eTicket v.126.96.36.199 Multiple Cross-Site Scripting
Author: Attila Gerendi (Darkz)
Date: June 29, 2007
Package: eTicket (http://eticket.sourceforge.net/)
Versions Affected: v.188.8.131.52 (Other versions may also be affected)
Input passed to "$_SERVER['REQUEST_URI']" in various scrips and includes is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.
Vulnerable code pieces:
user_login.php on line 7: