Serious XSS flaw haunts Microsoft SharePoint

Summary: The vulnerability, which can be exploited via the browser, could allow a malicious hacker to execute arbitrary JavaScript code within the vulnerable application.


Microsoft's security response team has confirmed the existence of a serious cross-site scripting (XSS) vulnerability in the Microsoft SharePoint Server 2007 product.

The vulnerability, which can be exploited via the browser, could allow a malicious hacker to execute arbitrary JavaScript code within the vulnerable application.  A proof-of-concept exploit has been publicly posted and Microsoft is expected to issue a formal security advisory before the end of this week to offer pre-patch workaround and mitigations.

Here's the skinny on the flaw from an alert posted to the Full Disclosure mailing list:

The vulnerability exists due to failure in the "/_layouts/help.aspx" script to properly sanitize user-supplied input in "cid0" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability.
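The alert describes a reflected XSS pattern: a page echoes a query-string parameter into its HTML without output encoding. The following is an added example, not SharePoint's or Microsoft's code, that models that pattern with a hypothetical help page, shows the hardened version beside it, and runs a simple check over constructed request-log lines to flag the kind of input a defender would want to see in their logs. Only the page name help.aspx and the parameter name cid0 come from the alert; the handler functions, the HTML template and the log lines are assumptions made for this example.

```python
"""
Added example (not SharePoint's or Microsoft's code): a minimal model of the
reflected XSS pattern the alert describes, alongside the hardened version and
a log check a defender might run. The page name help.aspx and the parameter
name cid0 come from the alert; everything else here is constructed.
"""
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical template: the cid0 value is placed in an HTML text context.
TEMPLATE = "<html><body><h1>Help</h1><div id='topic'>{cid0}</div></body></html>"


def render_help_vulnerable(cid0: str) -> str:
    """Reflects the parameter verbatim: any markup in cid0 becomes part of the page.
    This mirrors the defect class in the alert; it is not SharePoint's actual code."""
    return TEMPLATE.format(cid0=cid0)


def render_help_hardened(cid0: str) -> str:
    """Encodes the parameter for an HTML text context before reflecting it.
    quote=True also encodes ' and ", so the value cannot break out of an
    attribute if the template is later changed to use one."""
    return TEMPLATE.format(cid0=html.escape(cid0, quote=True))


# Constructed sample request-log lines (not real SharePoint or IIS logs).
SAMPLE_LOG = """\
2010-04-29 10:01:02 GET /_layouts/help.aspx?cid0=MS.WSS.manifest.xml 200
2010-04-29 10:01:09 GET /_layouts/help.aspx?cid0=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2010-04-29 10:01:15 GET /default.aspx 200
"""

# Markers that have no business in a help-topic identifier.
SUSPICIOUS = ("<", ">", '"', "'", "javascript:")


def suspicious_help_requests(log_text: str) -> list[str]:
    """Return the decoded cid0 values of help.aspx requests that contain
    HTML or script metacharacters. Lines that are not GET requests or that
    do not target help.aspx are ignored."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":
            continue
        url = urlsplit(parts[3])
        if not url.path.endswith("/_layouts/help.aspx"):
            continue
        for value in parse_qs(url.query).get("cid0", []):
            # parse_qs already URL-decoded once; a second pass catches
            # double-encoded values before the marker check.
            decoded = unquote(value)
            if any(marker in decoded.lower() for marker in SUSPICIOUS):
                hits.append(decoded)
    return hits


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("vulnerable:", render_help_vulnerable(probe))
    print("hardened:  ", render_help_hardened(probe))
    print("flagged:   ", suspicious_help_requests(SAMPLE_LOG))
```

The hardened renderer is the actual fix for this defect class: encode for the context the value lands in (here, HTML text) rather than trying to strip "bad" characters on input. The log check is a coarse triage aid only; it shows which requests carried markup in the parameter, which is what an incident responder would want to pull while waiting for the vendor's patch.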

On Twitter, Microsoft said it was aware of the issue and promised to issue guidance for affected customers:

This isn't Microsoft SharePoint's first brush with XSS security problems.  Back in 2007, the company shipped an "important" security patch to fix a flaw that allowed attackers to run arbitrary script that could result in elevation of privilege within a SharePoint site.

  • maybe now the Linux

    zealots will agree that XSS is a server side
    • No

      you see SharePoint is still a Microsoft Product so they will have a field day with this one. Only if it is a Linux Server will they make up crap to try and fulfill their belief that anything Linux is secure by design.
      • It IS a Microsoft vulnerability

        only not a server vulnerability.

        While in those other cases you mention Linux and Apache have got absolutely nothing to do with the vulnerability, they merely provide the platform, in this case Microsoft is 100% responsible for the vulnerability.
        Great Kahuna
        • Javascript blows security holes everywhere

          It's inherently a zero-security, disastrous language for developing web apps. This whole JS/XSS/CSS thing should be replaced with sth new or it will keep going on like this.
          • You are very unwise in writing about stuff you don't understand

            I suggest you buy a few books to get started. Those in the "for dummies" collection are good choices for people with your current skill set.
            Great Kahuna
          • And saying that someone is wrong without saying how makes you a genius?

            LBiege is right. JavaScript like Microsoft is an example of what goes wrong when you try to be all things to all people.

            When Netscape created JavaScript, they took the easy way (but they claimed to try to be universal to coders of different languages) and hacked together pieces (syntax) from different languages instead of originating a new language.

            To expound on what I think LBiege is saying, the more dynamic (more work left to the compiler) a language is, the easier it is to code and the less prone to error on the part of the coder. It would stand to reason also that the more basic a language is, the easier it would be to find the fewer vulnerabilities.

            Since JavaScript is a cobble of different languages it is far more complex than it needs to be. Python, Ruby, and even PHP are far better suited. But, who's going to turn the Titanic around at this point?
      • Get ready for another round of grand linux trolling

        Wait, they are already here faster than you can 'troll'. Never mind.
      • Yes, it's a Microsoft product, thus; problems in it are Microsoft's fault.

        Nothing to do with Windows vs Linux.
    • Nope!

      It's a web application vulnerability.

      The server has got nothing to do with it.
      Great Kahuna
      • Try reading my post again

        and, please, try to figure out what server side means.

        When Apache's JIRA app was compromised through an XSS vuln you claimed it was an Internet Explorer vulnerability.
        • Yes, most probably some vulnerability in MSIE was exploited...

          to steal the admin cookies/credentials.

          Remember what happened with the Google China attack from December 2009? An MSIE 6 vulnerability was the cause of it all.
          Great Kahuna
    • I think you misunderstand the argument...

      An XSS flaw in a web app has no more to do with
      Linux than this XSS flaw in Sharepoint has to do
      with Windows. The argument is that its not a flaw
      in the SERVER. I mean why bother...we all know
      better and its just fun and games anyway. Which
      leads me to the post I'm about to make...
    • XSS attacks are server side*.. at the application, not OS, level.

      This isn't a problem in Windows or IIS, but rather a problem in Microsoft SharePoint.

      Just like the WordPress one wasn't a problem in Linux or Apache, but rather WordPress.

      *except in the case of IE, which is such a horrible client it manages to make XSS attacks easier in its attempt to block them.
  • Good thing nobody uses Sharepiss anyway nt

    • Re

      Are you sure about that?

      "Microsoft sold 75 million through the end of 2005
      and 25 million more in the last two years"
      • How many of those came bundled with Windows Pro/Ultimate?

        • Sharepoint is a separate $$ item

          It is sold. It generates over a Billion dollars a year for MS
          Johnny Vegas
        • Try commenting on a topic you know about

          It is obviously not Sharepoint.

          Sharepoint is a content management and collaboration server. You cannot get it with Pro/Ultimate.

          Sharepoint is a kick-ass product (for users)
          which sees tremendous success in enterprises
          because of its ease of use and (almost) first
          class integration with Office.

          Suggesting that it was bundled with a client OS
          is, well, revealing.
        • Re:

          Short answer, NONE.
    • Are you stupid?

      or was that just a humor=EPICFAIL on your part?
      Sharepoint is used by about 100 million people every day.
      Johnny Vegas