I found a new xss in php-stats 0.1.9.2 http://phpstats.net/ http://www.example.com/php-stats-path/tracking.php?what=online&ip=[XSS] Stats must have public access for this (difference from whois.php XSS).