(MC){
	var start=MC.indexOf("!!");
	var end=MC.indexOf("!!",start+2);
	temp=MC.substring(start+2,end);
	if(temp.length > 1 && temp.length < 20){
		document.form1.account.value=temp;
	}
}
// -->
</SCRIPT>

&nbsp;<BR>
</TD>
</TR>
</TABLE>
<IMG SRC="http://www.heardinthehive.com/adimages/bottom_blend.gif" WIDTH=585 HEIGHT=15><BR>
</TD>
<TD BGCOLOR="#33CC99"><IMG SRC="http://www.heardinthehive.com/adimages/clear.gif" WIDTH=20 HEIGHT=1><BR></TD>
</TR>
</TABLE>
<IMG SRC="http://www.heardinthehive.com/adimages/account_footer.gif" WIDTH=625 HEIGHT=25><BR>
<TABLE CELLPADDING=0 CELLSPACING=0 WIDTH=625 BORDER=0>
<TR>
<TD align=right>
<font face=arial size=1>powered by <a href="http://www.adcycle.com">adcycle.com</a> v0.77b <IMG SRC="http://www.heardinthehive.com/adimages/clear.gif" WIDTH=20 HEIGHT=1><BR>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

File Path: //zero.webappsecurity.com:0

https://app.armorcode.com/#/findings/69499988
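As an added example (not part of this finding, of WebInspect, or of the scanned application), the Python script below re-implements the check the scanner ran: it parses a trimmed copy of the login form from the captured response and reports every free-text input in a credential form that leaves browser autofill enabled. A hardened variant of the same form is included for comparison; the hardened form, its `example.invalid` action URL and the use of POST are assumptions, not something the page shows. The script goes slightly beyond the scanner's check in one respect: it also flags a password field submitted with METHOD=GET, as this form does, because that puts the credential into the query string where server logs, browser history and Referer headers can record it. Two caveats for anyone acting on this finding: current browsers' password managers ignore autocomplete="off" on username and password fields, so the attribute curbs form-history autofill but does not stop credential storage in a password manager, which is why the scanner files this under "Best Practices"; and the page's own inline script re-populates the account field from a cookie value delimited by "!!", so the username persists client-side regardless of the attribute, which this check does not cover.

```python
"""Added example: audit a captured HTML document for the scanner's
"Privacy Violation: Autocomplete" condition. Uses only the standard library
so it runs offline over an inline sample. Not WebInspect's or ArmorCode's code."""
from html.parser import HTMLParser

# Constructed sample: a trimmed copy of the form in the captured response.
VULNERABLE_FORM = """
<FORM NAME="form1" ACTION="http://www.heardinthehive.com/cgi-bin/adcycle/adcenter.cgi" METHOD="GET">
User Name: <INPUT TYPE="TEXT" NAME="account" VALUE="" SIZE=14>
Password: <INPUT TYPE="PASSWORD" NAME="pwd" VALUE="" SIZE=12>
<INPUT TYPE="SUBMIT" NAME="change" VALUE="Login">
<INPUT TYPE="HIDDEN" NAME="cache" VALUE="681">
</FORM>
"""

# Assumed hardened variant (hypothetical action URL; POST; autofill opted out).
HARDENED_FORM = """
<form name="form1" action="https://example.invalid/adcenter.cgi" method="POST" autocomplete="off">
User Name: <input type="text" name="account" autocomplete="off">
Password: <input type="password" name="pwd" autocomplete="off">
<input type="submit" name="change" value="Login">
<input type="hidden" name="cache" value="681">
</form>
"""

# Input types whose typed content a browser may remember; "" means the
# default (type=text). Submit, hidden, checkbox etc. are not autofilled.
FREE_TEXT_TYPES = {"text", "password", "search", "email", "tel", "url", ""}

# Values that opt the field out of form-history autofill.
OPT_OUT_VALUES = {"off", "new-password"}


class FormAuditor(HTMLParser):
    """Collect each <form> with its <input>s. html.parser lowercases tag and
    attribute names for us; attribute values are normalised explicitly."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "name": a.get("name"),
                "method": (a.get("method") or "GET").upper(),  # HTML default is GET
                "autocomplete": (a.get("autocomplete") or "").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "").lower(),
                "name": a.get("name"),
                "autocomplete": (a.get("autocomplete") or "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_autocomplete(html):
    """Return one finding string per input that leaves autofill enabled inside a
    form that collects a password, plus one per password field sent by GET."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue  # only credential forms are in scope for this check
        for inp in form["inputs"]:
            if inp["type"] not in FREE_TEXT_TYPES:
                continue
            # An input-level attribute overrides the form-level one.
            effective = inp["autocomplete"] or form["autocomplete"]
            if effective not in OPT_OUT_VALUES:
                findings.append(
                    f"autocomplete not disabled on input '{inp['name']}' in form '{form['name']}'")
            if inp["type"] == "password" and form["method"] == "GET":
                findings.append(
                    f"password field '{inp['name']}' submitted via GET in form '{form['name']}'")
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_FORM), ("hardened", HARDENED_FORM)):
        print(label)
        for finding in audit_autocomplete(doc) or ["no findings"]:
            print("  -", finding)
```

Run against the captured form it reports the two inputs the scanner objected to plus the GET submission; run against the hardened variant it reports nothing. To audit a real response, feed the saved body to `audit_autocomplete` instead of the inline sample.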
