Multiple cross-site scripting (XSS) vulnerabilities in Milkeyway Captive Portal 0.1 and 0.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) ipAddress, (2) act, (3) username, and (4) unspecified other parameters in (a) authuser.php; and the (5) username and (6) unspecified other parameters in (b) userstatistics.php.
secunia.com/advisories/19258
securitytracker.com/id?1015778
www.osvdb.org/23932
www.osvdb.org/23933
www.securityfocus.com/archive/1/427890/100/0/threaded
www.securityfocus.com/bid/17127
www.ush.it/team/ascii/hack-milkeway/advisory.txt
www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
www.vupen.com/english/advisories/2006/0968
exchange.xforce.ibmcloud.com/vulnerabilities/25288