SharePoint Server Cross Site Scripting

Published 23 Feb 2010. Reported by Irene Abezgauz. Source: packetstorm (packetstormsecurity.com).

Cross Site Scripting in SharePoint allows attackers to execute malicious scripts by uploading files, potentially leading to data theft and unauthorized operation

Hacktics Research Group Security Advisory  
http://www.hacktics.com/#view=Resources%7CAdvisory  
  
By Irene Abezgauz, Hacktics.  
22-Feb-2010  
  
===========  
I. Overview  
===========  
During a penetration test performed by Hacktics' experts, a persistent  
cross-site scripting vulnerability was identified in the SharePoint document  
handling module. This vulnerability allows attackers to gain control over  
valid user accounts, perform operations on their behalf, redirect them to  
malicious sites, steal their credentials, and more.   
  
A friendly formatted version of this advisory, including a video  
demonstrating step-by-step execution of the exploit, is available in:   
http://www.hacktics.com/content/advisories/AdvMS20100222.html  
  
===============  
II. The Finding  
===============  
The document module of the SharePoint server allows attackers to inject  
malicious scripts into dynamically generated web content through file  
uploading. These scripts will be executed in the browser of any user viewing  
the infected content (persistent cross site scripting).  
  
Further research and correspondence with the Microsoft Security Response Center  
established that this vulnerability is only partially described in  
CVE-2008-5026. Because that description is partial, there is no Bugtraq  
record for this vulnerability and there is no fix (so it remains valid on  
most SharePoint deployments); we have therefore decided to release this  
advisory to the list.  
  
============  
III. Details  
============  
The Documents module is vulnerable to persistent cross site scripting:   
https://<mySharePointServer>/<id>/_layouts/Upload.aspx  
  
An attacker can inject malicious scripts into a file and upload it. When any  
user accesses the uploaded file, it is displayed directly in their browser  
(rather than being downloaded to the computer), and the malicious script is  
executed in the context of the vulnerable SharePoint site.  
  
This vulnerability can obviously be exploited with HTML files (as mentioned  
in CVE-2008-5026), but can also be exploited with any other file type parsed  
as HTML by the browser. In our testing we were able to reproduce this with  
uploads of TXT files as well.  
  
===========  
IV. Exploit  
===========  
An attacker can embed a malicious script (for example,  
<script>alert("XSS")</script>) in a document uploaded to the SharePoint site.  
When any other user (an administrative user or a regular user who views  
documents in the system) opens the file, the malicious script is executed in  
their browser.  
  
==================  
V. Vendor Response  
==================  
We contacted the Microsoft Security Response Team on 13-Dec-2009.  
Microsoft's response was that this is a known issue, which Microsoft  
considers a low-impact vulnerability for the following reasons:  
  
1. Authentication and the ability to write to the SharePoint site are  
required to exploit this scenario.  
2. Significant workarounds exist that allow SharePoint server configurations  
to be isolated from cross domain exploitation.  
3. SharePoint administrators can restrict the uploading of files to  
SharePoint servers.  
  
Hacktics' research team has reviewed this response and has certain  
reservations about it. Having users authenticate and upload documents is the  
inherent functionality of SharePoint. Many organizations have implemented  
complex environments on top of this functionality, with a need for strict  
authorization separation, which is easily circumvented using this exploit.  
  
Moreover, although the proposed workaround does indeed reduce the risk of  
this vulnerability, it requires a rather complex configuration to setup and  
maintain, especially with internet-facing environments. Such a solution may  
not be easily adopted by most SharePoint administrators.   
  
Finally, restriction of uploading files may indeed provide a solution, but  
may very well not be acceptable by the system's users.  
  
It is important to note that despite this response, Microsoft has fixed this  
problem entirely in SharePoint 2010.   
  
=======================  
VI. Solution/Workaround  
=======================  
There is currently no fix to the problem and Microsoft has no plan of  
releasing one for SharePoint 2007. Once SharePoint 2010 is officially  
released this could be resolved by upgrading to SharePoint 2010.  
  
Nonetheless, in case this poses a security risk, a suggested workaround is  
proposed by Microsoft, to build the SharePoint site with separate host name  
for each collection, as described in:  
http://technet.microsoft.com/en-us/library/cc262778.aspx#section6  
  
As already mentioned, this may involve complex configuration and  
maintenance, and does not provide a full solution to the risk. It is  
therefore recommended that uploading of HTML files, as well as any text-type  
files, be disabled in the SharePoint configuration.  
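The two mitigations this advisory turns on, refusing HTML and text-type uploads and never letting an uploaded file render inline, can be expressed as a small upload policy. The following is an added illustration, not code from Hacktics or Microsoft and not SharePoint's own logic; it assumes a hypothetical upload handler that calls these two functions, and the blocked-extension set and sample inputs are constructed for the example.

```python
import os
import re
from typing import Dict, Optional

# Extensions browsers may render as a document (and so execute script) when
# served inline from the site's own origin. Constructed for this example,
# following the advisory's advice to block HTML and text-type uploads.
BLOCKED_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".mht", ".mhtml",
                      ".svg", ".xml", ".txt"}

# Cheap content sniff for HTML/script markup regardless of the extension the
# client chose, so a file named "report.log" that is really HTML is caught too.
HTML_MARKER = re.compile(
    rb"<\s*(script|html|body|iframe|svg|object|embed|img)\b|"
    rb"<\s*\w+[^>]*\son\w+\s*=|javascript\s*:", re.IGNORECASE)


def upload_rejection(filename: str, data: bytes) -> Optional[str]:
    """Return a reason string if the upload should be refused, else None."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"extension {ext} is not allowed"
    # Only the first 64 KiB is inspected; markup that triggers rendering sits
    # near the top of a document, and this bounds the cost per upload.
    if HTML_MARKER.search(data[:65536]):
        return "content contains HTML/script markup"
    return None


def download_headers(filename: str) -> Dict[str, str]:
    """Response headers that stop a browser from rendering an accepted upload.

    Content-Disposition: attachment forces a download instead of in-page
    display; X-Content-Type-Options: nosniff stops the browser from sniffing
    an octet-stream body as HTML; Content-Security-Policy: sandbox neuters
    script and same-origin access even if something is rendered anyway.
    """
    # Strip directory components and anything that could break the header.
    safe_name = re.sub(r"[^\w. -]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
```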
  
=====================  
VII. Affected Systems  
=====================  
Microsoft Office SharePoint Server 2007.  
  
============  
VIII. Credit  
============  
The vulnerability was discovered by Irene Abezgauz, Hacktics Ltd.  
  
  
---  
Ofer Maor  
CTO, Hacktics  
Chairman, OWASP Israel  
  
Web: www.hacktics.com  
