https://www.cacert.org/wot.php?id=9 multiple POST[subject] and POST[message] XSS

This is part of a code audit of the CAcert sources. Francesco 'ascii' Ongaro - www.ush.it

HTML POC 1

>>> POST XSS and external source load POC <<<
I'm a gateway page, as used in POST XSS attacks. Click send to trigger the event.

HTML POC 2

>>> POST XSS and external source load POC <<<
I'm a gateway page, as used in POST XSS attacks. Click send to trigger the event.

Fast check

curl -ki "https://www.cacert.org/wot.php?id=9&userid=1" -H "Cookie: cacert=2d57e030c022c7b9b152127c482bb01e" -d "subject=AD&message=AD" | grep "AD"

Vulnerable code

./pages/wot/9.php

Summary

- POST XSS
- magic quotes gpc ON
- affected by user role (only logged in)
- you need to know a user id (1 is okay :P)
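Added illustration of the bug class and its fix, not the contents of ./pages/wot/9.php (which this advisory does not reproduce): the shape of the vulnerable handler is assumed, and the hardened version shows why magic_quotes_gpc ON does not stop a quote-free payload and what output encoding is actually needed.

```php
<?php
// Assumed shape of the vulnerable pattern: POST fields echoed straight into HTML.
// Not the real code of ./pages/wot/9.php.
function render_unsafe(array $post): string
{
    return '<b>' . $post['subject'] . '</b><p>' . $post['message'] . '</p>';
}

// Hardened version: undo the backslashes magic_quotes_gpc adds (when that
// setting is on), then HTML-encode on output with ENT_QUOTES so both single
// and double quotes, as well as < > &, are neutralised.
function render_safe(array $post): string
{
    $subject = $post['subject'] ?? '';
    $message = $post['message'] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $subject = stripslashes($subject);
        $message = stripslashes($message);
    }
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<b>' . $h($subject) . '</b><p>' . $h($message) . '</p>';
}

// Constructed input. magic_quotes_gpc only escapes quotes and backslashes;
// a tag that uses neither passes through the vulnerable handler untouched,
// which is why that setting is no XSS defence.
$post = ['subject' => 'AD', 'message' => '<script>alert(1)</script>'];

echo render_unsafe($post), "\n"; // script tag lands in the page verbatim
echo render_safe($post), "\n";   // rendered as &lt;script&gt;...&lt;/script&gt;
```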