[Woc-notify] [CM Request for Change - AWS 0011641]: Cross Site Scripting Vulnerabilities
Mantis Bug Tracker
noreply at newadmin.awids
Tue Jul 3 18:31:27 UTC 2012
The following issue has been UPDATED.
======================================================================
https://mantis.awids/view.php?id=11641
======================================================================
Reported By: Adrian Noland
Assigned To: Adrian Noland
======================================================================
Project: CM Request for Change - AWS
Issue ID: 11641
Category: 22.1.2) AviationWeather.gov
Reproducibility: always
Severity: major
Priority: immediate
Status: assigned
TIN Required? (If "YES" please upload):
Deadline:
Disposition:
Configuration Change Authority:
Disposition Date:
Level of Change: Level 2 (Moderate)
Change Notification:
======================================================================
Date Submitted: 06-27-2012 17:24 UTC
Last Modified: 07-03-2012 18:31 UTC
======================================================================
Summary: Cross Site Scripting Vulnerabilities
Description:
---------- Forwarded message ----------
From: Chris Hornbrook <chris.f.hornbrook at noaa.gov>
Date: Tue, Jun 26, 2012 at 5:36 PM
Subject: NOAA Aviation Weather XSS
To: Sean Wink <sean.wink at noaa.gov>, Graham Stork <graham.stork at noaa.gov>
Saw this article that mentions that the NOAA Aviation Weather site
has XSS vulnerabilities:
http://news.softpedia.com/news/Team-Digi7al-Leaks-Data-from-San-Jose-State-University-Stanford-Others-277614.shtml
======================================================================
----------------------------------------------------------------------
(0030296) Adrian Noland (developer) - 06-27-12 17:26
https://mantis.awids/view.php?id=11641#c30296
----------------------------------------------------------------------
FYI: Ticket for XSS vulnerabilities
----------------------------------------------------------------------
(0030346) Adrian Noland (developer) - 07-02-12 18:04
https://mantis.awids/view.php?id=11641#c30346
----------------------------------------------------------------------
Summary:
It was reported that the CAWS site was vulnerable to XSS attacks. This
could allow a malicious user to use www.aviationweather.gov as a vector in
attacks on end users.
An initial report was made on Dec11 at http://www.xssed.com/mirror/74530/
that we found after we began researching the problem. We found further
evidence in the resources sent from the user contact form. An audit found
more vulnerable pages.
Files changed:
library/AWC/Application/Controller/Plugin/XssFilter.php
application/configs/application.ini
application/modules/default/controllers/ErrorController.php
application/modules/popups/controllers/TafsmetarsController.php
application/modules/adds/controllers/IcingController.php
application/modules/adds/controllers/PhputilsController.php
application/modules/adds/views/scripts/phputils/airportweather.phtml
doc-root/exp/pirep_submit/select.php
doc-root/exp/pirep_submit/accesslist.php
doc-root/exp/ellrod/rap/index.php
doc-root/exp/ellrod/ruc/index.php
doc-root/exp/ellrod/nam/index.php
doc-root/gis/makepirepkml.php
doc-root/jump/index.php
doc-root/testbed/afd/index.php
doc-root/testbed/cwsu/tafboard/additional.php
doc-root/testbed/cwsu/tafboard/index.php
doc-root/testbed/cwsu/tafboard/tafboard_nomenu.php
doc-root/testbed/cwsu/tafboard/tstation.php
doc-root/testbed/cwsu/tafboard/tstation_nomenu.php
doc-root/testbed/cwsu/tstatus/index.php
doc-root/testbed/avwx/index.php
doc-root/testbed/cwsu/tstatus/tstatus_nomenu.php
doc-root/testbed/globalgrids/displaygrid.php
doc-root/testbed/wxoutlook/index.php
Technical Impact:
High: Many pages were modified as a result of the audit as well as a front
controller plugin (XssFilter.php) to make sure all areas of user input are
clean.
User Impact:
High: The changes will prevent www.aviationweather.gov from being used as
an attack vector.
Testing:
The reported page was /products/tafs and /products/metars. Further
analysis found the airport weather lookup on front page as well as some
other pages that were vulnerable. Using the string '/"><script>alert('Xss
ByAtm0n3r')</script>' in any of the page queries should, at a minimum, not
execute the javascript alert, and in most cases show an error page.
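Added example, not the project's XssFilter.php or any file from the list above: a minimal PHP airport-weather lookup handler showing the reflected XSS pattern the ticket describes beside its hardened form (identifier allowlist plus context-aware escaping), checked with a constructed variant of the ticket's probe string. Function names, the `/adds/metars?ids=` link and the probe payload are assumptions.

```php
<?php
// Vulnerable pattern: the query value is echoed straight into the page,
// in both an HTML text context and an attribute context.
function render_lookup_vulnerable($station)
{
    return '<h2>Weather for ' . $station . '</h2>'
         . '<a href="/adds/metars?ids=' . $station . '">METAR</a>';
}

// Step 1: accept only a plausible station identifier (3 or 4 ASCII
// letters/digits). Returns null when the value is rejected.
function validate_station($station)
{
    if (!is_string($station)) {
        return null;
    }
    $station = strtoupper(trim($station));
    return preg_match('/^[A-Z0-9]{3,4}$/', $station) ? $station : null;
}

// Step 2: escape for the HTML context even after validation (defense in depth).
// ENT_QUOTES also covers single quotes inside attributes.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened handler: rejected input yields an error page, as the ticket's
// testing note expects; accepted input is escaped per context.
function render_lookup_hardened($station)
{
    $id = validate_station($station);
    if ($id === null) {
        return '<h1>Error</h1><p>Invalid station identifier.</p>';
    }
    return '<h2>Weather for ' . h($id) . '</h2>'
         . '<a href="/adds/metars?ids=' . rawurlencode($id) . '">METAR</a>';
}

// Regression check: constructed probe in the shape of the ticket's string.
function probe_check()
{
    $probe = '/"><script>alert(1)</script>';
    return array(
        'vulnerable_reflects_script' => stripos(render_lookup_vulnerable($probe), '<script') !== false,
        'hardened_blocks_script'     => stripos(render_lookup_hardened($probe), '<script') === false,
        'hardened_shows_error_page'  => strpos(render_lookup_hardened($probe), '<h1>Error') !== false,
        'valid_station_still_works'  => strpos(render_lookup_hardened('kden'), 'KDEN') !== false,
    );
}

var_dump(probe_check());
```

The same validate-then-escape rule applies to every query parameter the audited pages read; the validation regex is specific to station identifiers and needs its own allowlist per parameter.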