Bugtraq mailing list archives

Re: GamePlay.co.uk XSS


From: Patrick Morris <patrick.morris () hp com>
Date: Tue, 13 Jun 2006 18:10:40 -0700

On Sat, 10 Jun 2006, charlie () thehackersplace org wrote:

The current password is not necessary for a successful password change for members of gameplay.co.uk, which makes changing passwords through scripts as easy as tying your shoelace.
(https://shop.gameplay.co.uk/gameplay/changepassword.asp)

I tried emailing these clowns about their silly flaws, but I had no joy.

If you are not logged in, that URL takes you to a login page, where you
*do* need to enter a correct username and password.

I'm not sure what happens if you've already logged in with a valid
account.

