
NASA Tri-Agency Climate Education (TrACE) v1.0 SQL Injection Vulnerability

High
Advisory ID: ZSL-2012-5112
Release Date: 26 October 2012
Vendor:
Affected Version: 1.0
CVE: N/A
Tested On: Apache/2.2.21, PHP 5.2.17
Summary

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

Description

The application suffers from SQL injection vulnerabilities: input passed via the 'product_id' and 'grade' GET parameters to the 'trace_results.php' script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
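
The class of fix for the two parameters named above, as an added example (not TrACE source code and not the vendor's patch): each value is validated against an allowlist and then bound as a query parameter instead of being concatenated into the SQL text. The `products` table, its columns, the function names and the accepted `grade` format are assumptions made for illustration.

```php
<?php
// Added example. Table, columns and the grade format are assumptions, not TrACE's schema.

// product_id must be a positive integer; anything else (arrays included) is rejected.
function parse_product_id($raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

// Assumed grade format: a short token such as "K", "5" or "9-12".
function parse_grade($raw) {
    return (is_string($raw) && preg_match('/\A[A-Za-z0-9-]{1,8}\z/', $raw)) ? $raw : null;
}

// Returns matching rows, or null when a parameter fails validation (caller sends HTTP 400).
// The SQL text is built only from fixed strings; request values travel as bound parameters.
function find_products(PDO $db, array $query) {
    $where = array();
    $binds = array();
    if (isset($query['product_id'])) {
        $id = parse_product_id($query['product_id']);
        if ($id === null) { return null; }
        $where[] = 'product_id = :product_id';
        $binds[] = array(':product_id', $id, PDO::PARAM_INT);
    }
    if (isset($query['grade'])) {
        $grade = parse_grade($query['grade']);
        if ($grade === null) { return null; }
        $where[] = 'grade = :grade';
        $binds[] = array(':grade', $grade, PDO::PARAM_STR);
    }
    $sql = 'SELECT product_id, title, grade FROM products';
    if ($where) { $sql .= ' WHERE ' . implode(' AND ', $where); }
    $stmt = $db->prepare($sql);
    foreach ($binds as $b) { $stmt->bindValue($b[0], $b[1], $b[2]); }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, title TEXT, grade TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Carbon Cycle Lab', '9-12'), (2, 'Weather Basics', 'K')");

var_dump(count(find_products($db, array('product_id' => '1', 'grade' => '9-12')))); // well-formed request
var_dump(find_products($db, array('product_id' => '1 abc')));  // malformed product_id
var_dump(find_products($db, array('grade' => "K' x")));        // malformed grade
```

Because the advisory also notes that input is returned to the user, any value echoed back into the results page needs output encoding (for example `htmlspecialchars`) in addition to the query-side fix.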

Proof of Concept
Disclosure Timeline
03.10.2012 - Vulnerability discovered.
03.10.2012 - Initial contact with the vendor.
04.10.2012 - No reply from vendor.
05.10.2012 - Tried contacting the vendor again.
12.10.2012 - No reply from vendor.
13.10.2012 - Last try contacting the vendor.
15.10.2012 - Vendor replies stating that the problem is solved?!
16.10.2012 - Replied to vendor that no problems are solved because no details were sent nor problems explained.
17.10.2012 - Vendor decides to talk seriously and asks for details, cynically.
18.10.2012 - Sent detailed information and PoC files to the vendor.
22.10.2012 - Asked vendor for status report.
22.10.2012 - No reply from vendor.
23.10.2012 - Vendor silently patches the application (v2.0).
23.10.2012 - Asked vendor to have proper communication.
25.10.2012 - No reply from vendor.
25.10.2012 - Pointed out the disclosure policy and ethical communication to the vendor.
26.10.2012 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.10.2012 - Initial release
11.11.2012 - Added reference [1] and [2]