Cross-site scripting (XSS) vulnerability in guestbook.cgi in ftls.org Guestbook 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) name, or (3) title field.
Guestbook does not adequately filter HTML tags from various fields. This may enable an attacker to inject arbitrary script code into pages that are generated by the guestbook.
The attacker's script code may be executed in the web client of arbitrary users who view the pages generated by the guestbook, in the security context of the website running the software.
The following proof of concept was provided; it consists of inserting malicious HTML code into the Title, Name and Comment fields:
FTLS.org Guestbook contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'comment', 'name', or 'title' parameters upon submission to the 'guestbook.cgi' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
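To show the flaw and its fix side by side, here is an added Python example (not the guestbook's own code, which is a CGI script; the three field names are the ones the advisory lists, and the sample submission is constructed): one renderer that interpolates the fields verbatim, one that HTML-escapes them, and a check that no submitted markup survives into the generated page.

```python
import html
from typing import Dict

# The three user-controlled fields named in the advisory.
FIELDS = ("title", "name", "comment")

# Constructed sample submission (not a real guestbook post).
SAMPLE_ENTRY: Dict[str, str] = {
    "title": "Hello <script>alert('xss')</script>",
    "name": "Mallory <img src=x onerror=alert(1)>",
    "comment": "Nice <b>site</b>!",
}


def render_vulnerable(entry: Dict[str, str]) -> str:
    """Mirrors the flaw: field values are placed into the page without filtering."""
    return (
        f"<h3>{entry['title']}</h3>\n"
        f"<p>Posted by {entry['name']}</p>\n"
        f"<p>{entry['comment']}</p>"
    )


def render_escaped(entry: Dict[str, str]) -> str:
    """Hardened form: HTML-escape every user-controlled field before output.

    quote=True also escapes ' and ", so values are safe inside attributes too.
    """
    safe = {f: html.escape(entry.get(f, ""), quote=True) for f in FIELDS}
    return (
        f"<h3>{safe['title']}</h3>\n"
        f"<p>Posted by {safe['name']}</p>\n"
        f"<p>{safe['comment']}</p>"
    )


def contains_raw_markup(rendered: str, entry: Dict[str, str]) -> bool:
    """Check: does any submitted field containing '<' appear verbatim in the output?"""
    return any("<" in entry[f] and entry[f] in rendered for f in FIELDS)


if __name__ == "__main__":
    print("vulnerable leaks markup:", contains_raw_markup(render_vulnerable(SAMPLE_ENTRY), SAMPLE_ENTRY))
    print("escaped leaks markup:   ", contains_raw_markup(render_escaped(SAMPLE_ENTRY), SAMPLE_ENTRY))
    print(render_escaped(SAMPLE_ENTRY))
```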