Open
Description
During a security test I found that routers2.cgi has a Cross-Site Scripting (XSS) vulnerability affecting the rtr GET parameter in the request below. This may enable attackers to inject malicious scripts into the client's browser.
http://www.steveshipway.org/cgi-bin/routers2.pl?rtr=--><script>alert("XSS")</script>&bars=Cami&xgtype=d&page=graph&xgstyle=l2&xmtype=routers
Cause:
print "<!-- R:[$router]\n I:[$interface]\n A:[$archive]\n U:[$authuser] -->\n";
All the params returned in the HTML should be escaped.
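
The escaping suggested above, as an added example that is not routers2.cgi's own code: the values land inside an HTML comment, so the helper must stop them from emitting `>` or `--`. The helper names `html_escape` and `comment_escape` are hypothetical, the sample values are constructed, and `$router` is assumed to hold the `rtr` parameter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: neutralise HTML metacharacters in a request value.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hypothetical helper for values placed inside <!-- ... -->.
# With '>' escaped the value cannot emit "-->"; runs of "--" are also
# broken up so the value can never contribute to a comment terminator.
sub comment_escape {
    my ($s) = @_;
    $s = html_escape($s);
    $s =~ s/-(?=-)/- /g;
    return $s;
}

# Constructed sample values; $router mirrors the rtr value in the report.
my $router    = '--><script>alert("XSS")</script>';
my $interface = 'eth0';
my $archive   = '';
my $authuser  = 'guest';

# Before: the line quoted in the report, values interpolated unescaped.
my $before = "<!-- R:[$router]\n I:[$interface]\n A:[$archive]\n U:[$authuser] -->\n";

# After: every value passes through comment_escape() before output.
my $after = sprintf "<!-- R:[%s]\n I:[%s]\n A:[%s]\n U:[%s] -->\n",
    map { comment_escape($_) } $router, $interface, $archive, $authuser;

# Check that nothing between the delimiters can end the comment or open a tag.
for my $out ($before, $after) {
    my ($body) = $out =~ /\A<!--(.*) -->\n\z/s;
    my $verdict = ($body !~ /[<>]/ && $body !~ /--/) ? 'contained' : 'BREAKS OUT';
    print "[$verdict]\n$out\n";
}
```

The same `html_escape` applies to any parameter echoed into visible page text or attribute values; `comment_escape` is only for the debug comment.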

