I can't remember if I posted another xss found (probably fond by someone else as well but I thought you might like to know) in the search box or url oyu can put xss eg. http://www.target.com/index.php?mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput="><script>alert('hi')</script>&cntnt01submit=Submit obviously this doesn't count for much as it is non permanent... but still enjoy NanoyMaster