Microsoft issues warning about XSS hole in SharePoint
The recently announced breach of the Apache Software Foundation's servers shows that XSS holes should not be taken lightly. That narrowly targeted attack began with an XSS vulnerability, and even experienced administrators clicked on the poisoned links.
The cause of the current problem in SharePoint is insufficient filtering of the cid0 parameter in the script /_layouts/help.aspx, which can be misused for reflected XSS.
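As an added example (not code from the article or from Microsoft), the following scans IIS W3C log lines for requests to /_layouts/help.aspx whose cid0 value does not look like a plain help-collection identifier; the log excerpt is constructed, and the field layout and the benign-value pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt (not from the article); the cid0 values are
# assumptions, not real SharePoint help-collection IDs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-04-29 10:01:02 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml 10.0.0.5 200
2010-04-29 10:01:09 GET /_layouts/help.aspx cid0=%3Cscript%3Ealert(1)%3C/script%3E 10.0.0.9 200
2010-04-29 10:02:15 GET /_layouts/default.aspx - 10.0.0.5 200
2010-04-29 10:03:30 GET /_layouts/Help.aspx cid0=x%22+onmouseover%3Dalert(1)+%22 10.0.0.9 200
"""

# Assumption: a benign help-collection ID is a dotted alphanumeric token.
BENIGN_CID0 = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_fields(log_text):
    """Yield one dict per data line, using the #Fields directive for column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_help_requests(log_text):
    """Return (client IP, decoded cid0) for help.aspx requests with a non-benign cid0."""
    hits = []
    for row in parse_fields(log_text):
        # Match the script name case-insensitively (IIS paths are case-insensitive).
        if row.get("cs-uri-stem", "").lower() != "/_layouts/help.aspx":
            continue
        # parse_qs decodes percent-encoding and '+' once; an empty query is logged as '-'.
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for value in query.get("cid0", []):
            value = unquote(value)  # a second pass catches double-encoded values
            if not BENIGN_CID0.match(value):
                hits.append((row.get("c-ip", "?"), value))
    return hits


if __name__ == "__main__":
    for ip, cid0 in suspicious_help_requests(SAMPLE_LOG):
        print(f"{ip} requested help.aspx with cid0={cid0!r}")
```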
SharePoint Server 2007 and SharePoint Services 3.0 are affected.
SharePoint Services 2.0, SharePoint Portal Server 2001, SharePoint Portal Server 2003 Service Pack 3 and SharePoint Server 2010 are not.
According to Microsoft, the problem does not occur with Internet Explorer 8 because its XSS Filter detects and prevents the attack. Until a patch has been provided, Microsoft recommends preventing access to the flawed script by executing the following commands on the SharePoint server:
cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
The server then no longer offers any help functions. The change can be reversed once a patch has been installed. For instructions, see Microsoft's advisory.
- XSS in Microsoft SharePoint Server 2007, security advisory from High-Tech Bridge.
- Apache's Atlassian JIRA system compromised, a report from The H.