Worse, it is not just a simple XSS but a stored one, where his commands (usually JavaScript) are stored on the server.
On a visit to the page he claimed suffers from XSS, denr.marinduque.ph/upload.php, a JavaScript alert message pops up, “explored by Hitman,” and the browser is then redirected to the Pinoy Vendetta website – PV-hosting.com.
Multiple Vulnerabilities
We also browsed the website to check for other vulnerabilities, and what we found is that it can also be exploited by SQL injection. A MySQL error is displayed on the page when it is triggered by a quote in the news page.
Browsing further, the gallery page shows that it is indeed vulnerable to XSS. A click on any of the photo icons shown leads to injected JavaScript or HTML code.
There is also a reflected XSS; you may visit this link.