NASA Tri-Agency Climate Education (TrACE) v1.0 Multiple XSS Vulnerabilities

Title: NASA Tri-Agency Climate Education (TrACE) v1.0 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2012-5111
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 26.10.2012
Summary
The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.
Description
The application suffers from a reflected cross-site scripting vulnerability: input passed via the 'product_id', 'pi', 'project_id' and 'funder' GET parameters to the 'trace_results.php' script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
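The fix for this class of issue, as an added example that is not part of the original advisory and not TrACE source code: validate the four parameters on input and encode them at the point of output. The helper names, the assumption that the two *_id parameters are numeric, and the sample values are all hypothetical; ENT_SUBSTITUTE requires PHP 5.4 or later and mb_substr requires the mbstring extension.

```php
<?php
// Added illustration, not TrACE source code: handling the four GET
// parameters named in the advisory before they are written into HTML.

// Assumption: the two *_id parameters are numeric identifiers.
const ID_PARAMS   = ['product_id', 'project_id'];
const TEXT_PARAMS = ['pi', 'funder'];

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return validated copies of the parameters. IDs that are not all digits
 * are dropped; free-text values are length-limited but kept raw, because
 * encoding belongs at output time, in the context where the value is used.
 */
function read_params(array $query): array
{
    $clean = [];
    foreach (ID_PARAMS as $name) {
        $v = $query[$name] ?? null;
        if (is_string($v) && ctype_digit($v) && strlen($v) <= 10) {
            $clean[$name] = (int) $v;
        }
    }
    foreach (TEXT_PARAMS as $name) {
        $v = $query[$name] ?? null;
        if (is_string($v) && $v !== '') {   // also rejects array input (pi[]=x)
            $clean[$name] = mb_substr($v, 0, 200, 'UTF-8');
        }
    }
    return $clean;
}

// Constructed sample values (markup characters only); in the real script
// this would be $_GET.
$sample = ['product_id' => '42', 'project_id' => '7">',
           'pi' => 'Smith & <Jones>', 'funder' => 'NASA "ESE"'];
$p = read_params($sample);   // project_id is dropped: not all digits

// Unsafe (hypothetical, for contrast): echo 'Results for ' . $_GET['pi'];
// Safe: encode where the value enters the HTML, for text, attribute and URL.
echo '<p>Results for ', h($p['pi'] ?? ''), '</p>', "\n";
echo '<input name="funder" value="', h($p['funder'] ?? ''), '">', "\n";
echo '<a href="trace_results.php?', h(http_build_query($p)), '">permalink</a>', "\n";
```

With the sample values, the angle brackets, ampersand and quotes reach the browser as &lt;, &gt;, &amp; and &quot;, so they render as text instead of being parsed as markup.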
Vendor
NASA - http://www.nasa.gov
Affected Version
1.0
Tested On
Apache/2.2.21
PHP 5.2.17
Vendor Status
[03.10.2012] Vulnerabilities discovered.
[03.10.2012] Initial contact with the vendor.
[04.10.2012] No reply from vendor.
[05.10.2012] Tried contacting the vendor again.
[12.10.2012] No reply from vendor.
[13.10.2012] Last try contacting the vendor.
[15.10.2012] Vendor replies stating that the problem is solved?!
[16.10.2012] Replied to vendor that no problems are solved because no details were sent nor problems explained.
[17.10.2012] Vendor decides to talk seriously and asks for details, cynically.
[18.10.2012] Sent detailed information and PoC files to the vendor.
[22.10.2012] Asked vendor for status report.
[22.10.2012] No reply from vendor.
[23.10.2012] Vendor silently patches the application (v2.0).
[23.10.2012] Asked vendor to have proper communication.
[25.10.2012] No reply from vendor.
[25.10.2012] Pointed out the disclosure policy and ethical communication to the vendor.
[26.10.2012] Public security advisory released.
PoC
nasatrace_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/117692
[2] http://cxsecurity.com/issue/WLB-2012100236
Changelog
[26.10.2012] - Initial release
[11.11.2012] - Added reference [1] and [2]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk