Muhd Hafiz Ahmad
74 followers|56,709 views
Found an interesting article somewhere on the Net regarding a SharePoint weakness...

~~~~~~~~~~~~~~~~~~~~~~~

Hacktics Research Group Security Advisory
http://www.hacktics.com/#view=Resources%7CAdvisory

By Irene Abezgauz, Hacktics.
22-Feb-2010

===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, a persistent
cross-site scripting vulnerability was identified in the SharePoint document
handling module. This vulnerability allows attackers to gain control over
valid user accounts, perform operations on their behalf, redirect them to
malicious sites, steal their credentials, and more. 

A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available in: 
   http://www.hacktics.com/content/advisories/AdvMS20100222.html

===============
II. The Finding
===============
The document module of the SharePoint server allows attackers to inject
malicious scripts into dynamically generated web content through file
uploading. These scripts will be executed in the browser of any user viewing
the infected content (persistent cross site scripting).

Further research and correspondence with Microsoft Security Response Center
has identified that a partial mention of this vulnerability appears in
CVE-2008-5026. However, as this is only partial, there is no bugtraq record
for this vulnerability and there is no fix (making it still valid on most
SharePoint deployments), we have decided to release this to the list. 

============
III. Details
============
The Documents module is vulnerable to persistent cross site scripting: 
   https://<mySharePointServer>/<id>/_layouts/Upload.aspx

An attacker can inject malicious scripts into a file and upload it. When any
user accesses the uploaded file, it is displayed directly in their
browser (rather than being downloaded to the computer), and the
malicious script is executed in the context of the vulnerable
SharePoint site.

This vulnerability can obviously be exploited with HTML files (as mentioned
in CVE-2008-5026), but can also be exploited with any other file type parsed
as HTML by the browser. In our testing we were able to reproduce this with
uploads of TXT files as well.

===========
IV. Exploit
===========
An attacker can embed a malicious script (for example,
<script>alert("XSS")</script>) in a document uploaded to the SharePoint site.
When any other user (an administrative user or a regular user who views
documents in the system) opens the file, the malicious script will be
executed in their browser.

==================
V. Vendor Response
==================
We contacted the Microsoft Security Response Team on 13-Dec-2009.
Microsoft's response, in short, was that this is a known issue, and is
considered a low impact vulnerability by Microsoft for the following
reasons:

1. Authentication and the ability to write to the SharePoint site are
required to exploit this scenario.
2. Significant workarounds exist that allow SharePoint server configurations
to be isolated from cross domain exploitation.
3. SharePoint administrators can restrict the uploading of files to
SharePoint servers.

Hacktics' research team has reviewed this response and has certain
reservations about it. Having users authenticate and upload
documents is the inherent functionality of SharePoint. Many organizations
have implemented complex environments on top of this functionality, with a
need for strict authorization separation, which is easily circumvented using
this exploit.

Moreover, although the proposed workaround does indeed reduce the risk of
this vulnerability, it requires a rather complex configuration to set up and
maintain, especially in internet-facing environments. Such a solution may
not be easily adopted by most SharePoint administrators.

Finally, restricting the uploading of files may indeed provide a solution, but
may very well not be acceptable to the system's users.

It is important to note that despite this response, Microsoft has fixed this
problem entirely in SharePoint 2010. 

=======================
VI. Solution/Workaround
=======================
There is currently no fix for the problem and Microsoft has no plan to
release one for SharePoint 2007. Once SharePoint 2010 is officially
released, this could be resolved by upgrading to SharePoint 2010.

Nonetheless, in case this poses a security risk, a workaround suggested
by Microsoft is to build the SharePoint site with a separate host name
for each collection, as described in:
   http://technet.microsoft.com/en-us/library/cc262778.aspx#section6

As already mentioned, this may involve complex configuration and
maintenance, and does not provide a full solution to the risk. It is
therefore recommended that uploading of HTML files, as well as any text type
files, be disabled in the SharePoint configuration.

=====================
VII. Affected Systems
=====================
Microsoft Office SharePoint Server 2007.

============
VIII. Credit
============
The vulnerability was discovered by Irene Abezgauz, Hacktics Ltd.


---
Ofer Maor
CTO, Hacktics
Chairman, OWASP Israel

Web: www.hacktics.com



_____________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
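The advisory's recommended workaround (refuse HTML and text-type uploads) and the general defence against a browser rendering a stored upload as HTML (serve it as a download with content sniffing disabled) can be expressed as an upload policy check plus a response-header helper. The Python below is an added example written for this page; it is not code from Hacktics, Microsoft or SharePoint, and the function names, the blocked-extension set and the sample uploads are assumptions constructed for illustration. It goes slightly beyond the advisory by also rejecting a file of any extension whose leading bytes contain HTML markup, since the advisory notes that browsers will parse TXT content as HTML.

```python
import os
import re
from typing import Dict, Tuple

# Extensions the advisory recommends refusing at upload time: HTML, plus text
# types that browsers may still render as HTML when served inline.
# Constructed policy set (assumption); extend it to match your environment.
BLOCKED_EXTENSIONS = {".html", ".htm", ".xhtml", ".txt"}

# Markup that makes a sniffing browser treat a response body as HTML. This is
# a backstop for the extension rule: it catches a "notes.csv" holding a script.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|body|script|iframe|img|svg|object|embed)\b",
    re.IGNORECASE,
)

# Leading bytes to inspect; browsers sniff roughly the first 512-1024 bytes.
SNIFF_WINDOW = 1024


def looks_like_html(data: bytes) -> bool:
    """True if the start of the upload contains tags a browser would render."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def upload_allowed(filename: str, data: bytes) -> Tuple[bool, str]:
    """Apply the advisory's workaround: reject HTML and text uploads, and
    reject anything else whose content would be sniffed as HTML.
    Returns (allowed, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} is not permitted"
    if looks_like_html(data):
        return False, "content contains HTML markup"
    return True, "ok"


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored upload so the browser never renders it in
    the site's origin: force a download and forbid content sniffing."""
    # Restrict the filename to a safe character set so it cannot break the
    # header or smuggle path components.
    base = os.path.basename(filename)
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample uploads, including the advisory's own test payload
    # hidden inside a CSV file (a non-blocked extension).
    samples = {
        "quarterly.pdf": b"%PDF-1.4\n%...binary...",
        "readme.txt": b"plain notes, no markup",
        "data.csv": b"name,amount\n<script>alert(\"XSS\")</script>,1\n",
    }
    for name, body in samples.items():
        ok, why = upload_allowed(name, body)
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
    print(download_headers("quarterly report.pdf"))
```

The header helper is the part that would have removed the impact even for files the policy lets through: a file returned with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` is saved to disk rather than executed in the SharePoint site's origin, which is exactly the inline rendering the advisory's exploit depends on.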
Who would like to give a shot first?
 
For developers accepting the challenge:
Schedule.
Entrance. Register on location, find your seat, connect to the test-server (plan enough time for this purpose).
14:00–18:00 (local time): Contest. The exciting part in which you fight through the levels.
After 18:00: Award ceremony and buffet. Prizes are awarded, we provide snacks + beer.
I love the idea, great innovation and I appreciate it.
 
Would you use a Microsoft Surface computer if it ran Android?

I'm not sure, but three ex-Google employees have made what looks very much like a Microsoft Surface clone and equipped it with Android in hopes that you'll answer yes to that question. The Remix computer comes with detachable keyboard cover, a kickstand, and a UI that seems like a mix between Android, Chrome OS, and Microsoft's Metro Modern UI.
Microsoft Surface is thin, powerful, portable, and has a keyboard that doesn't add any bulk. The only problem for some people is that it runs Windows. Three
For my fellow friends in Malaysia (because they can understand this), whether Chinese or Indian, it doesn't matter, I share this with you...

#chines #indian #mualaf #muslim
For those who are bashing Islam about women's rights in Islam, please watch this till the end.

#Islam #WomensRights #DrZakirNaik  #Conference
I wish to own one of these...

#aquarium #fishtank
When it comes to pimping out a fish tank, a novice might purchase a bag of brightly colored gravel and a few plastic ornaments.
#Sony seems ready for Lollipop on its #Xperia lineup.
Learn more about some minor changes that it seems Sony is planning for its Android 5.0 Lollipop update, as the navigation keys seem different.
Hi guys, I would like to ask you about a script like this placed at the client-side level: what is the impact or loophole that can interrupt the actual payment calculation process inside an online payment form? Care to discuss this, guys?

I'll give you an example which I managed to get from an online payment form from a company. I believe this script is exposed to some potential threat.

* I'm not a hacker ;-P


#script #clientside #javascript #programming #security #codes #oracle  #asp.net 
+Derrick Slopey thanks Derrick, very informative.
Watch this to learn about IS (Islamic State)...

#IS #ISIS #IslamicState #DaulahIslamiyah #Mujahidin
Hey guys, feel free to share your opinion by answering this simple question.

#Smartphone  #Android #iPhone #Apple #Google #Blackberry  #WindowsPhone
Android or iPhone? Share your pros and cons regarding this battle, why and why and why?
Basic Information
Looking for: Friends, A relationship, Networking
Tagline: Should I tell the whole world who I am?
Occupation: Sharepoint, .Net Programmer & System Administrator

+1's (things Muhd Hafiz Ahmad likes, agrees with, or wants to recommend):
How to Share Content on Whatsapp using jQuery
w3lessons.info

My readers keep on asking me that How to share information directly from the web page into WhatsApp? So I thought to write a simple tutorial

:-:-: Be patient with something you hate...-:-:: Fortress of Defence...
abimuhaimin.blogspot.com

Princess Catherine's makeup (on days off) - Some people seem to wear the same makeup wherever they go, but since you were born a woman, wouldn't you like to vary your makeup to suit the occasion and enjoy it in different ways? Even just changing the colours to match your clothes gives a different impression [...] 9 bula

Riyadh us Saliheen - Melayu
market.android.com

In the name of Allah, the Most Gracious, the Most Merciful. Alhamdulillah, we are pleased to release Riyad us Saliheen in Malay translation free for our Malay readers. The book was

Generate SQL Server Connection String - developer Fusion
www.developerfusion.com

Use our free online tool to generate your SQL Server connection string - and never have to remember the correct parameter name again.

Angry Birds Epic
market.android.com

NOTE: ART (the KitKat experimental runtime feature) is not currently supported by Angry Birds Epic! We hope to include ART support in future

Qotak
market.android.com

******************************************************************************************* This is ALPHA VERSION. Please give it a try and

Google engineer: We need more Web programming languages
www.pcworld.com

The creator behind Google Dart showed developers at QCon some other nascent Web development languages

Dual Boot Windows 7 and OS X Snow Leopard Using Chameleon ~ Songkar13
songkar13.blogspot.com

Using Chameleon as your bootloader, you can boot an unlimited number of operating systems on your PC. It is simple to use

Whatsapp Plus for Android Free Download (Latest Version)
www.crazytechsolutions.org

Blogging, Wordpress, SEO Tips, Make Money Online & more...

Britain needs 'national debate' about banning Muslim girls from wearing ...
www.telegraph.co.uk

Britain should consider banning Muslim girls and young women from wearing veils in schools and public places, a Home Office minister has sai

Navy has confirmed plane crashed into sea, says Vietnam media
my.news.yahoo.com

Malaysia Airlines said it has lost contact with a plane carrying 227 passengers and 12 crew on its way from Kuala Lumpur to Beijing.

The Deep Web, Browsing without a trace and Calyphrox Webproxy | Xenode S...
blog.xenodesystems.com

Disclaimer: The information shared here may contain sensitive data or material that may be considered unsuitable for readers of a given coun

Benelli BN 600 GT 2014 Live Eicma 2013
www.motoblog.it

Benelli gets ahead of the EICMA show in Milan and presents the new BN 600 GT 2014. Find out the details and features.

andrdcndy: Samsung Galaxy S (i9000) ROM List
alchemistar.blogspot.com

*Please proceed at your own risk* 1010. ROM: andrdcndy recommends CyanogenMod. ' (01/13/2014) Unofficial CyanogenMod 11 nightly (4.4.2). ' (

Find files with JavaScript
www.codeproject.com

Find files or directory in client or server site with JavaScript; Author: AFShin Dehghani; Updated: 26 Mar 2002; Section: Client side script

How I hacked 4 Unifi accounts in under 5 minutes
www.keithrozario.com

So I was wondering if I should publish this, but I guess I have to. If you’re one of the 500,000 Unifi subscribers in Malaysia, you need to

How to change your Unifi password
www.keithrozario.com

Now It’s quite clear from a previous post I did how about easy it was to hack a Unifi Dlink DIR-615 Wi-Fi router, that the least you should

Counter Strike Edisi Gerak Khas Malaysia
csgerakkhas.blogspot.com

COUNTER STRIKE EDISI GERAK KHAS MALAYSIA Internet Server :- XXX.XXX.XXX.XXX