In association with heise online

30 April 2010, 14:56

Microsoft issues warning about XSS hole in SharePoint

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Microsoft Logo Microsoft‘s SharePoint products have a cross-site scripting (XSS) vulnerability that attackers can use to execute their own JavaScript code in a victim's browser in the context of the server. Attackers can then read out the authentication cookie, manipulate the user's account and access confidential data. Users must click on a manipulated link for the attack to succeed .

The recently announced breach in the Apache Software Foundation's server shows that XSS holes should not be taken lightly. That narrowly targeted attack began with an XSS vulnerability and even experienced administrators had clicked on the poisoned links.

The cause of the current problem in SharePoint is insufficient filtering of the cid0 variable in the script /_layouts/help.aspx, which can be misused for reflective XSS.

SharePoint Server 2007 and SharePoint Services 3.0 are affected.

SharePoint Services 2.0, SharePoint Portal Server 2001, SharePoint Portal Server 2003 Service Pack 3 and SharePoint Server 2010 are not.

According to Microsoft, the problem does not occur with Internet Explorer 8 because its XSS detects and prevents the attack. Until a patch has been provided, Microsoft recommends preventing access to the flawed script by executing the following commands on the SharePoint server:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

The server then no longer offers any help functions. The change can be reversed once a patch has been installed. For instructions, see Microsoft's advisory.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-990812
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit