Content Server is a web content management product from Divine (www.divine.com).

A cross-site scripting vulnerability in this product allows injection of hostile HTML/script into the error page: the value of the pagename parameter is echoed unencoded when the requested page cannot be found.

Example :

http://www.mouffleton.com/servlet/ContentServer?pagename=<body%20onload=alert(document.cookie);>

Workaround :

Catch the error and display a standard error page that does not echo the requested file name.

Valgasu
http://valgasu.rstack.org
http://www.rstack.org
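The reflection described above, shown as an added Python illustration (not Divine's code): a constructed error handler that echoes pagename verbatim, the advisory's workaround that echoes nothing, an HTML-encoded variant for cases where the name must be shown, and a small check over constructed access-log lines that flags requests carrying markup in pagename. The servlet path and log lines are assumed for the example.

```python
from urllib.parse import urlsplit, unquote_plus
import html
import re

# Constructed sample request, reusing the advisory's own example URL.
SAMPLE_URL = ("http://www.mouffleton.com/servlet/ContentServer"
              "?pagename=<body%20onload=alert(document.cookie);>")

def requested_pagename(url: str) -> str:
    """Return the URL-decoded 'pagename' query value, as the servlet would see it."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "pagename":
            return unquote_plus(value)
    return ""

def vulnerable_error_page(pagename: str) -> str:
    """The pattern the advisory describes: the request value is copied into the HTML as-is."""
    return f"<html><body>Error: page {pagename} not found</body></html>"

def hardened_error_page(pagename: str) -> str:
    """The advisory's workaround: a fixed error page that never echoes the request."""
    return "<html><body>Error: the requested page could not be found.</body></html>"

def encoded_error_page(pagename: str) -> str:
    """If the name must be shown, HTML-encode it so it is rendered as text, not markup.
    html.escape() encodes <, >, & and (by default) both quote characters."""
    return f"<html><body>Error: page {html.escape(pagename)} not found</body></html>"

def reflects_markup(page_html: str, pagename: str) -> bool:
    """True when a request value containing a tag is present unencoded in the response."""
    return "<" in pagename and pagename in page_html

# Constructed access-log lines (assumed common log format) for the detection check.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2002:10:00:00 +0000] "GET /servlet/ContentServer?pagename=Home HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2002:10:00:01 +0000] "GET /servlet/ContentServer?pagename=%3Cbody%20onload=alert(1)%3E HTTP/1.0" 404 300',
]
_REQ = re.compile(r'"(?:GET|POST) (\S+) ')

def suspicious_requests(log_lines):
    """Return the request paths whose decoded pagename contains a tag delimiter."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if m and re.search(r"[<>]", requested_pagename("http://h" + m.group(1))):
            hits.append(m.group(1))
    return hits
```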