E107 eCaptcha Cross Site Scripting

`Hello Bugtraq!  
  
I want to warn you about Cross-Site Scripting vulnerability in eCaptcha   
(plugin for E107). I found this hole in July 2008 and disclosed it at   
25.09.2008.  
  
XSS:  
  
POST query at page   
http://site/path/ecaptcha/?key=b7c9bf99e763252105f047a5ca5681d0  
  
<script>alert(document.cookie)</script>  
in field: Type Here.  
  
Working key (ecaptcha_key) is required, which can be retrieved by script.   
Every key works only for one time.  
  
Exploit:  
  
http://websecurity.com.ua/uploads/2008/eCaptcha%20XSS.html  
  
I mentioned about this vulnerability at my site   
(http://websecurity.com.ua/2253/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
`