Hacktics Research Group Security Advisory
By Irene Abezgauz, Hacktics.
During a penetration test performed by Hacktics' experts, a persistent
cross-site scripting vulnerability was identified in the SharePoint document
handling module. This vulnerability allows attackers to take control of
valid user accounts, perform operations on their behalf, redirect them to
malicious sites, steal their credentials, and more.
A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available at:
II. The Finding
The Documents module of the SharePoint server allows attackers to inject
malicious scripts into dynamically generated web content by uploading files.
These scripts are executed in the browser of any user viewing the infected
content (persistent cross-site scripting).
Further research and correspondence with the Microsoft Security Response
Center established that this vulnerability is partially mentioned in
CVE-2008-5026. However, since that CVE covers it only partially, there is no
Bugtraq record for it, and no fix exists (so it remains valid on most
SharePoint deployments), we have decided to release this to the list.
The Documents module is vulnerable to persistent cross-site scripting:
an attacker can embed malicious script in a file and upload it. When any
user accesses the uploaded file, it is displayed directly in their browser
(rather than being downloaded to the computer), and the
malicious script will be executed in the context of the vulnerable
This vulnerability can obviously be exploited with HTML files (as noted in
CVE-2008-5026), but it can also be exploited with any other file type that
the browser parses as HTML. In our testing we were able to reproduce it with
uploaded TXT files as well.
An attacker can embed a malicious script (for example
<script>alert("XSS")</script>) in a document uploaded to the SharePoint site.
When any other user (an administrator or a regular user who views documents
in the system) opens the file, the malicious script is executed in their
browser.
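To make the exploitable condition concrete, the following Python is an added example, not code from this advisory or from Microsoft: it models the decision a browser makes when an uploaded file is fetched back from a document library, based on the response headers. Whether a file is "displayed directly in the browser" comes down to two things: no Content-Disposition: attachment, and a Content-Type the browser either renders as HTML or, for the Internet Explorer versions of the SharePoint 2007 era, can content-sniff up to HTML (which is how a TXT upload becomes XSS). The header sets, the list of sniffable types and the "hardened" variant are constructed assumptions for illustration; a real check would capture the headers of an actual upload served by the library.

```python
"""Classify how a browser treats a file served from a document library.

Added example for this advisory; it is not Hacktics' or Microsoft's code.
It models the condition the advisory describes: an uploaded file is sent
inline (no Content-Disposition: attachment) with a type the browser will
parse as HTML, so any script it contains runs in the SharePoint site's
origin. The header sets below are constructed, not captured from a server.
"""
from dataclasses import dataclass

# Types browsers render as a document and execute script from when inline.
RENDERED_AS_HTML = {"text/html", "application/xhtml+xml"}

# Types that browsers of the SharePoint 2007 era (Internet Explorer 6/7/8)
# could content-sniff up to HTML unless the response carried
# "X-Content-Type-Options: nosniff". This is how a TXT upload becomes XSS.
# Assumption: a deliberately short list for illustration.
SNIFFABLE = {"text/plain", "application/octet-stream", ""}


@dataclass
class Verdict:
    inline: bool      # rendered in the browser rather than downloaded
    scriptable: bool  # embedded <script> would run in the site's origin
    reason: str


def header(headers, name):
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def classify(headers):
    """Decide whether a response for an uploaded file is exploitable for stored XSS."""
    disposition = header(headers, "Content-Disposition").lower()
    content_type = header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = header(headers, "X-Content-Type-Options").lower() == "nosniff"

    if disposition.startswith("attachment"):
        return Verdict(False, False, "Content-Disposition: attachment forces a download")
    if content_type in RENDERED_AS_HTML:
        return Verdict(True, True, f"{content_type} rendered inline: stored XSS if user-supplied")
    if content_type in SNIFFABLE and not nosniff:
        return Verdict(True, True,
                       f"{content_type or 'missing Content-Type'} inline without nosniff: sniffable to HTML")
    return Verdict(True, False, f"{content_type} rendered inline, not as an HTML document")


# Constructed responses for the same two uploads, before and after hardening.
CONSTRUCTED_RESPONSES = {
    "evil.html": {"Content-Type": "text/html; charset=utf-8"},
    "evil.txt": {"Content-Type": "text/plain"},
    "evil.html-hardened": {
        "Content-Type": "text/html",
        "Content-Disposition": 'attachment; filename="evil.html"',
        "X-Content-Type-Options": "nosniff",
    },
    "evil.txt-nosniff": {"Content-Type": "text/plain",
                         "X-Content-Type-Options": "nosniff"},
}


def audit(responses):
    """Return the names of uploads whose response would let embedded script run."""
    return sorted(name for name, hdrs in responses.items() if classify(hdrs).scriptable)


if __name__ == "__main__":
    for name, hdrs in CONSTRUCTED_RESPONSES.items():
        print(f"{name:20} {classify(hdrs).reason}")
    print("exploitable:", audit(CONSTRUCTED_RESPONSES))
```

Run directly, it prints a verdict per constructed response and lists the two unhardened uploads as exploitable. Against a live library, fetch an uploaded test file with the browser's developer tools or a proxy and feed the observed headers to classify(); note that text/plain with nosniff is reported as safe only for browsers that honour that header.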
V. Vendor Response
We have contacted the Microsoft Security Response Team on 13-Dec-2009.
Microsoft's response was that this is a known issue, and is considered a
low-impact vulnerability by Microsoft for the following reasons:
1. Authentication and the ability to write to the SharePoint site are
required to exploit this scenario.
2. Significant workarounds exist that allow SharePoint server configurations
to be isolated from cross domain exploitation.
3. SharePoint administrators can restrict the uploading of files to
Hacktics' research team has reviewed this response and has certain
reservations about it. Having users authenticate and upload documents is
the inherent functionality of SharePoint. Many organizations have built
complex environments on top of this functionality, with a
need for strict authorization separation which is easily circumvented using
Moreover, although the proposed workaround does reduce the risk of this
vulnerability, it requires a rather complex configuration to set up and
maintain, especially in internet-facing environments. Such a solution may
not be easily adopted by most SharePoint administrators.
Finally, restricting file uploads may indeed provide a solution, but may
very well not be acceptable to the system's users.
It is important to note that despite this response, Microsoft has fixed this
problem entirely in SharePoint 2010.
There is currently no fix for the problem, and Microsoft has no plan to
release one for SharePoint 2007. Once SharePoint 2010 is officially
released, this can be resolved by upgrading to SharePoint 2010.
Nonetheless, where this poses a security risk, Microsoft suggests a
workaround: build the SharePoint site with a separate host name for each
site collection, as described in:
As already mentioned, this may involve complex configuration and
maintenance, and does not fully address the risk. It is therefore
recommended that uploading of HTML files, as well as any text-type files,
be disabled in the SharePoint configuration.
VII. Affected Systems
Microsoft Office SharePoint Server 2007.
The vulnerability was discovered by Irene Abezgauz, Hacktics Ltd.
Chairman, OWASP Israel
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/