An Information Security Expert Narendra Bhati, from Sheoganj, India has discovered Reflected Cross site scripting vulnerability in the official website of MTS website(mtsindia.com).
MTS group is an Indian mobile network operator headquartered in New Delhi, that provides wireless voice, messaging and data services in India.
The vulnerability exists in the Search field of the website. Injecting the xss code in the Search box will execute successfully the injected code.
For instance, injecting the following code in the search box will display the alert box:
"><script>alert("E Hacking News")</script>Narendra also found that the field allows user to run the iframe code also. So , possibly, a hacker can inject phishing page to scam innocent visitors.
"/><iframe src="http://www.google.com" width=1000 height=1000></iframe>
