Ctrip master XSS vulnerability

Vulnerability Details

Disclosure status ：

2010-08-02： The details have been notified to the manufacturer and are waiting for the manufacturer to process
2010-08-02： The manufacturer has confirmed , The details are only disclosed to the manufacturer
2010-08-12： The details are disclosed to the core white hat and experts in related fields
2010-08-22： The details are open to ordinary white hats
2010-09-01： The details are disclosed to the white hat
2010-09-06： The details are made public

A brief description ：

The master station exists XSS, Non storage

Detailed instructions ：

Vulnerability to prove ：

http://www.ctrip.com/rp/uiserver2.asp?action=<script>alert(/xss/)</script>

Repair plan ：

Copyright notice ： Please quote source for reprint   Second master of Huo family @ Dark clouds