4shared.com does not filter their filename input which allows us to inject HTML code into the filename variable, being shown on the “Upload succes” page. This page is (by going to the page’s URL) viewable for other people as well. I’m not sure how long this page remains visible.

This kind of XSS probably works at a lot more upload services (as proven below)!

Source
http://pastebin.com/Yx8qihha