vendor site: http://www.4u2ges.com/
product: Rapid Classified v3.1
bug: multiple XSS (GET) & SQL injection
risk: medium

SQL injection:
/viewad.asp?id='[sql]

XSS:
/reply.asp?id=[xss]
/view_print.asp?id=[xss]
/search.asp?categoryName=1&SH1=[xss]
/reply.asp?id=50120815480100001&name=[xss]
/advsearch.asp?zipr=1&D1=0&D4=1&zipOpt=20&dosearch=[xss]

Laurent Gaffié & Benjamin Mossé
http://s-a-p.ca/
contact: saps.audit@xxxxxxxxx