Multiple cross-site scripting (XSS) vulnerabilities in PHP-Post (PHPp) 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the subject in a post, or the user parameter to (2) profile.php and (3) mail.php.
PHP-Post contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the subject field upon submission to the post script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
trueend5 is credited with the discovery of this vulnerability.
PHPPost PHPPost 1.0
PHP-Post is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. The attacker may also be able to steal cookie-based authentication credentials and launch other attacks.
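With no patch available, one thing a site operator can do is look for requests that put markup into the `user` parameter of profile.php or mail.php. The following is an added example, not part of the advisory or of PHP-Post; it assumes combined-format access logs, and the `/phpp/` path, function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Scripts and parameter named in the advisory; the stored "subject" vector
# travels in a POST body and is not visible in an access log.
WATCHED = {"profile.php", "mail.php"}
PARAM = "user"
# Characters that have no place in a user name and that let a value break
# out of HTML text or attribute context (assumption: names are plain text).
MARKUP = re.compile(r"[<>\"'`]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_user_values(line):
    """Return decoded `user` values in one log line that contain markup."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rsplit("/", 1)[-1].lower() not in WATCHED:
        return []
    hits = []
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        # parse_qs decodes once; decode again to catch double encoding.
        for candidate in (value, unquote_plus(value)):
            if MARKUP.search(candidate):
                hits.append(candidate)
                break
    return hits


def scan(lines):
    """Map line number -> flagged values for every line that has any."""
    return {n: v for n, line in enumerate(lines, 1)
            if (v := suspicious_user_values(line))}


# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2007:10:00:00 +0000] "GET /phpp/profile.php?user=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2007:10:00:07 +0000] "GET /phpp/profile.php?user=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [01/Jan/2007:10:00:09 +0000] "GET /phpp/mail.php?user=%253Cb%253Ex HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2007:10:00:12 +0000] "GET /phpp/index.php?user=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, values in scan(SAMPLE).items():
        print(n, values)
```

A hit is a lead for review rather than proof of exploitation, and the check does not cover the post subject field.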