<<< Date Index >>>     <<< Thread Index >>>

Youtube Clone Xross Site Scripting (load_message.php)



Discovered by Smasher
CMS: Youtube Clone Script
Site: http://warwolfz.altervista.org
WarWolfZ Security Crew.

Hello i don't know if this vuln is already out , but i've searched in 
securityfocus and is not present.

Bug found in load_message.php at line 4:

<?php echo $lang['please_wait']; ?>

Ex: 
http://localhost/youtube/siteadmin/editor_files/includes/load_message.php?lang[please_wait]=[XSS]

Fix:

<?php echo htmlspecialchars($lang['please_wait']); ?>

Greetz.
Smasher.