vendor site: http://wheatblog.sourceforge.net/ product : Wheatblog bug: multiple xss (post) & full path disclosure risk : medium xss post : /add_comment.php vulnerable fieds : - Name - WWW - Comment impact: an attacker can steal the cookie from every persons who is watching at the comments. full path disclosure : /index.php?postPtr[]=1&next=1 laurent gaffié & benjamin mossé http://s-a-p.ca/ contact: saps.audit@xxxxxxxxx