ServicesProductsResourcesNews
Persistent Cross Site Scripting in Microsoft SharePoint Portal
Hacktics Research
By Irene Abezgauz February 22nd, 2010
CVE: CVE-2010-0716

Overview

During a penetration test performed by Hacktics' experts, a persistent cross-site scripting vulnerability was identified in the SharePoint document handling module. This vulnerability allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.

Following is a video demonstrating a full step-by-step reproduction of this attack:

The Finding

The document module of the SharePoint server allows attackers to inject malicious scripts into dynamically generated web content through file uploading. These scripts will be executed in the browser of any user viewing the infected content (persistent cross site scripting).

Details

The Documents module is vulnerable to persistent cross site scripting:

https://<mySharePointServer>/<id>/_layouts/Upload.aspx

An attacker can inject malicious scripts into a file and upload it. When any user will access the uploaded file, it will be displayed directly on their browser (rather than having the file downloaded to the computer), and the malicious script will be executed in the context of the vulnerable SharePoint site.

This vulnerability can naturally be exploited with HTML files (as mentioned in CVE-2008-5026), but can also be exploited with any other file type parsed as HTML by the browser. In our testing we were able to reproduce this with uploads of TXT files as well.

Exploit

An attacker can embed a malicious script (for example - <SCRIPT>alert("XSS")</SCRIPT> in a document uploaded to the SharePoint site. When any other user (an administrative user or a regular user who views documents in the system) opens the file - the malicious script will be executed on their browser.

Vendor Response

We have contacted the Microsoft Security Response Team on 13-Dec-2009. Microsoft response to the point was that this is a known issue, and is considered a low impact vulnerability by Microsoft for the following reasons:

Hacktics' research team has reviewed this response and has certain reservations with this response. Having users authenticate and upload documents is the inherent functionality of SharePoint. Many organizations have implemented complex environments on top of this functionality, with need for strict authorization separation which is easily circumvented using this exploit.

Moreover, although the proposed workaround does indeed reduce the risk of this vulnerability, it requires a rather complex configuration to setup and maintain, especially with internet-facing environments. Such a solution may not be easily adopted by most SharePoint administrators.

Finally, restriction of uploading files may indeed provide a solution, but may very well not be acceptable by the system's users.

It is important to note that despite this response, Microsoft has fixed this problem entirely in SharePoint 2010.

Solution / Workaround

There is currently no fix to the problem and Microsoft has no plan of releasing one for SharePoint 2007. Once SharePoint 2010 is officially released this could be resolved by upgrading to SharePoint 2010.

Nonetheless, in case this poses a security risk, a suggested workaround is proposed by Microsoft, to build the SharePoint site with separate host names for each collection, as described in
http://technet.microsoft.com/en-us/library/cc262778.aspx#section6.

As already mentioned, this may involve complex configuration and maintenance, and does not provide a full solution to the risk. It is therefore recommended that uploading of HTML files, as well as any text type files will be disabled in the SharePoint configuration.

Affected Systems

Microsoft Office SharePoint Server 2007.

References

Further research and correspondence with Microsoft Security Response Center has identified that a partial mention of this vulnerability appears in CVE-2008-5026.

Credit

The vulnerability was discovered by Irene Abezgauz, Hacktics Ltd.