Mobilkom Austria Cross Site Scripting

`G'Day Ladies and Gents,  
  
it has been already over 3 weeks now, since they've told me they're   
going to fix this flaws, as soon as they've resolved more important   
tasks... I think they had enough time, so here is my first   
disclosure.  
  
  
Just a little, not that important non-persistent XSS. Cookie   
hijacking possible:  
  
http://www.a1.net/forum/?module=mkaSearch&action=search&wo=-  
1&search_eforum=<img src=http://wtfhub.com/wp-  
content/uploads/2010/12/y-u-no-template1.jpg>  
  
===========================  
  
It gets funnier. They even DO allow HTML in a posting or thread.   
  
http://www.a1.net/forum/mkaPosts/insert/2207.page  
  
Proof: http://i.imgur.com/0h5IM.jpg  
  
  
===========================  
  
  
As you can see in the Screenshot, they even allow HTML in your   
Signature.   
  
And yet another non-persistent XSS (search form), Cookie hijacking   
possible:  
  
http://www.a1.net/musikfreizeichen/index.htm?action=browseSearchResu  
lt&exact=false&searchString=<script>alert("wat")</script>  
  
===========================  
  
some fun: http://i.imgur.com/1F141.png  
and even more: http://i.imgur.com/GMqcm.png  
  
First disclosure, keep that in mind. Now let's hope they fix the   
flaws soon. And btw, I also know they're not critical, so don't   
bitch about it.  
  
Greets,  
HypoX  
`