
Javascript Injection?


n30

OK, so I have found a site which has a JavaScript injection hole. I can write any HTML or JavaScript to it and it'll execute it. One problem: it's only on one student's page. Everything has to be done there. Plus, no one can see it unless they log in as that user. So basically, it doesn't do me any good, does it? I mean, what, am I going to get the password of the user I already have control over?

Any help is appreciated, thanks.

~n30


ghost

If you can only run the JS for yourself then, yes, you're stuffed. If you can force others to run that JS code too (showing them that page, forcing them to submit a form to create that JS on their page, whatever) then you're sorted.


richohealey

Can you post on that student page? Or if not, are they on MySpace? You could probably get away with yet another "go to this page and put this in and your screen will flash gold and hot lesbians will have sex in your front yard" type thing.


n30

Oh, another thing: I can spoof emails with that site, but the spoofed email has a "[QUAR]" in front of the subject that might alert the admin that it's fake. Any clue? It's a Barracuda mail server.