Description
CVE(CAN) ID: CVE-2012-2520
Microsoft是一家总部位于美国的跨国电脑科技公司,以研发、制造、授权和提供广泛的电脑软件及服务为主要业务。
Microsoft多个产品所使用的HTML过滤组件未能正确过滤某些输入,便将其返回给用户。成功利用此漏洞的攻击者可实施跨站脚本攻击,并以当前用户的权限运行脚本,即脚本在受影响站点的上下文中、于该用户的浏览器会话内执行。
0
Microsoft SharePoint Server 2007
Microsoft Office Web Apps
Microsoft Groove Server 2010
Microsoft Lync 2010
Microsoft Office Communicator 2007
Microsoft InfoPath 2010
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS12-066)以及相应补丁:
MS12-066:Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
链接:http://www.microsoft.com/technet/security/bulletin/MS12-066.asp
Related
{"sourceData": "", "status": "details", "description": "CVE(CAN) ID: CVE-2012-2520\r\n\r\nMicrosoft\u662f\u4e00\u5bb6\u57fa\u4e8e\u7f8e\u56fd\u7684\u8de8\u56fd\u7535\u8111\u79d1\u6280\u516c\u53f8\u3002\u4ee5\u7814\u53d1\u3001\u5236\u9020\u3001\u6388\u6743\u548c\u63d0\u4f9b\u5e7f\u6cdb\u7684\u7535\u8111\u8f6f\u4ef6\u670d\u52a1\u4e1a\u52a1\u4e3a\u4e3b\u3002\r\n\r\nMicrosoft\u591a\u4e2a\u4ea7\u54c1\u5728HTML\u8fc7\u6ee4\u7ec4\u4ef6\u5185\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\u67d0\u4e9b\u8f93\u5165\u5373\u8fd4\u7ed9\u7528\u6237\u4f7f\u7528\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u5e76\u4ee5\u5f53\u524d\u7528\u6237\u6743\u9650\u8fd0\u884c\u811a\u672c\u3002\n0\nMicrosoft SharePoint Server 2007\r\nMicrosoft Office Web Apps\r\nMicrosoft Groove Server 2010\r\nMicrosoft Lync 2010\r\nMicrosoft Office Communicator 2007\r\nMicrosoft InfoPath 2010\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS12-066\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nMS12-066\uff1aVulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS12-066.asp", "sourceHref": "", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-60430", "type": "seebug", "viewCount": 7, "references": [], "lastseen": "2017-11-19T17:49:09", "published": "2012-10-11T00:00:00", "cvelist": ["CVE-2012-2520"], "id": "SSV:60430", "enchantments_done": [], "modified": "2012-10-11T00:00:00", "title": "Microsoft\u591a\u4e2a\u4ea7\u54c1HTML\u8fc7\u6ee4\u7ec4\u4ef6\u8de8\u7ad9\u811a\u672c\u6267\u884c\u6f0f\u6d1e\uff08MS12-066\uff09", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": -0.5, "vector": "NONE"}, 
"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-2520"]}, {"type": "nessus", "idList": ["SMB_NT_MS12-066.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902927"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12625"]}, {"type": "seebug", "idList": ["SSV:60431"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2012-2520"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902927"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12625"]}, {"type": "seebug", "idList": ["SSV:60431"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2012-2520", "epss": "0.099330000", "percentile": "0.938890000", "modified": "2023-03-14"}], "vulnersScore": -0.5}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659709850, "epss": 1678850553}}
{"nessus": [{"lastseen": "2023-01-11T14:32:09", "description": "The version of Microsoft InfoPath, Communicator, Lync, SharePoint Server, Groove Server, and/or Office Web Apps installed on the remote host is potentially affected by a privilege escalation vulnerability due to the way HTML strings are sanitized.", "cvss3": {}, "published": "2012-10-10T00:00:00", "type": "nessus", "title": "MS12-066: Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2520"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:microsoft:groove", "cpe:/a:microsoft:infopath", "cpe:/a:microsoft:lync", "cpe:/a:microsoft:office_web_apps", "cpe:/a:microsoft:sharepoint_server", "cpe:/a:microsoft:sharepoint_services", "cpe:/a:microsoft:sharepoint_foundation"], "id": "SMB_NT_MS12-066.NASL", "href": "https://www.tenable.com/plugins/nessus/62461", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62461);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-2520\");\n script_bugtraq_id(55797);\n script_xref(name:\"MSFT\", value:\"MS12-066\");\n script_xref(name:\"MSKB\", value:\"2589280\");\n script_xref(name:\"MSKB\", value:\"2687356\");\n script_xref(name:\"MSKB\", value:\"2687401\");\n script_xref(name:\"MSKB\", value:\"2687402\");\n script_xref(name:\"MSKB\", value:\"2687405\");\n script_xref(name:\"MSKB\", 
value:\"2687417\");\n script_xref(name:\"MSKB\", value:\"2687434\");\n script_xref(name:\"MSKB\", value:\"2687435\");\n script_xref(name:\"MSKB\", value:\"2687436\");\n script_xref(name:\"MSKB\", value:\"2687439\");\n script_xref(name:\"MSKB\", value:\"2687440\");\n script_xref(name:\"MSKB\", value:\"2726382\");\n script_xref(name:\"MSKB\", value:\"2726384\");\n script_xref(name:\"MSKB\", value:\"2726388\");\n script_xref(name:\"MSKB\", value:\"2726391\");\n\n script_name(english:\"MS12-066: Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)\");\n script_summary(english:\"Checks installed versions of various Microsoft applications.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a privilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft InfoPath, Communicator, Lync, SharePoint\nServer, Groove Server, and/or Office Web Apps installed on the remote\nhost is potentially affected by a privilege escalation vulnerability\ndue to the way HTML strings are sanitized.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-066\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for InfoPath 2007, InfoPath\n2010, Communicator 2007 R2, Lync 2010, Lync 2010 Attendee, SharePoint\nServer 2007, SharePoint Server 2010, Groove Server 2010, SharePoint\nServices 3.0, SharePoint Foundation 2010, and Office Web Apps 2010.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/10/09\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:groove\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:infopath\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_services\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_foundation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin, vuln;\n\nfunction get_user_dirs()\n{\n local_var appdir, dirpat, domain, hklm, iter, lcpath, login, pass;\n local_var path, paths, pdir, port, rc, root, share, user, ver;\n\n paths = make_list();\n\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n pdir = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory\");\n if (pdir && stridx(tolower(pdir), 
\"%systemdrive%\") == 0)\n {\n root = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot\");\n if (!isnull(root))\n {\n share = hotfix_path2share(path:root);\n pdir = share - '$' + ':' + substr(pdir, strlen(\"%systemdrive%\"));\n }\n }\n RegCloseKey(handle:hklm);\n close_registry(close:FALSE);\n\n if (!pdir)\n return NULL;\n\n ver = get_kb_item_or_exit(\"SMB/WindowsVersion\");\n\n share = hotfix_path2share(path:pdir);\n dirpat = ereg_replace(string:pdir, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\*\");\n\n port = kb_smb_transport();\n if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel(close:FALSE);\n return NULL;\n }\n\n # 2000 / XP / 2003\n if (ver < 6)\n appdir += \"\\Local Settings\\Application Data\";\n # Vista / 7 / 2008\n else\n appdir += \"\\AppData\\Local\";\n\n paths = make_array();\n iter = FindFirstFile(pattern:dirpat);\n while (!isnull(iter[1]))\n {\n user = iter[1];\n iter = FindNextFile(handle:iter);\n\n if (user == \".\" || user == \"..\")\n continue;\n\n path = pdir + '\\\\' + user + appdir;\n\n lcpath = tolower(path);\n if (isnull(paths[lcpath]))\n paths[lcpath] = path;\n }\n\n NetUseDel(close:FALSE);\n\n return paths;\n}\n\nfunction get_ver()\n{\n local_var fh, path, rc, share, ver;\n\n path = _FCT_ANON_ARGS[0];\n\n share = hotfix_path2share(path:path);\n\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n ver = NULL;\n path = ereg_replace(string:path, pattern:\"^[A-Za-z]:(.*)\", replace:'\\\\1\\\\');\n\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n ver = 
join(ver, sep:\".\");\n CloseFile(handle:fh);\n }\n\n NetUseDel(close:FALSE);\n\n return ver;\n}\n\nfunction check_vuln(fix, kb, name, path, ver, min_ver)\n{\n local_var info;\n\n if (isnull(ver))\n ver = get_ver(path);\n\n if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n return 0;\n\n # If min_ver is supplied, make sure the version is higher than the min_ver\n if (min_ver && ver_compare(ver:ver, fix:min_ver, strict:FALSE) == -1)\n return 0;\n\n info =\n '\\n Product : ' + name +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix + '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n\n vuln = TRUE;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\nbulletin = 'MS12-066';\nkbs = make_list(\n '2589280', '2687401', '2687402', '2687356',\n '2687405', '2687434', '2687435', '2687417',\n '2687436', '2687439', '2687440', '2726391',\n '2726382', '2726384', '2726388');\n\nif (get_kb_item(\"Host/patch_management_checks\"))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Connect to the registry\nuserpaths = get_user_dirs();\narch = get_kb_item_or_exit(\"SMB/ARCH\", exit_code:1);\nif (arch == \"x64\")\n extra = \"\\Wow6432Node\";\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Get the path information for SharePoint Server 2007\nsps_2007_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\12.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Server 2010\nsps_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\InstallPath\"\n);\n\ncommonprogramfiles = hotfix_get_commonfilesdir();\nif (!commonprogramfiles)\n{\n RegCloseKey(handle:hklm);\n close_registry();\n audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files');\n}\n\n# Get the path information 
for SharePoint Services orSharePoint Foundation 2010\nforeach ver (make_list(\"12.0\", \"14.0\"))\n{\n spf_2010_path = get_registry_value(\n handle : hklm,\n item : 'SOFTWARE\\\\Microsoft\\\\Shared Tools\\\\Web Server Extensions\\\\' + ver + \"\\Location\"\n );\n\n if (spf_2010_path)\n break;\n}\n\n# Get the path information for Groove Server 2010\ngs_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\Groove\\Groove Relay\\Parameters\\InstallDir\"\n);\n\n\n# Get the path information for Office Web Apps\nowa_2010_path = sps_2010_path;\n\n# Get the path information for Microsoft Communicator 2007 R2\nmscomm_path = get_registry_value(\n handle : hklm,\n item : 'SOFTWARE\\\\Microsoft\\\\Communicator\\\\InstallationDirectory'\n);\n\n# Get the path information for Microsoft Lync 2010\nlync_path = get_registry_value(\n handle : hklm,\n item : 'SOFTWARE'+extra+'\\\\Microsoft\\\\Communicator\\\\InstallationDirectory'\n);\n\n# Get the path information for Microsoft Lync 2010 Attendant Admin-level install\nlync_att_admin_path = get_registry_value(\n handle : hklm,\n item : 'SOFTWARE\\\\Microsoft\\\\AttendeeCommunicator\\\\InstallationDirectory'\n);\n\n# Close connection to registry\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n\n# Get the path and version information for InfoPath\nip_installs = get_kb_list(\"SMB/Office/InfoPath/*/ProductPath\");\nif (!isnull(ip_installs))\n{\n foreach install (keys(ip_installs))\n {\n ip_ver = install - 'SMB/Office/InfoPath/' - '/ProductPath';\n ip_path = ip_installs[install];\n\n if (ip_path)\n ip_path = ereg_replace(string:ip_path, pattern:\"^(.*)(\\\\[^\\\\]+)$\", replace:\"\\1\");\n\n ##############################################################\n # InfoPath 2007 SP2 / SP3\n #\n # [KB2687439] INFOPATH.EXE - 12.0.6662.5004\n # [KB2687440] IPEDITOR.DLL - 12.0.6662.5004\n ##############################################################\n if (ip_ver =~ '^12\\\\.')\n {\n name = 
\"InfoPath 2007\";\n\n check_vuln(\n name : name,\n kb : \"2687439\",\n path : ip_path + \"\\Infopath.exe\",\n fix : \"12.0.6662.5004\"\n );\n\n check_vuln(\n name : name,\n kb : \"2687440\",\n path : ip_path + \"\\Ipeditor.dll\",\n fix : \"12.0.6662.5004\"\n );\n }\n\n ##############################################################\n # InfoPath 2010 SP1\n #\n # [KB2687417] IPEDITOR.DLL - 14.0.6126.5000\n # [KB2687436] INFOPATH.EXE - 14.0.6123.5006\n ##############################################################\n if (ip_ver =~ '14\\\\.')\n {\n name = \"InfoPath 2010\";\n\n check_vuln(\n name : name,\n kb : \"2687439\",\n path : ip_path + \"\\Infopath.exe\",\n fix : \"14.0.6123.5006\"\n );\n\n check_vuln(\n name : name,\n kb : \"2687417\",\n path : ip_path + \"\\Ipeditor.dll\",\n fix : \"14.0.6126.5000\"\n );\n }\n }\n}\n\n#############################################################\n# Microsoft Communicator 2007 R2\n#\n# [KB2726391] COMMUNICATOR.EXE - 3.5.6907.261\n#############################################################\nif (mscomm_path)\n{\n name = \"Microsoft Communicator 2007 R2\";\n check_vuln(\n name : name,\n kb : \"2726391\",\n path : mscomm_path + \"\\Communicator.exe\",\n min_ver : \"3.5.0.0\",\n fix : \"3.5.6907.261\"\n );\n}\n\n#############################################################\n# Microsoft Lync 2010\n#\n# [KB2726382] COMMUNICATOR.EXE - 4.0.7577.4109\n#############################################################\nif (lync_path)\n{\n name = \"Microsoft Lync 2010\";\n check_vuln(\n name : name,\n kb : \"2726382\",\n path : lync_path + \"\\Communicator.exe\",\n min_ver : \"4.0.0.0\",\n fix : \"4.0.7577.4109\"\n );\n}\n\n#############################################################\n# Microsoft Lync 2010 Attendee (admin level install)\n#\n# [KB2726388] - MeetingJoinAxAOC.DLL - 4.0.7577.4109\n#############################################################\nif (lync_att_admin_path)\n{\n name = \"Microsoft Lync 2010 Attendee (admin-level 
install)\";\n check_vuln(\n name : name,\n kb : \"2726388\",\n path : lync_att_admin_path + \"\\MeetingJoinAxAOC.DLL\",\n min_ver : \"4.0.0.0\",\n fix : \"4.0.7577.4109\"\n );\n}\n\n#############################################################\n# Microsoft Lync 2010 Attendee (user level install)\n#\n# [KB2726384] - MeetingJoinAxAOC.DLL\n#############################################################\nif (max_index(keys(userpaths)) > 0)\n{\n foreach userdir (keys(userpaths))\n {\n name = \"Microsoft Lync 2010 Attendee (user-level install)\";\n check_vuln(\n name : name,\n kb : \"2726384\",\n path : userdir + \"\\Microsoft Lync Attendee\\MeetingJoinAxAOC.DLL\",\n min_ver : \"4.0.0.0\",\n fix : \"4.0.7577.4109\"\n );\n }\n}\n\n#############################################################\n# Microsoft SharePoint Server 2007 SP2 / SP3\n#\n# [KB2687405] - Microsoft.SharePoint.Publishing.dll: 12.0.6664.5000\n#############################################################\nif (sps_2007_path)\n{\n name = \"Office SharePoint Server 2007\";\n\n check_vuln(\n name : name,\n kb : \"2687405\",\n path : sps_2007_path + \"Bin\\Microsoft.SharePoint.Publishing.dll\",\n fix : \"12.0.6664.5000\"\n );\n}\n\n#############################################################\n# SharePoint Server 2010 SP1\n#\n# [KB2687435] - OSAFEHTM.DLL - 14.0.6123.5006\n# [KB2589280] - Microsoft.Office.Policy.dll - 14.0.6123.5000\n#############################################################\nif (sps_2010_path)\n{\n name = \"Office SharePoint Server 2010\";\n\n check_vuln(\n name : name,\n kb : \"2687435\",\n path : commonprogramfiles + \"\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\Osafehtm.dll\",\n fix : \"14.0.6123.5006\"\n );\n\n check_vuln(\n name : name,\n kb : \"2589280\",\n path : commonprogramfiles + \"\\Microsoft Shared\\Web Server Extensions\\14\\ISAPI\\Microsoft.Office.Policy.dll\",\n fix : \"14.0.6123.5000\"\n );\n}\n\n#############################################################\n# Groove 
Server 2010 SP1\n#\n# [KB2687402] - Relay.exe - 14.0.6123.5006\n#############################################################\nif (gs_2010_path)\n{\n check_vuln(\n name : \"Groove Server 2010\",\n kb : \"2687402\",\n path : gs_2010_path + \"\\Relay.exe\",\n fix : \"14.0.6123.5006\"\n );\n}\n\n\n#############################################################\n# SharePoint Services 3.0 SP2\n#\n# [KB2687356] - STSOM.DLL - 12.0.6665.5000\n#\n# SharePoint Foundation 2010 SP1\n# [KB2553365] - STSOM.DLL - 14.0.6123.5006\n#############################################################\nif (spf_2010_path)\n{\n path = spf_2010_path + \"Bin\\stswel.dll\";\n ver = get_ver(path);\n\n if (ver && ver =~ '^12\\\\.')\n {\n check_vuln(\n name : \"SharePoint Services 3.0\",\n kb : \"2687356\",\n path : path,\n ver : ver,\n fix : \"12.0.6665.5000\"\n );\n }\n else if (ver && ver =~ '^14\\\\.')\n {\n check_vuln(\n name : \"SharePoint Foundation 2010\",\n kb : \"2553365\",\n path : path,\n ver : ver,\n fix : \"14.0.6123.5006\"\n );\n }\n}\n\n#############################################################\n# Office Web Apps 2010 SP1\n#\n# [KB2687401] - sword.dll - 14.0.6123.5005\n#############################################################\nif (owa_2010_path)\n{\n check_vuln(\n name : \"Office Web Apps\",\n kb : \"2687401\",\n path : owa_2010_path + \"WebServices\\ConversionService\\Bin\\Converter\\sword.dll\",\n fix : \"14.0.6123.5005\"\n );\n}\n\nhotfix_check_fversion_end();\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n\n# Flag the system as vulnerable\nset_kb_item(name:\"SMB/Missing/\" + bulletin, value:TRUE);\nset_kb_item(name:\"www/0/XSS\", value:TRUE);\nhotfix_security_warning();\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-05-19T17:42:10", "description": "This host is missing an important security update according to\n Microsoft Bulletin MS12-066.", "cvss3": {}, "published": "2012-10-10T00:00:00", "type": "openvas", 
"title": "Microsoft Products HTML Sanitisation Component XSS Vulnerability (2741517)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2520"], "modified": "2020-05-15T00:00:00", "id": "OPENVAS:1361412562310902927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902927", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Products HTML Sanitisation Component XSS Vulnerability (2741517)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902927\");\n script_version(\"2020-05-15T08:09:24+0000\");\n script_bugtraq_id(55797);\n script_cve_id(\"CVE-2012-2520\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-15 08:09:24 +0000 (Fri, 15 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-10-10 10:34:20 +0530 (Wed, 10 Oct 2012)\");\n script_name(\"Microsoft Products HTML Sanitisation Component XSS Vulnerability (2741517)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"gb_ms_sharepoint_sever_n_foundation_detect.nasl\",\n \"secpod_office_products_version_900032.nasl\", \"gb_ms_office_web_apps_detect.nasl\",\n \"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to bypass certain security\n restrictions and conduct cross-site scripting and spoofing attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Lync 2010\n\n - Microsoft Lync 2010 Attendee\n\n - Microsoft Communicator 2007 R2\n\n - Microsoft InfoPath 2007 Service Pack 2\n\n - Microsoft InfoPath 2007 Service Pack 3\n\n - Microsoft InfoPath 2010 Service Pack 1\n\n - Microsoft Groove Server 2010 Service Pack 1\n\n - Microsoft Office Web Apps 2010 Service Pack 1\n\n - Microsoft SharePoint Server 
2010 Service Pack 1\n\n - Microsoft SharePoint Server 2007 Service Pack 2\n\n - Microsoft SharePoint Server 2007 Service Pack 3\n\n - Microsoft SharePoint Foundation 2010 Service Pack 1\n\n - Microsoft Windows SharePoint Services 3.0 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"Certain unspecified input is not properly sanitised within the HTML\n Sanitisation component before being returned to the user. This can be\n exploited to execute arbitrary HTML and script code in a user's\n browser session in context of an affected site.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to\n Microsoft Bulletin MS12-066.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2687439\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2687440\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/117220/sa50855.txt\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-066\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nif(get_kb_item(\"MS/Lync/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/path\");\n if(path)\n {\n commVer = fetch_file_version(sysPath:path, file_name:\"communicator.exe\");\n if(commVer)\n {\n if(version_in_range(version:commVer, test_version:\"3.5\", test_version2:\"3.5.6907.260\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n## For Microsoft Lync 2010 Attendee (admin level 
install)\n## For Microsoft Lync 2010 Attendee (user level install)\nif(get_kb_item(\"MS/Lync/Attendee/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/Attendee/path\");\n if(path)\n {\n oglVer = fetch_file_version(sysPath:path, file_name:\"Ogl.dll\");\n if(oglVer)\n {\n if(version_in_range(version:oglVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n## InfoPath 2007 and InfoPath 2010\nkeys = make_list(\"SOFTWARE\\Microsoft\\Office\\12.0\\InfoPath\\InstallRoot\",\n \"SOFTWARE\\Microsoft\\Office\\14.0\\InfoPath\\InstallRoot\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n infoPath = registry_get_sz(key:key, item:\"Path\");\n\n if(infoPath)\n {\n exeVer = fetch_file_version(sysPath:infoPath, file_name:\"Infopath.Exe\");\n dllVer = fetch_file_version(sysPath:infoPath, file_name:\"Ipeditor.dll\");\n if((exeVer &&\n (version_in_range(version:exeVer, test_version:\"12.0\", test_version2:\"12.0.6662.5003\") ||\n version_in_range(version:exeVer, test_version:\"14.0\", test_version2:\"14.0.6123.5005\"))) ||\n (dllVer &&\n (version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6662.5003\") ||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6126.4999\"))))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n## Microsoft Groove 2010\nkey = \"SOFTWARE\\Microsoft\\Office Server\\14.0\\Groove\\Groove Relay\";\nif(registry_key_exists(key:key))\n{\n dllPath = registry_get_sz(key:key, item:\"RelayCFg\");\n if(dllPath)\n {\n dllPath = dllPath - \"RelayCfg.cpl\";\n dllVer = fetch_file_version(sysPath:dllPath, file_name:\"Groovers.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6123.5004\"))\n {\n security_message( port: 0, data: \"The target host was found to be 
vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\ncpe_list = make_list(\"cpe:/a:microsoft:sharepoint_server\", \"cpe:/a:microsoft:sharepoint_foundation\", \"cpe:/a:microsoft:sharepoint_services\", \"cpe:/a:microsoft:office_web_apps\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\ncpe = infos[\"cpe\"];\n\n## SharePoint Server 2007 and 2010\nif(\"cpe:/a:microsoft:sharepoint_server\" >< cpe)\n{\n ## SharePoint Server 2007 Service Pack 2 (coreserver)\n if(vers =~ \"^12\\.\")\n {\n path = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"CommonFilesDir\");\n if(path)\n {\n path = path + \"\\Microsoft Shared\\web server extensions\\12\\ISAPI\";\n dllVer = fetch_file_version(sysPath:path, file_name:\"Microsoft.office.server.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6650.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n\n ## SharePoint Server 2010 (wosrv)\n else if(vers =~ \"^14\\.\")\n {\n key = \"SOFTWARE\\Microsoft\\Office Server\\14.0\";\n file = \"Microsoft.office.server.native.dll\";\n }\n\n if(key && registry_key_exists(key:key) && file)\n {\n if(path = registry_get_sz(key:key, item:\"BinPath\"))\n {\n dllVer = fetch_file_version(sysPath:path, file_name:file);\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6108.4999\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n## SharePoint Foundation 2010\nif(\"cpe:/a:microsoft:sharepoint_foundation\" >< cpe)\n{\n key = \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\14.0\";\n if(registry_key_exists(key:key))\n {\n dllPath = registry_get_sz(key:key, item:\"Location\");\n if(dllPath)\n {\n dllVer = 
fetch_file_version(sysPath:dllPath, file_name:\"BIN\\Onetutil.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6123.5005\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n## SharePoint Services 3.0\nif(\"cpe:/a:microsoft:sharepoint_services\" >< cpe)\n{\n key = \"SOFTWARE\\Microsoft\\Shared Tools\";\n if(registry_key_exists(key:key))\n {\n dllPath = registry_get_sz(key:key, item:\"SharedFilesDir\");\n if(dllPath)\n {\n dllVer = fetch_file_version(sysPath:dllPath, file_name:\"web server extensions\\12\\BIN\\Onetutil.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6665.4999\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n## Microsoft Office Web Apps 2010 sp1\nif(\"cpe:/a:microsoft:office_web_apps\" >< cpe)\n{\n ## Microsoft Office Web Apps 2010 sp1\n if(vers =~ \"^14\\.\")\n {\n path = get_kb_item(\"MS/Office/Web/Apps/Path\");\n if(path && \"Could not find the install\" >!< path )\n {\n\n path = path + \"\\14.0\\WebServices\\ConversionService\\Bin\\Converter\";\n dllVer = fetch_file_version(sysPath:path, file_name:\"msoserver.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6123.5000\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T17:49:11", "description": "BUGTRAQ ID: 55797\r\nCVE(CAN) ID: CVE-2012-2520\r\n\r\nSharePoint 
Server\u662f\u4e00\u4e2a\u670d\u52a1\u5668\u529f\u80fd\u96c6\u6210\u5957\u4ef6\uff0c\u63d0\u4f9b\u5168\u9762\u7684\u5185\u5bb9\u7ba1\u7406\u548c\u4f01\u4e1a\u641c\u7d22\uff0c\u52a0\u901f\u5171\u4eab\u4e1a\u52a1\u6d41\u7a0b\u5e76\u7b80\u5316\u8de8\u754c\u9650\u4fe1\u606f\u5171\u4eab\u3002Microsoft Lync \u65b0\u4e00\u4ee3\u4f01\u4e1a\u6574\u5408\u6c9f\u901a\u5e73\u53f0\uff08\u524d\u8eab\u4e3a Communications Server\uff09\uff0c\u63d0\u4f9b\u4e86\u4e00\u79cd\u5168\u65b0\u7684\u3001\u76f4\u89c2\u7684\u7528\u6237\u4f53\u9a8c\uff0c\u8de8\u8d8aPC\u3001Web\u3001\u624b\u673a\u7b49\u5176\u4ed6\u79fb\u52a8\u8bbe\u5907\uff0c\u5c06\u4e0d\u540c\u7684\u6c9f\u901a\u65b9\u5f0f\u96c6\u6210\u5230\u4e00\u4e2a\u5e73\u53f0\u4e4b\u4e2d\u3002\r\n\r\nMicrosoft SharePoint\u548cMicrosoft Lync\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6267\u884c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7ad9\u70b9\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\n0\nMicrosoft SharePoint Foundation 2010 SP1\r\nMicrosoft SharePoint Foundation 2010\r\nMicrosoft Office Web Apps 2010 SP1\r\nMicrosoft Office Web Apps 2010 0\r\nMicrosoft Groove Server 2010\r\nMicrosoft Lync 2010\r\nMicrosoft InfoPath 2007 SP2\r\nMicrosoft InfoPath 2007\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u7981\u7528Advanced Filter Pack for FAST Search Server 2010 for SharePoint\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS12-067\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nMS12-067\uff1aVulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2742321)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS12-067.asp", "published": "2012-10-11T00:00:00", "type": "seebug", "title": "Microsoft SharePoint\u548cMicrosoft Lync 
HTML\u8fc7\u6ee4\u8de8\u7ad9\u811a\u672c\u6267\u884c\u6f0f\u6d1e (MS12-067)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2520"], "modified": "2012-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60431", "id": "SSV:60431", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2021-06-08T18:58:31", "description": "Insufficient HTML sanitization", "cvss3": {}, "published": "2012-10-09T00:00:00", "type": "securityvulns", "title": "Multiple Microsoft web applications cross-site scripting", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-2520"], "modified": "2012-10-09T00:00:00", "id": "SECURITYVULNS:VULN:12625", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12625", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cve": [{"lastseen": "2023-02-09T14:04:52", "description": "Cross-site scripting (XSS) vulnerability in Microsoft InfoPath 2007 SP2 and SP3 and 2010 SP1, Communicator 2007 R2, Lync 2010 and 2010 Attendee, SharePoint Server 2007 SP2 and SP3 and 2010 SP1, Groove Server 2010 SP1, Windows SharePoint Services 3.0 SP2, SharePoint Foundation 2010 SP1, and Office Web Apps 2010 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted string, aka \"HTML Sanitization Vulnerability.\"", "cvss3": {}, "published": "2012-10-09T21:55:00", "type": "cve", "title": "CVE-2012-2520", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2520"], "modified": "2018-10-12T22:03:00", "cpe": ["cpe:/a:microsoft:sharepoint_services:3.0", "cpe:/a:microsoft:office_web_apps:2010", "cpe:/a:microsoft:office_communicator:2007", "cpe:/a:microsoft:groove_server:2010", "cpe:/a:microsoft:infopath:2010", "cpe:/a:microsoft:sharepoint_foundation:2010", "cpe:/a:microsoft:sharepoint_server:2007", "cpe:/a:microsoft:sharepoint_server:2010", "cpe:/a:microsoft:lync:2010", "cpe:/a:microsoft:infopath:2007"], "id": "CVE-2012-2520", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2520", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:infopath:2010:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2010:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:infopath:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2010:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_communicator:2007:r2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_web_apps:2010:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:groove_server:2010:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_services:3.0:sp2:*:*:*:*:*:*"]}]}