Cross-site scripting (XSS) vulnerability in FreeScripts VisitorBook LE (visitorbook.pl) allows remote attackers to inject arbitrary HTML or web script via (1) the "do" parameter, (2) the "user" parameter from a host with a malicious reverse DNS name, or (3) quote marks or ampersands in other parameters.
Visitorbook LE visitorbook.pl Multiple Parameter XSS
Remote / Network Access
Loss of Integrity
VisitorBook LE contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate variables upon submission to the visitorbook.pl script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
1. An administrator could modify the script to validate the contents of the 'do' and 'user' variables passed to the script before storing or presenting the data. At the very least, this would include escaping all special characters, including quotes, ampersands and angle brackets.
2. Modifying the script to not accept or use reverse DNS data would prevent the use of the 'user' variable to exploit the flaw.
NOTE: Modifying the script(s) in any way would appear to explicitly violate your licence agreement.
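The two workarounds above, shown as an added example in Perl; this is not the VisitorBook LE code, and the action names in the allow-list, the parameter hash and the environment values are constructed stand-ins for a request to a script like visitorbook.pl:

```perl
#!/usr/bin/perl
# Added example (not the VisitorBook LE code): HTML-escape CGI parameters
# before they are stored or echoed, allow-list the 'do' action selector,
# and identify the visitor by REMOTE_ADDR rather than by the reverse-DNS
# host name that a remote party controls.
use strict;
use warnings;

# Escape the characters that let a value break out of HTML text or an
# attribute: & < > " '.  Ampersand is handled first so the entities produced
# for the other characters are not escaped a second time.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# 'do' selects an action, so it is compared against a fixed set of names
# (hypothetical ones here) and never echoed back if it is not one of them.
my %ALLOWED_DO = map { $_ => 1 } qw(view add);
sub valid_do {
    my ($do) = @_;
    return (defined $do && exists $ALLOWED_DO{$do}) ? $do : 'view';
}

# Use the peer address the web server already saw on the socket, not
# REMOTE_HOST, whose value comes from a reverse DNS lookup that the owner of
# the connecting address can set to arbitrary text.
sub visitor_id {
    my ($env) = @_;
    my $addr = defined $env->{REMOTE_ADDR} ? $env->{REMOTE_ADDR} : '';
    # Accept only a dotted-quad IPv4 literal; anything else is replaced.
    return $addr =~ /^(?:\d{1,3}\.){3}\d{1,3}$/ ? $addr : 'unknown';
}

# Constructed sample input standing in for one request to the script.
my %param = (do => 'delete', user => 'Alice & Bob <b>');
my %env   = (REMOTE_ADDR => '192.0.2.10', REMOTE_HOST => 'not-trusted.example');

my $do   = valid_do($param{do});            # 'delete' is not allowed -> 'view'
my $user = html_escape($param{user});       # 'Alice &amp; Bob &lt;b&gt;'
my $who  = html_escape(visitor_id(\%env));  # '192.0.2.10'

print "Content-Type: text/html\n\n";
print "<p>Action: $do</p>\n";
print "<p>Entry from $user ($who)</p>\n";
```

Escaping on output (as `html_escape` does) is the part that closes the quote-mark and ampersand vector in the other parameters; the allow-list on 'do' and the switch from REMOTE_HOST to REMOTE_ADDR cover the two named parameters without relying on reverse DNS at all.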