Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2008-5026 to a friend New vulnerability? New tool? Tell us	CVE-2008-5026 Microsoft SharePoint Portal Persistent Cross Site Scripting     Credit: The information has been provided by Irene Abezgauz. The original article can be found at: http://www.hacktics.com/content/advisories/AdvMS20100222.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2008-5026 Details Check for CVE-2008-5026 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems: Microsoft Office SharePoint Server 2007 This vulnerability allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more. The document module of the SharePoint server allows attackers to inject malicious scripts into dynamically generated web content through file uploading. These scripts will be executed in the browser of any user viewing the infected content (persistent cross site scripting). Further research and correspondence with Microsoft Security Response Center has identified that a partial mention of this vulnerability appears in CVE-2008-5026. However, as this is only partial, there is no bugtraq record for this vulnerability and there is no fix (making it still valid on most SharePoint deployments.) The Documents module is vulnerable to persistent cross site scripting: https:////_layouts/Upload.aspx An attacker can inject malicious scripts into a file and upload it. When any user will access the uploaded file, it will be displayed directly on their browser (rather than having the file downloaded to the computer), and the malicious script will be executed in the context of the vulnerable SharePoint site. This vulnerability can obviously be exploited with HTML files (as mentioned in CVE-2008-5026), but can also be exploited with any other file type parsed as HTML by the browser. In our testing we were able to reproduce this with uploads of TXT files as well. Patch Availability: There is currently no fix to the problem and Microsoft has no plan of releasing one for SharePoint 2007. Once SharePoint 2010 is officially released this could be resolved by upgrading to SharePoint 2010. Workaround: Microsoft's Security Response Team was contacted on 13-Dec-2009. Microsoft response to the point was that this is a known issue, and is considered a low impact vulnerability by Microsoft for the following reasons: 1. Authentication and the ability to write to the SharePoint site are required to exploit this scenario. 2. Significant workarounds exist that allow SharePoint server configurations to be isolated from cross domain exploitation. 3. SharePoint administrators can restrict the uploading of files to SharePoint servers. A suggested workaround is proposed by Microsoft, to build the SharePoint site with separate host name for each collection, as described in: http://technet.microsoft.com/en-us/library/cc262778.aspx#section6  Comments on CVE-2008-5026:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®