Vulnerable Vulnerability Databases.
Since these issues have already been corrected after my responsible disclosure, I want to make them public here so that we can all learn from them. Over the last couple of months I disclosed numerous vulnerabilities to high-profile companies, ranging from XSS to serious SQL injection. Today I would like to show you a surprising XSS vulnerability that affected NIST. The National Institute of Standards and Technology is a federal technology agency that develops and promotes measurement, standards, and technology, and it also maintains a vulnerability database (the NVD) that keeps track of almost any vulnerability it can get its hands on.
http://nvd.nist.gov/ was vulnerable to reflected cross-site scripting. The User-Agent header was not sanitized and was echoed back into the page whenever the site hit an error. Triggering such an error is simple: supply a string in a parameter the application expects to be an integer, so that the conversion fails and the error page is rendered. Any of the following values in the POST data does it:
    POSTDATA=Action=Update+Scores&AccessVectorVar=0.395">
    &ConfImpactVar=0">
    &ConfidentialityRequirementVar=-1">
Exploiting the issue requires the request to carry a spoofed User-Agent header. A malicious iframe can make requests on the user's behalf and thereby abuse the hole inside NIST, with a header like this:
    User-Agent="><script>alert(document.cookie);</script><"
One caveat for anyone assessing impact: the browser sets the User-Agent on every request a page or iframe makes and does not let page script override it, so the iframe alone cannot supply this payload. The attacker needs some other way to control the victim's request headers (a tampered or non-browser client, an intercepting proxy, or a request the victim replays themselves), which makes a header-based reflection harder to weaponize than a reflected query parameter. The defect on the server side is the same either way: a request value rendered into HTML without escaping.
NIST was notified and fixed the issue promptly.
Mitre was vulnerable as well, to a lower-impact XSS, in one of the best-known places to find one: the search field. The search page looks a lot like a Google Search Appliance front end, though I'm not sure. Mitre has fixed the issue and is investigating how it could have happened, since they told me they had just had a security sweep. The reflecting URL was:
    http://www-search.mitre.org/search?client=mitre&site=mitre&proxystylesheet=mitre&oe=utf8&q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&output=xml_no_dtd&submit.x=0&submit.y=0&submit=Search
The q parameter decodes to the same payload as above:
    "><script>alert(document.cookie);</script><"
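Both reflection points above, the error page that echoes the User-Agent and the search page that echoes q, come down to one defect: untrusted request data interpolated into HTML without escaping. The following Python example is added here and is not code from NIST, Mitre or the original post. It models both pages with a minimal handler, reuses the post's own parameter names but otherwise assumes a made-up request format and error page, and shows the vulnerable rendering beside the escaped one. The payload is the one from the post, embedded as a constructed string.

```python
import html
from urllib.parse import parse_qs

# Constructed payload, the same one the post injects via User-Agent and via q.
XSS_PAYLOAD = '"><script>alert(document.cookie);</script><"'

# Parameter names are the post's own; the handler around them is illustrative.
INT_FIELDS = ("AccessVectorVar", "ConfImpactVar", "ConfidentialityRequirementVar")


def parse_score_form(body):
    """Parse a POST body and coerce the score fields to int.

    A value such as '0.395">' is not an int, so int() raises ValueError and
    the caller falls into its error path: the trigger the post describes.
    """
    fields = parse_qs(body, keep_blank_values=True)
    scores = {}
    for name in INT_FIELDS:
        raw = fields.get(name, ["0"])[0]   # assumed default when a field is absent
        scores[name] = int(raw)
    return scores


def error_page_vulnerable(exc, user_agent):
    """Error page that interpolates raw request data into HTML (reflected XSS).

    The ValueError text itself contains the offending parameter value, so this
    page has two reflection points, not just the header.
    """
    return (f"<p>Error: {exc}</p>"
            f'<p>User agent: "{user_agent}"</p>')


def error_page_fixed(exc, user_agent):
    """Same page with every request-derived string HTML-escaped first."""
    return (f"<p>Error: {html.escape(str(exc))}</p>"
            f'<p>User agent: "{html.escape(user_agent)}"</p>')


def handle_update_scores(body, user_agent, render_error):
    """Minimal request handler: returns (status, html_body)."""
    try:
        parse_score_form(body)
    except ValueError as exc:
        return 500, render_error(exc, user_agent)
    return 200, "<p>Scores updated.</p>"


def search_page_vulnerable(q):
    """Search form that echoes the query into an attribute and into text, unescaped."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def search_page_fixed(q):
    """html.escape() encodes the double quote as well (quote=True by default),
    which is what stops the leading "> of the payload from closing the attribute."""
    safe = html.escape(q)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def reflects_script(page):
    """Crude response check a tester would run: is a raw <script> tag present?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    body = 'Action=Update+Scores&AccessVectorVar=0.395">'
    for render in (error_page_vulnerable, error_page_fixed):
        status, page = handle_update_scores(body, XSS_PAYLOAD, render)
        print(render.__name__, status, reflects_script(page))
    print(reflects_script(search_page_vulnerable(XSS_PAYLOAD)),
          reflects_script(search_page_fixed(XSS_PAYLOAD)))
```

Running the block prints True for the two vulnerable renderers and False for the fixed ones. Two points worth taking from it: the exception message carries the bad parameter value, so an error page that "only" shows the header still has a second reflection point, and the fix is to escape everything that came from the request rather than the one field you noticed; and in an attribute context the quote escaping is what matters, because the payload starts with "> precisely to break out of a value="..." attribute before opening its own tag.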
XSS is well known and not normally worth a post. But I think both examples show that security vulnerabilities can pop up anywhere: after you make code changes, after you replace your search functionality with a third-party search product, or when someone forgets that the User-Agent header can be forged just like any other input. In either case, food for thought if you weren't aware of that. In my next article we'll move on to the juicier vulnerabilities.