I know its basic, but I am a supporter of FD and therefore planetluc.com has to be blamed now! I checked their script MyNews in version 1.6.4 today and then some other versions, all are vulnerable to HTML and JS injection. --- ADVISORY --- ---------------------------- || WWW.SMASH-THE-STACK.NET || ----------------------------- || ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability _____________________ || 0x00: ABOUT ME || 0x01: DATELINE || 0x02: INFORMATION || 0x03: EXPLOITATION || 0x04: GOOGLE DORK || 0x05: RISK LEVEL ____________________________________________________________ ____________________________________________________________ _________________ || 0x00: ABOUT ME Author: SkyOut Date: February 2008 Contact: skyout[-at-]smash-the-stack[-dot-]net Website: http://www.smash-the-stack.net/ _________________ || 0x01: DATELINE 2008-02-06: Bug found 2008-02-06: Advisory released ____________________ || 0x02: INFORMATION The MyNews script by planetluc.com in all versions of the 1.6.X tree is vulnerable to HTML and JS injection due to no sanitation of the "hash" value in combination with the action "admin". _____________________ || 0x03: EXPLOITATION No exploit is needed to test this vulnerability. You just need a working web browser. 1: HTML Injection To make a HTML injectioni, visit the websites main page. The name might differ from the original name "mynews.inc.php", mostly its called "index.php". Now construct a malformed URL as follows: http://www.example.com/index.php?hash=">