Jump to content
Aerosol

NASA.gov Cross Site Scripting

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

######################################################################
# Exploit Title: NASA.gov sub-domains Multiple vulnerabilities
# Date: 27/01/2015
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: Multiple vulnerabilities
# Google dork:
# Tested on: NASA.gov sub-domains
######################################################################

NASA description :
=======================================================================================

The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as 
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- Planetary Data System (PDS) : Reflected Cross-Site Scripting (RXSS)
- NASA’s Archive of Data on Energetic Phenomena (HEASARC) : Reflected Cross-Site Scripting (RXSS)
- Direct Readout Laboratory (directreadout) de la NASA : Reflected Cross-Site Scripting (RXSS) and potential SQLi.


Vulnerability description :
=======================================================================================
Reflected XSS are available in each nasa.gov sub-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies. 
These reflected XSS are on GET variables and are not properly sanitized before being used in pages.


Planetary Data System (PDS) - pds.nasa.gov - PoC :
=======================================================================================

A non-persistent XSS (RXSS) in "INSTRUMENT_HOST_ID" GET param is available in the pds.nasa.gov sub-domain.
Tested on Firefox 33.0.

PoC:

http://pds.nasa.gov/ds-view/pds/viewHostProfile.jsp?INSTRUMENT_HOST_ID=NH<img src='x' onerror='alert(/Reflected XSS - Yann CAM @asafety/);' /> for CFSQLTYPE CF_SQL_INTEGER. <br>The error occurred on line 13.


Screenshots :
=======================================================================================

- [url]http://www.asafety.fr/data/20140824-nasa001.png[/url]
- [url]http://www.asafety.fr/data/20140824-nasa002.png[/url]
- [url]http://www.asafety.fr/data/20140824-nasa003.png[/url]
- [url]http://www.asafety.fr/data/20140824-nasa004.png[/url]
- [url]http://www.asafety.fr/data/20140824-nasa005.png[/url]


Solution:
=======================================================================================

Fixed by each NASA Portal's team.


Additional resources :
=======================================================================================

- [url]http://www.nasa.gov/[/url]
- [url]http://pds.nasa.gov/[/url]
- [url]http://heasarc.gsfc.nasa.gov/[/url]
- [url]http://directreadout.sci.gsfc.nasa.gov/[/url]
- [url]http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-sous-domaines-multiples-vulnerabilites/[/url]
- [url]http://www.synetis.com[/url]


Report timeline :
=======================================================================================

2014-10-31 : Each NASA Portal's team was alerted by email.
2014-10-31 : PDS team feedback with thanks.
2014-11-04 : PDS and HEASEARC portals fixed.
2014-12-04 : Second email to DRL team to get a status.
2014-12-27 : Account creation on DRL portal to send tp the DRL team through contact form.
2015-01-07 : DRL portal seems to be fixed. All vulnerabilities are fixed on each portal.
2015-01-27 : Public advisory

Credits :
=======================================================================================

    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    [url]www.synetis.com[/url]
                 8888  Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: [url]www.synetis.com[/url] | [url]www.asafety.fr[/url]

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...