Executive Summary

Summary
Title Washington Courts website vulnerable to SQL injection and cross-site scripting
Informations
Name VU#807665 First vendor Publication 2010-09-09
Vendor VU-CERT Last vendor Modification 2010-10-20
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#807665

Washington Courts website vulnerable to SQL injection and cross-site scripting

Overview

The Washington Courts website (http://www.courts.wa.gov/) is vulnerable to SQL injection and cross-site scripting. An attacker could gain access to information stored on the site or manipulate how the site appears to victims who browse to an attacker-supplied URL.

I. Description

The Washington Courts website (http://www.courts.wa.gov/) is vulnerable to SQL injection and cross-site scripting. More information is available in an advisory from IOActive.

II. Impact

Based on information from the Washington Courts, there appears to be little or no consequence to the SQL injection vulnerability. The Washington Courts system has stated that there is no sensitive information on the site and that the site has read-only access to back-end databases. Assuming there are no exceptions, an attacker could only gain read access to publicly available information.

An attacker could exploit the cross-site scripting vulnerability to manipulate the site's appearance to a victim who browsed to an attacker-supplied URL. An attacker may be able to entice a victim to provide sensitive information in the context of the Washington Courts website. It does not appear that the site features user authentication, and no authentication information appears in cookies.

III. Solution

We are currently unaware of a solution to this problem.

Do not access untrusted URLs; instead, use trusted bookmarks or type URLs directly. Consider disabling scripts from untrusted domains, and generally follow secure browsing practices.

Vendor Information

VendorStatusDate NotifiedDate Updated
Washington CourtsAffected2010-04-132010-08-31

References

http://www.ioactive.com/pdfs/SQL_Injection_and_XSS.pdf
http://www.courts.wa.gov/
http://www.us-cert.gov/reading_room/securing_browser/
http://www.us-cert.gov/cas/tips/ST04-014.html

Credit

These vulnerabilities were reported by IOActive.

This document was written by Art Manion.

Other Information

Date Public:2010-09-07
Date First Published:2010-09-09
Date Last Updated:2010-10-20
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:0.00
Document Revision:18

Original Source

Url : http://www.kb.cert.org/vuls/id/807665