Credit:
The information has been provided by Microsoft Security Bulletin MS07-059.
The original article can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-059.mspx
* Windows Server 2003
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition
* Windows Server 2003 x64 Edition Service Pack 2
* Microsoft Office SharePoint Server 2007
* Microsoft Office SharePoint Server 2007 x64 Edition
SharePoint Scripting Vulnerability:
This is a scripting vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could allow an attacker to run arbitrary script that can result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. The vulnerability could also allow an attacker to run arbitrary script to modify a user's cache, resulting in information disclosure at the workstation. However, user interaction is required to exploit this vulnerability.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-2581.
Mitigating Factors for SharePoint Scripting Vulnerability:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
* In a Web-based attack scenario, Web sites that accept or host user-provided content, or compromised Web sites and advertisement servers, could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that contains a specially crafted URL with embedded JavaScript.
* In the information disclosure scenario, clients that have the advanced Internet option, Do not save encrypted pages to disk, turned on in Internet Explorer would not be at risk from any attempts to put spoofed content into the client cache if the clients accessed SharePoint site through the Secure Sockets Layer (SSL) protocol.
FAQ for SharePoint Scripting Vulnerability:
What is the scope of the vulnerability?
This is a scripting vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could allow an attacker to run arbitrary script that can result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. The vulnerability could also allow an attacker to run arbitrary script to modify a user's cache, resulting in information disclosure at the workstation. However, user interaction is required to exploit this vulnerability.
What causes the vulnerability?
Neither Microsoft Windows SharePoint Services 3.0 nor Microsoft Office SharePoint Server 2007 sufficiently validates URL-encoded requests to ensure that the requests do not contain script code.
What are SharePoint Services?
Windows SharePoint Services, a technology in Windows Server 2003, provides a platform for collaboration applications, offering a common framework for document management and a common repository for storing documents of all types. It exposes key Windows Server services like Windows Workflow Services and Windows Rights Management Services. Office SharePoint Server 2007 is an integrated suite of server capabilities built on top of Windows SharePoint Services.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights on the SharePoint site as the logged-on user. Users whose accounts are configured to have fewer user rights on the SharePoint site could be less impacted than users who operate with administrative user rights on the SharePoint site.
An attacker could also run arbitrary script to modify a user's cache by displaying spoofed responses to users, or by redirecting server responses to the attacker. This results in information disclosure at the workstation.
How could an attacker exploit the vulnerability?
In the elevation of privilege scenario, an attacker could convince a user to click a specially crafted link, in an e-mail message or in a Web site, that contained script. Once the user clicks the link, the browser would run the script to elevate the attacker to the same privilege or higher as the logged-on user on the SharePoint site.
In the spoofing scenario, an attacker could also create a specially crafted link to redirect the user to another specially crafted Web site, or to capture confidential information within the browser cache.
What systems are primarily at risk from the vulnerability?
Systems that are running Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 are primarily at risk of attacks resulting in elevation of privilege. Workstations where users are accessing a vulnerable SharePoint site are at risk of attacks resulting in information disclosure.
What does the update do?
The security update addresses the vulnerability by modifying the way that Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 validate URL-encoded requests.
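The cause and the fix above come down to where the validation runs: a check on the request as received does not see script that arrives percent-encoded, while a check applied after each parameter is decoded does. The following Python is an added illustration of that difference from a detection standpoint; it is not code from the bulletin or from SharePoint, and the sample URLs, path and regular expression are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Coarse markers for script content in a decoded parameter value.
# This is a defender-side illustration, not Microsoft's validation logic.
SCRIPT_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    doubly-encoded input is inspected in the form the application sees."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_contains_script(raw_url: str) -> bool:
    """Inspects the raw request line only. URL-encoded script passes this
    check, which is the insufficient validation the bulletin describes."""
    return bool(SCRIPT_RE.search(raw_url))


def decoded_contains_script(raw_url: str) -> bool:
    """Decodes each query parameter before inspecting it, which is what a
    correct validation of URL-encoded requests has to do."""
    query = urlsplit(raw_url).query
    for _, val in parse_qsl(query, keep_blank_values=True):
        if SCRIPT_RE.search(fully_decode(val)):
            return True
    return False


# Constructed sample request URLs (not from the bulletin); the path is a placeholder.
SAMPLE_URLS = [
    "/sites/team/page.aspx?view=list",
    "/sites/team/page.aspx?view=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/sites/team/page.aspx?view=%253Cscript%253E",
]


def flagged(check) -> list:
    """Returns the sample URLs that a given check reports as containing script."""
    return [u for u in SAMPLE_URLS if check(u)]
```

Running `flagged(naive_contains_script)` returns nothing, while `flagged(decoded_contains_script)` returns both encoded samples, including the doubly-encoded one.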
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2007-2581.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.