Microsoft to patch serious SharePoint XSS flaw

The company is investigating a bug in the content management software that security researchers warned could expose sensitive data and credentials
Written by Tom Espiner, Contributor

Microsoft is looking into releasing a patch for a serious cross-site scripting flaw in SharePoint 2007 that a security company has warned could expose sensitive data.

It is investigating a report that says, by exploiting the XSS vulnerability, an attacker may be able to run a script to gain user rights on a site built using SharePoint. In addition, the intruder could run commands against the SharePoint server, the company said in a security bulletin on Thursday.

The security risk could affect Microsoft Windows SharePoint Services 3.0 as well as Microsoft Office SharePoint Server 2007, according to the bulletin. SharePoint is content management software that businesses can use to build portals where people can access shared databases and documents.

High-Tech Bridge, which found the issue, warned it could allow an attacker to execute JavaScript code in SharePoint Server 2007. The security and penetration testing company notified Microsoft about the flaw on 12 April, according to an advisory it released on Wednesday on the Full Disclosure mailing list.

The vulnerability could let an intruder compromise SharePoint, steal cookie-based authentication credentials and disclose or modify sensitive data, High-Tech Bridge added. It said the problem exists in the failure of a help script to fully sanitise input in the 'cid0' variable.

Microsoft said it does not expect the flaw will enable an attacker to gain control of workstations or servers.

The software maker added that it will release a patch as soon as it has one of sufficient quality for wide distribution. In the meantime, it said administrators can mitigate the issue by applying an access control list to restrict access to SharePoint Help.aspx. This action restricts help, according to the security bulletin.

In a blog post on Thursday, Microsoft urged customers to monitor the websites of security and technology vendors that are part of the Microsoft Active Protections Program (Mapp), as these may be able to provide updates to fix the issue. Microsoft provides Mapp vendors with vulnerability information ahead of releasing patches.

Microsoft warned of a SharePoint bug in 2009 in a service pack update for the product.
