Multiple vulnerabilities have been identified in VisitorBook LE, allowing malicious people to conduct Cross Site Scripting attacks or send SPAM mails anonymously.

If the "$mailuser" parameter is 1, it is possible to inject mail headers using line breaks through the email address. This can be exploited to alter the mail and send SPAM mails anonymously.

It is possible to cause a Denial of Service and fill the log file with empty entries by sending entries with a large number of line breaks (more than the number of entries, which the log can hold). This fills up the log and may cause the system to respond with internal server error messages.

The "do" parameter isn't properly verified in "visitorbook.pl", allowing malicious people to insert arbitrary characters. This can be exploited to conduct Cross Site Scripting attacks.

VisitorBook LE trusts responses from reverse DNS lookups. This can be exploited to use the VisitorBook anonymously by altering the response from the reverse record of the IP address.

Solution
Set the "mailuser" parameter to "0". Edit the source code to ensure that input is validated before it is returned to the user or written to database files. Disable hostname lookups in your web server.

Provided and/or discovered by
Paul Johnston

Deep Links
Links available to Secunia VIM customers