The URL is like this: http://website.com/?msg=Message sent successfully
But anyone can come and change "Message sent successfully" to whatever they want.
try this... SORRY EZYFILE
http://www.ezyfile.net/?msg=%3Cscript%3Ealert(%22CROSS SITE SCRIPTING%22)%3C/script%3E
I'll post them here:
LINE: 446 $ses->redirect("$c->{site_url}/?msg=Message sent successfully");
LINE: 1581 $ses->redirect("$c->{site_url}/?msg=Report sent successfully");
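
One way to close this off, as an added example that is not part of the original post or the script's own code: the redirect carries only a short key, and the page looks that key up in a fixed table and HTML-escapes the result before printing it. The names `%MESSAGES`, `status_url`, `render_msg`, `html_escape` and the keys `msg_sent` / `report_sent` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fixed table of status texts (hypothetical keys). The URL carries only the key,
# so nothing a visitor types into ?msg= is ever echoed back into the page.
my %MESSAGES = (
    msg_sent    => 'Message sent successfully',
    report_sent => 'Report sent successfully',
);

# Escape the HTML-significant characters before any value reaches the page.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Build the redirect target. At the two call sites quoted above this would be
# used as: $ses->redirect(status_url($c->{site_url}, 'msg_sent'));
sub status_url {
    my ($site_url, $key) = @_;
    die "unknown message key: $key\n" unless exists $MESSAGES{$key};
    return "$site_url/?msg=$key";
}

# Turn the incoming ?msg= value into text for the template.
# Anything that is not a known key renders as an empty string.
sub render_msg {
    my ($param) = @_;
    return '' unless defined $param && exists $MESSAGES{$param};
    return html_escape($MESSAGES{$param});
}

# Constructed inputs: one valid key and the string from the URL in the post.
for my $in ('msg_sent', '<script>alert("CROSS SITE SCRIPTING")</script>') {
    printf "input: %s\n  rendered: [%s]\n", html_escape($in), render_msg($in);
}
print status_url('http://website.com', 'report_sent'), "\n";
```

If free-form text ever has to be shown, `html_escape` on the value at output time is the minimum; the lookup table removes the need to echo request data at all.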