eTicket v.184.108.40.206 Multiple Cross-Site Scripting
Author: Attila Gerendi (Darkz)
Date: June 29, 2007
Package: eTicket (http://eticket.sourceforge.net/)
Versions Affected: v.220.127.116.11 (Other versions may also be affected)
Input passed to "$_SERVER['REQUEST_URI']" in various scripts and includes is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in the context of an affected site when malicious data is viewed.
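The following is an added example, not eTicket source code and not from the advisory's author. It assumes the request URI is reflected into a form "action" attribute (the advisory does not say how the value is used), and all function names and the allow-list are hypothetical. It contrasts the unsafe pattern with two mitigations: output encoding, and not reflecting the URI at all.

```php
<?php
// Added illustration only; not eTicket code. All names here are hypothetical.

// Unsafe pattern: the raw request URI is copied into an HTML attribute,
// so quotes and angle brackets in the URI become markup.
function render_form_unsafe(string $requestUri): string
{
    return '<form method="post" action="' . $requestUri . '">';
}

// Mitigation 1: encode for the HTML attribute context before output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_form_encoded(string $requestUri): string
{
    $safe = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Mitigation 2: do not reflect the URI. Keep only the script name and
// accept it only if it is on a fixed allow-list (assumed list).
function render_form_allowlisted(string $requestUri): string
{
    $allowed = ['user_login.php'];   // assumption: scripts that render this form
    $fallback = 'user_login.php';

    $path = parse_url($requestUri, PHP_URL_PATH);   // may be null or false
    $script = is_string($path) ? basename($path) : '';
    if (!in_array($script, $allowed, true)) {
        $script = $fallback;
    }
    // Still encode on output, even though the value is now a known constant.
    $safe = htmlspecialchars($script, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Constructed sample input (harmless marker markup, not a captured request).
$sample = '/user_login.php?x="><b>injected</b>';

echo render_form_unsafe($sample), PHP_EOL;       // markup breaks out of the attribute
echo render_form_encoded($sample), PHP_EOL;      // metacharacters emitted as entities
echo render_form_allowlisted($sample), PHP_EOL;  // query string is never reflected
```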
Vulnerable code pieces:
user_login.php on line 7: