Vulnerability Type:
HTML Injection (Possible XSS)
Title:
Equibase.com HTML Injection
Site Description:
Equibase.com is the official source for horse racing results, mobile
racing data, statistics as well as all other horse racing and
thoroughbred racing information.
Details:
The page http://www.equibase.com/profiles/results.cfm takes a parameter
named type (e.g.
http://www.equibase.com/profiles/Results.cfm?type=Horse) that has a
limited set of valid values. The value supplied for this parameter is
rendered unmodified in the response body, with neither allow-list
validation nor output encoding. This allows reflected HTML injection and
content spoofing such as:
http://www.equibase.com/profiles/Results.cfm?type=%3Ch1%3E%3Cb%3EAn%20error%20occured.%20%20Please%20visit%20www.badguysite.com%20and%20log%20in%20to%20your%20equibase%20account%20to%20continue.%3C/b%3E%3C/h1%3E
Various other HTML tags were accepted and rendered. Some limited
filtering did appear to be in place for XSS mitigation, as basic XSS
payloads did not execute. Since this was not a sanctioned test by the
site owner, extensive reflected XSS testing of this parameter was not
performed, but based on observation the filtering in place did not appear
to be sufficient to stop an advanced reflected XSS attack.
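The following is an added example, not Equibase code or part of the original report. It reproduces the behaviour the report describes in a miniature handler: the type parameter is pulled from the query string, echoed raw into the page (vulnerable), passed through a hypothetical blocklist that strips only script tags (the kind of partial filter that blocks basic XSS but still lets the content-spoofing payload through), and finally handled correctly by allow-listing the value against its known set and HTML-encoding it on output. The page templates, the blocklist, and the allow-list contents are assumptions; the report only shows that Horse is a valid value and does not disclose what filtering the site actually applies.

```python
"""Reflected HTML injection in a query parameter: raw echo, blocklist, allow-list + encoding.

Added example. The templates, filter and allow-list below are assumptions for illustration;
only the parameter name, the value "Horse" and the payload URL come from the report.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list: the report says the parameter takes a limited set of values
# but only shows "Horse". A real fix would enumerate the server's actual set.
VALID_TYPES = frozenset({"Horse"})
DEFAULT_TYPE = "Horse"

# Payload URL from the report (copied as a plain string, original spelling kept).
ADVISORY_URL = (
    "http://www.equibase.com/profiles/Results.cfm?type=%3Ch1%3E%3Cb%3EAn%20error%20occured."
    "%20%20Please%20visit%20www.badguysite.com%20and%20log%20in%20to%20your%20equibase"
    "%20account%20to%20continue.%3C/b%3E%3C/h1%3E"
)


def type_param(url: str) -> str:
    """Extract and percent-decode the `type` query parameter ("" if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("type", [""])[0]


def render_vulnerable(type_value: str) -> str:
    """Mimics the observed behaviour: the parameter is written into the page unmodified."""
    return f"<html><body><h2>Results by {type_value}</h2></body></html>"


def render_blocklisted(type_value: str) -> str:
    """Hypothetical partial filter: strips script tags only, so basic XSS fails
    while arbitrary presentational markup (h1, b, ...) is still rendered."""
    filtered = re.sub(r"<\s*/?\s*script", "", type_value, flags=re.IGNORECASE)
    return f"<html><body><h2>Results by {filtered}</h2></body></html>"


def render_hardened(type_value: str) -> str:
    """Correct handling for an enumerated parameter: reject anything outside the
    allow-list (fall back to a default, or return 400), and encode on output anyway."""
    if type_value not in VALID_TYPES:
        type_value = DEFAULT_TYPE  # never echo the rejected value back
    safe = html.escape(type_value, quote=True)
    return f"<html><body><h2>Results by {safe}</h2></body></html>"


def reflected_unescaped(body: str, probe: str) -> bool:
    """Reflection check used when testing: true if the probe (which should contain
    markup characters such as '<') appears verbatim, i.e. unencoded, in the response."""
    return probe in body


if __name__ == "__main__":
    payload = type_param(ADVISORY_URL)
    for name, render in (("vulnerable", render_vulnerable),
                         ("blocklist", render_blocklisted),
                         ("hardened", render_hardened)):
        print(f"{name:10s} reflects markup: {reflected_unescaped(render(payload), payload)}")
```

Running the block reports that both the raw echo and the script-only blocklist reflect the h1/b payload intact, while the allow-list plus encoding version does not. The allow-list is the important half: for a parameter whose legitimate values are a fixed enumeration, validating against that set removes the injection surface entirely, and the output encoding is defence in depth for the day someone adds a free-text value.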
Vulnerability Severity: Medium
Vendor Interaction:
Vendor notified on 1/17 with full report. No response received.