Open Letter to ImageFap: Credit Where Credit is Due
I see someone *FINALLY* got around to fixing the XSS vulnerability on the blog titles. You are wrong about the data I collected being benign, though; look closer: it includes the PHPSESSIONID. I was able to alter mine to match each one and be logged in as each. This was possible because I could inject JavaScript code into the title of a blog entry, and I just output document.cookie right to the URL I directed them to (before immediately directing them to your forum post).
If I had not posted the data I collected on your users (their session ID, IP address, browser/OS type, date/time of their visit to your site), you would have had no clue at all... and it's nice to see that someone over there FINALLY woke up and realized that there really was a vulnerability that needed to be fixed (obviously not you, since you don't know shit about any of this).
However, the XSRF vulnerabilities still appear to exist, and I'll be stepping up what I do with those too, to get you all to act. This time, I'll be proving that I meant what I said when I said I could perform administrative functions with it. Remember: I can make you virtually "click" ANY LINK I WANT with this, until someone fixes it. http://blogs.sans.org/appsecstreetfighter/2010/03/03/top-25-series-%e2%80%93-rank-4-%e2%80%93-cross-site-request-forgery/
Posted on: Mar 14, 2010
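The letter describes two server-side defects: a blog title rendered unescaped, so injected script could read document.cookie and hand the session id to a third party, and state-changing actions that accept any logged-in request without proof that the user intended it (CSRF). The following is an added example written for this page, not code from the letter's author or from ImageFap, showing the three fixes a site owner would apply: escape the title for its HTML context, mark the session cookie HttpOnly (plus Secure and SameSite) so script cannot read it, and require a per-session token on state-changing requests. The cookie name "sid", the in-memory SESSIONS dict and the request/form dicts are constructed stand-ins for a real PHP session and HTTP framework.

```python
import html
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed cookie name for the example; a PHP site would use its own.
SESSION_COOKIE = "sid"

# In-memory stand-in for server-side session storage: sid -> session data.
SESSIONS = {}


def render_title(title: str) -> str:
    """Render a user-supplied blog title into an HTML text node.

    Escaping <, >, &, " and ' turns an injected <script> tag into inert
    text, so the title can no longer run code in a visitor's browser.
    """
    return "<h2>%s</h2>" % html.escape(title, quote=True)


def start_session(user: str) -> str:
    """Create a server-side session with a fresh CSRF token; return the sid."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header for the session id.

    HttpOnly keeps the cookie out of document.cookie, so a script that does
    slip through cannot read it; Secure and SameSite narrow where it is sent.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def handle_admin_action(cookies: dict, form: dict) -> tuple:
    """Simulated state-changing endpoint (e.g. delete a post).

    The cookie alone proves the browser is logged in, not that the user
    meant to send this request; the per-session token in the form body is
    what a page on another site cannot supply. Returns (status, message).
    """
    session = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; an empty or mismatched token is rejected.
    if not submitted or not hmac.compare_digest(
        session["csrf"].encode(), submitted.encode()
    ):
        return 403, "missing or invalid CSRF token"
    return 200, "action performed for %s" % session["user"]


if __name__ == "__main__":
    sid = start_session("alice")
    print(session_cookie_header(sid))
    print(render_title("<script>alert(1)</script>"))
    print(handle_admin_action({SESSION_COOKIE: sid}, {}))
    print(handle_admin_action({SESSION_COOKIE: sid},
                              {"csrf_token": SESSIONS[sid]["csrf"]}))
```

Escaping is context-specific: `html.escape` is correct for text nodes and quoted attribute values, but a title placed inside a script block or a URL needs that context's encoder instead. HttpOnly does not stop script from acting as the user while the page is open, which is why the token check on the admin handler is the part that addresses the letter's second complaint.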