I had a look at the JPortal 2.3.1 source code and found lots of bugs. Here I report only some of them:

- XSS in "theme/Default/index.php":

    <? echo $site_name ?> - <? echo $site_title ?> style.css" type="text/css">

  If register_globals=On, it is possible to control the variables $site_name, $site_title, $head_info, $meta_info and $theme and trigger the XSS. The same thing can be done with theme/Default/normal.php and theme/Default/no_menu.php. You will find lots of XSS everywhere!

- Local File Inclusion in "module.php". Here is the bugged code:

    function module($op) {
        global $error;
        if(file_exists('module/'.$op.'.aim.php')) {
            include('module/'.$op.'.aim.php'); /* (2) */
        } elseif($op=='') {
            header("Location: index.php");
            exit;
        } else {
            $error = 'e1';
        }
    }
    [...]
    module($op); /* (1) */

  In (1) the module() function is called, and the variable $op represents the "op" GET request parameter. In (2) we have an include() call that uses the $op variable without sanitizing it.

- SQL Injection: I can only say that most of the queries are injectable!

That's all. Have fun.
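
A hardened counterpart to the module() loader above, as an added example that is not part of the original post or of JPortal's code: it accepts only plain identifiers for op and checks that the resolved file stays directly inside the module directory. The function name resolve_module() and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not JPortal code. resolve_module() and the demo layout are hypothetical.

/**
 * Map a request-supplied module name to a file inside $moduleDir,
 * or return null when the name is not acceptable.
 */
function resolve_module(string $moduleDir, $op): ?string
{
    // Reject arrays (op[]=x) and anything that is not a short plain identifier.
    // No dots, slashes, backslashes or NUL bytes can pass this pattern.
    if (!is_string($op) || preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $op) !== 1) {
        return null;
    }

    $base = realpath($moduleDir);
    $path = realpath($moduleDir . DIRECTORY_SEPARATOR . $op . '.aim.php');
    if ($base === false || $path === false) {
        return null; // directory or module file does not exist
    }

    // Defence in depth: after symlink resolution the file must still be
    // a regular file located directly inside the module directory.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway module directory holding one module file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'news.aim.php', "<?php echo \"news module\\n\";");

// Constructed inputs: one valid name, then values the loader must refuse.
foreach (['news', 'missing', '../news', 'news.aim', ['news'], ''] as $op) {
    $path = resolve_module($dir, $op);
    $label = json_encode($op, JSON_UNESCAPED_SLASHES);
    printf("%-12s => %s\n", $label, $path === null ? 'rejected' : 'accepted');
    if ($path !== null) {
        include $path; // only reached for a validated path
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'news.aim.php');
rmdir($dir);
```

Only the first input is accepted; the empty string is rejected here, so the redirect to index.php for an empty op would be handled by the caller.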