I don't know about exploitability, but it's certainly true that an account named AUTH_" produces this little pile of invalid XML on GET:
<?xml version="1.0" encoding="UTF-8"?> <account name="AUTH_""> </account>
I don't know about exploitability, but it's certainly true that an account named AUTH_" produces this little pile of invalid XML on GET:
<?xml version="1.0" encoding="UTF-8"?>
<account name="AUTH_"">
</account>