BBS Forum View

9 August 2009

Type: Non-persistent
Criteria: None

http://bbs.ijji.com/forumView.nhn?bbsId=gunz_free&page=&id=999999999&ordering=%22;alert(%27xss%27);//

Note that the exploit will execute twice.

Since the entire BBS system was exposed a few months back as being vulnerable to SQL injection, the variable id is now very picky about what data is supplied. However, this exploit will still accept an id which doesn’t yet exist (less data is returned when it doesn’t exist, but this exploit will still work with or without a valid id variable).

The XSS relies on the value of ordering, which is blindly printed into the main page, and in both instances, directly into a SCRIPT tag (the phrase “script” has been blacklisted from all scripts, which is why I’ve been using an alternative).
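The flaw described above and one way to close it, as an added example that is not the site's code or part of the original post. The function names, the allowlist values, and the way the "script" filter is modelled are assumptions.

```javascript
// Added illustration; function names and the allowlist values are hypothetical.
const ALLOWED_ORDERINGS = new Set(["date", "views", "replies"]);
const DEFAULT_ORDERING = "date";

// Assumed model of the flawed page: the word "script" is filtered out, then the
// value is printed unescaped inside a JavaScript string literal.
function renderVulnerable(ordering) {
  const filtered = String(ordering).replace(/script/gi, "");
  return '<script>var ordering = "' + filtered + '";</script>';
}

// Encode every non-alphanumeric UTF-16 code unit as \uXXXX, so the value cannot
// close the string literal (quotes, backslash, newlines) or the element ("</").
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened rendering: allowlist first, output encoding second.
function renderHardened(ordering) {
  const safe = ALLOWED_ORDERINGS.has(ordering) ? ordering : DEFAULT_ORDERING;
  return '<script>var ordering = "' + escapeForJsString(safe) + '";</script>';
}

// The value from the URL on this page, after URL decoding.
const reflected = decodeURIComponent("%22;alert(%27xss%27);//");

console.log(renderVulnerable(reflected));  // string literal is closed early
console.log(renderHardened(reflected));    // falls back to the default ordering
console.log(escapeForJsString(reflected)); // what encoding alone would print
```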
