Proof of Concept, Stored XSS, SmarterStats 6.2.4100 - Reported May 5, 2011
Many sites expose the API through the built-in SmarterTools web server on a public IP address and/or use it for backend provisioning systems, and then run IIS on port 80 for public / end-user access; Plesk Control Panel for Windows is one such setup.
This is the cut-and-paste from the help file (quoting): "By default, SmarterStats installs a basic Web server that allows companies to start using the application immediately after installation. However, SmarterTools recommends moving to a more robust and secure Web server, such as Microsoft IIS."
Cross-site scripting (stored) + Cross-site scripting (reflected) SmarterStats 6.x
Cleartext submission of password - SmarterStats 6.x
Password field with autocomplete enabled - SmarterStats 6.x
Cross-domain Referer leakage - SmarterStats 6.x
Cookie without HttpOnly flag set - SmarterStats 6.x
Content type incorrectly stated - SmarterStats 6.0
Content type incorrectly stated - SmarterStats 6.x (6.2.4100)/Client/frmCustomReport.aspx