Ad Rotator AdPeeps 8.6.9 Cross Site Scripting

`Advisory: Ad Rotator AdPeeps 8.6.9 Persistent XSS Vulnerability  
Version:8.6.9  
Vendor URL: http://adpeeps.com/  
Demo Link:http://demo.adpeeps.com/  
  
Author: Viknesvaran Sittaramane  
Category: Webapp  
Twiiter: https://twitter.com/csvsn  
  
~.~.~.~.~.~.~.~.~.~.~.  
Product Description  
~.~.~.~.~.~.~.~.~.~.~.  
Ad Peeps is a banner rotator and text ad server - all in one that allows  
you to fully automate displaying, selling and managing banner  
advertisement, rich-media/flash ads and text ads on your website. Built  
using PHP/MYSQL, Ad Peeps provides you and your advertisers with highly  
detailed real-time statistics and is capable of delivering millions of  
impressions on a typical shared ad server.  
  
~.~.~.~.~.~.~.~.~.~.~.~.~  
Vulnerability Description  
~.~.~.~.~.~.~.~.~.~.~.~.~  
  
Ad Peeps suffers from Persistent Cross site Vulnerability  
  
~.~.~.~.~.~.  
PoC-Exploit  
~.~.~.~.~.~.  
  
Step1 : Go to View Visitor Log -> Click any one of Ad Number -> Edit  
Setting ->Add New Text add  
  
Demo url :  
http://demo.adpeeps.com/index.php?loc=createadvertad&uid=100000&campaignid=1105&adno=99&adtype=banner  
  
Step2 : Enter the malicious script on those fields and save all changes  
  
Step3 : Persistent Cross site script is Confirmed  
  
Parameter used : '"--><script>alert(0x000872)</script>  
  
Screenshot -> http://i49.tinypic.com/xq077.png  
  
~.~.~.~.~.~.~.~.~.~.  
Disclosure Timeline  
~.~.~.~.~.~.~.~.~.~.  
  
14th January 2013 -> Vendor Notified  
  
  
  
--   
Regards,  
Viknesvaran Sittaramane [ VSN ]  
`