Lucene search
K

Computer Academic Underground Advisory 2008.2

🗓️ 09 Apr 2008 00:00:00Reported by Computer Academic UndergroundType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

Stored XSS in SharePoint Services 2.0 allows javascript injection on web page

Code
` ____ ____ __ __  
/ \ / \ | | | |  
----====####/ /\__\##/ /\ \##| |##| |####====----  
| | | |__| | | | | |  
| | ___ | __ | | | | |  
------======######\ \/ /#| |##| |#| |##| |######======------  
\____/ |__| |__| \______/  
  
Computer Academic Underground  
http://www.caughq.org  
Security Advisory   
  
===============/========================================================  
Advisory ID: CAU-2008-0002  
Release Date: 04/08/2008  
Title: Microsoft Windows SharePoint Services Picture Source XSS  
Application/OS: Microsoft Windows SharePoint Services 2.0   
Topic: A stored Cross Site Scripting (XSS) attack is possible  
in Microsoft SharePoint Services 2.0 via picture object  
source when adding a picture object to a page.  
Vendor Status: Not Notified  
Attributes: XSS, Web Service, Microsoft Tuesday  
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0002.txt  
Author/Email: OneIdBeagl3 <oneidbeagl3 (at) caughq.org>  
===============/========================================================  
  
Overview  
========  
  
A stored XSS vulnerability exists in Microsoft Windows SharePoint  
Services 2.0 where a malicious user can bypass sanitization and inject   
javascript into a web page they are editing. Under normal circumstances,  
SharePoint does not permit users to include javascript in any submitted  
content.  
  
  
Impact  
======  
  
If javascript is enabled in a user's browser, when the user views the  
page, the javascript will be executed. As a result, an attacker could  
potentially steal credentials and takeover the browser or machine of any  
user who views the page.   
  
  
Affected Systems  
================  
  
Microsoft Windows Share Point Services 2.0  
  
  
Technical Explanation  
=====================  
  
The string below is not properly sanitized when the web page is saved  
after adding a picture using the application's text editor:  
  
"""></P></div></td><script>alert("bingo");</script>  
  
The text between the script tags will be injected into the page upon  
each successful edit and save operation, after the page is initially  
saved. On initial testing, there did not appear to be a size limit for  
javascript text that could be injected. The string must also use all  
double quotes when quotes are needed.  
  
  
Solution & Recommendations  
==========================  
  
Unless editing web pages in SharePoint 2.0 is necessary, disable this  
feature. If the feature is necessary, ensure users must authenticate to  
a service before giving them the privilege to create or edit pages, and  
only afford users the privileges if they need to create or edit pages.  
This practice will help leave an audit trail to determine which account  
was used to create a malicious web page if an incident takes place.  
  
  
Exploitation  
============  
  
===============/========================================================  
Steps to inject the javascript attack:  
  
1) Log-in as a user that has enough privileges to create a web page.  
  
2) In the web page on the top toolbar click on Create.  
  
3) Under the 'Web Pages' section, click on 'Basic Page.'  
  
4) Pick a web page name and click the create button.  
  
5) In IE 7, an Edit Content Link appears in the upper right hand corner.  
Click on it and it should open up a "Rich Text Editor -- Webpage  
Dialog" window.  
  
6) Add a picture to the page, and in the 'Picture Source' enter the  
following:  
  
"""></P></div></td><script>[your javascript here]</script>  
  
7) Save the content, and then click 'Edit Content' again and save it.  
Now the javascript is embedded in the page. Also, each time the page  
is edited and saved, the javascript is duplicated in the page.  
  
  
Credits & Gr33ts  
================  
  
CAU & HDM  
  
  
--   
I)ruid, C²ISSP  
[email protected]  
http://druid.caughq.org  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

09 Apr 2008 00:00Current
0.4Low risk
Vulners AI Score0.4
23