NASA Tri-Agency Climate Education (TrACE) v1.0 Multiple XSS Vulnerabilities Vendor: NASA Product web page: http://www.nasa.gov Affected version: 1.0 Summary: The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education. Desc: The application suffers from a reflected cross-site scripting vulnerability when input is passed to the 'product_id', 'pi', 'project_id' and 'funder' GET parameters in 'trace_results.php' script which is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache/2.2.21 PHP 5.2.17 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Zero Science Lab - http://www.zeroscience.mk Vendor status: [03.10.2012] Vulnerabilities discovered. [03.10.2012] Initial contact with the vendor. [04.10.2012] No reply from vendor. [05.10.2012] Tried contacting the vendor again. [12.10.2012] No reply from vendor. [13.10.2012] Last try contacting the vendor. [15.10.2012] Vendor replies stating that the problem is solved?! [16.10.2012] Replied to vendor that no problems are solved because no details were sent nor problems explained. [17.10.2012] Vendor decides to talk serious and asks for details, cynically. [18.10.2012] Sent detailed information and PoC files to the vendor. [22.10.2012] Asked vendor for status report. [22.10.2012] No reply from vendor. [23.10.2012] Vendor silently patches the application (v2.0). [23.10.2012] Asked vendor to have proper communication. [25.10.2012] No reply from vendor. [25.10.2012] Pointed out to the vendor about disclosure policy and ethical communication. [26.10.2012] Public security advisory released. Advisory ID: ZSL-2012-5111 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php 03.10.2012 PoC: ---- - https://www.example.com/trace/trace_results.php?product_id=117">&project_id=40&funder=31&pi=43 - https://www.example.com/trace/trace_results.php?product_id=117&project_id=40">&funder=31&pi=43 - https://www.example.com/trace/trace_results.php?product_id=117&project_id=40&funder=31">&pi=43 - https://www.example.com/trace/trace_results.php?product_id=117&project_id=40&funder=31&pi=43">