mailing list archives
CAU-2008-0002: Microsoft Windows SharePoint Services Picture Source XSS
From: "I)ruid" <druid () caughq org>
Date: Tue, 08 Apr 2008 21:02:42 -0500
____ ____ __ __
/ \ / \ | | | |
----====####/ /\__\##/ /\ \##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======######\ \/ /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/
Computer Academic Underground
Advisory ID: CAU-2008-0002
Release Date: 04/08/2008
Title: Microsoft Windows SharePoint Services Picture Source XSS
Application/OS: Microsoft Windows SharePoint Services 2.0
Topic: A stored Cross Site Scripting (XSS) attack is possible
in Microsoft SharePoint Services 2.0 via picture object
source when adding a picture object to a page.
Vendor Status: Not Notified
Attributes: XSS, Web Service, Microsoft Tuesday
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0002.txt
Author/Email: OneIdBeagl3 <oneidbeagl3 (at) caughq.org>
A stored XSS vulnerability exists in Microsoft Windows SharePoint
Services 2.0 where a malicious user can bypass sanitization and inject
potentially steal credentials and takeover the browser or machine of any
user who views the page.
Microsoft Windows Share Point Services 2.0
The string below is not properly sanitized when the web page is saved
after adding a picture using the application's text editor:
The text between the script tags will be injected into the page upon
each successful edit and save operation, after the page is initially
saved. On initial testing, there did not appear to be a size limit for
double quotes when quotes are needed.
Solution & Recommendations
Unless editing web pages in SharePoint 2.0 is necessary, disable this
feature. If the feature is necessary, ensure users must authenticate to
a service before giving them the privilege to create or edit pages, and
only afford users the privileges if they need to create or edit pages.
This practice will help leave an audit trail to determine which account
was used to create a malicious web page if an incident takes place.
1) Log-in as a user that has enough privileges to create a web page.
2) In the web page on the top toolbar click on Create.
3) Under the 'Web Pages' section, click on 'Basic Page.'
4) Pick a web page name and click the create button.
5) In IE 7, an Edit Content Link appears in the upper right hand corner.
Click on it and it should open up a "Rich Text Editor -- Webpage
6) Add a picture to the page, and in the 'Picture Source' enter the
7) Save the content, and then click 'Edit Content' again and save it.
Credits & Gr33ts
CAU & HDM
druid () caughq org
Description: This is a digitally signed message part
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- CAU-2008-0002: Microsoft Windows SharePoint Services Picture Source XSS I)ruid (Apr 09)