lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090420034857.10299.qmail@securityfocus.com>
Date: 20 Apr 2009 03:48:57 -0000
From: reportback@...dthepost.com
To: bugtraq@...urityfocus.com
Subject: Sungard Banner System XSS

_|      _|    _|_|_|    _|_|_|  
  _|  _|    _|        _|        
    _|        _|_|      _|_|     By: gamr
  _|  _|          _|        _|  
_|      _|  _|_|_|    _|_|_|   


# Header #

Product - Banner Student System by SunGard
Specific Page - http://www.EXAMPLE.com/PATH/twbkwbis.P_SecurityQuestion (Change Security Question)
Version - 7.4 / earlier versions could be effected also 
Product URL - http://www.sungardhe.com/Products/Product.aspx?id=1024
Bug Type - Cross Site Scripting (XSS)
Discovery Date - 04/06/2009
Notification Date - 04/06/2009

# Contact #

Author - gmar
Website - yougotxssed.com

# Bug in a nut shell #

Students that use this system could inject malicious code into the "New Question: " field (NAME="question"). When saving the changes, the system does not strip out HTML entities.

# Bug scenario #

Jim does not like his teacher / administrator at his school. He changes his forgotten pin security question. He puts in a specially crafted piece of code in the field to call a remote javascript file. He emails his teacher administrator and tells them he has forgotten his password and wonders if they could walk him through out to retrieve it. He tells them that he can not get it to work and asks them if the could try to retrieve his password. They enter in his username and hit the "forget password?" button. The next screen comes up and the script is launched. Jim could steal the session of the teacher / administrator, he could fake a login page and wait for his teacher /administrator to authenticate, or he could just do malicious things to their browser. 

# Bug PoC #

Enter ANY html into the "New Question" field and hit submit.
Logout and then go to the login screen again.
Enter in your username and hit forget password.

# Fix #

Sanitize the user input in all fields to make sure there is no unwanted characters ( html entities ).  You could encode them on POST.






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ