vendor site: http://www.rockfordarea.com/
product: The Classified Ad System
bug: multiple XSS (GET) & SQL injection
risk: medium

SQL injection (GET):
/default.asp?action=view&main='[sql]

SQL injection (POST):
just post your query into the search engine

XSS:
/default.asp?action=view1&cat=[xss]
/default.asp?action=view1&cat=40&main=[xss]

Laurent Gaffié & Benjamin Mossé
http://s-a-p.ca/
contact: saps.audit@xxxxxxxxx
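
Added example, not part of the original advisory and not the vendor's code: a log check that flags requests to /default.asp whose main or cat parameter is not a plain integer. Assumptions: the site logs in IIS W3C extended format, both parameters are numeric ids (the advisory shows cat=40), and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Parameters the advisory names on /default.asp.
WATCHED = ("main", "cat")
# Assumption: legitimate values are short numeric ids, as in cat=40.
NUMERIC = re.compile(r"\d{1,10}")


def suspicious_params(stem, query):
    """Return {param: [values]} for watched params that are not plain integers."""
    if stem.lower() != "/default.asp":  # IIS paths are case-insensitive
        return {}
    hits = {}
    # parse_qs percent-decodes values, so encoded quotes and tags are seen decoded.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in WATCHED:
            bad = [v for v in values if not NUMERIC.fullmatch(v)]
            if bad:
                hits[name.lower()] = bad
    return hits


def scan(lines):
    """Yield (line_number, hits) for W3C log lines that need review."""
    fields = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        hits = suspicious_params(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if hits:
            yield n, hits


# Constructed sample log, not taken from any real server.
SAMPLE = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2009-01-01 10:00:00 GET /default.asp action=view1&cat=40 192.0.2.10 200",
    "2009-01-01 10:00:05 GET /default.asp action=view&main=%27 192.0.2.11 500",
    "2009-01-01 10:00:09 GET /default.asp action=view1&cat=40&main=%3Cb%3E 192.0.2.12 200",
    "2009-01-01 10:00:12 GET /index.html - 192.0.2.13 200",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(n, hits)
```

The POST search-form injection does not appear in the query string, so this check only covers the GET vectors listed above.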