- Incident report
- Resolution: Fixed
- Minor
- None
- None
- Any
The acknow.php page is vulnerable to reflected XSS attacks. The following section of code doesn't sanitize data properly:

```php
<?php
// Vulnerable code as reported: backurl is taken straight from the request,
// URL-decoded a second time, and handed to a JavaScript redirect without
// validation or output encoding. CUrl and jsRedirect are the application's own helpers.
if (isset($_REQUEST['saveandreturn'])) {
    $url = new CUrl(urldecode($_REQUEST['backurl']));
    jsRedirect($url->getUrl());
    exit();
}
```

The $_REQUEST['backurl'] parameter can be manipulated to perform the XSS attack. Using a proxy, capture the request parameters and replace the backurl parameter with the following: </script><script>alert('XSS');</script> (see attachment for PoC).
Fix: Sanitize the backurl request parameter and don't assume the user is going to leave the <url>.php in place.
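The following is an added example of the fix described above, not the project's own code: the backurl value is allow-listed as a local .php page before use, and the value is JSON-encoded for the JavaScript string context so it cannot close the script element. The helper names safe_back_url and js_redirect_html are assumptions; the sample inputs are constructed.

```php
<?php
// Added example (not the application's code). Two defensive layers for the
// backurl redirect: validate the value, then encode it for the JS context.

// Return the candidate only if it is a relative path to a local PHP page
// (optional query string); otherwise fall back to a safe default page.
function safe_back_url(string $candidate, string $default = 'index.php'): string
{
    // Reject absolute and protocol-relative URLs and any character that could
    // terminate the surrounding markup (<, >, quotes, spaces, ...).
    if (!preg_match('#^(?!//)[A-Za-z0-9_./-]+\.php(\?[A-Za-z0-9_=&%.-]*)?$#', $candidate)) {
        return $default;
    }
    if (str_contains($candidate, '..')) {   // no directory traversal either
        return $default;
    }
    return $candidate;
}

// Build the redirect markup with the URL encoded as a JavaScript string literal.
// JSON_HEX_TAG turns < and > into \u003C / \u003E, so even an unexpected value
// can never produce a literal "</script>" inside the element.
function js_redirect_html(string $url): string
{
    $encoded = json_encode(
        $url,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    return '<script type="text/javascript">window.location.replace(' . $encoded . ');</script>';
}

// Constructed inputs: the payload from the report next to a legitimate value.
// Note the raw $_REQUEST value is validated as-is; no extra urldecode() pass.
$samples = [
    "</script><script>alert('XSS');</script>",  // expected: replaced by index.php
    'hosts.php?groupid=4',                        // expected: accepted unchanged
    'https://evil.example/x.php',                 // expected: replaced by index.php
];
foreach ($samples as $backurl) {
    echo js_redirect_html(safe_back_url($backurl)), "\n";
}
```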