Code & Data Security
By Irene Abezgauz February 22nd, 2010
During a penetration test performed by Hacktics’ experts, a persistent cross-site scripting vulnerability was identified in the SharePoint document handling module. This vulnerability allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.
Following is a video demonstrating a full step-by-step reproduction of this attack:
The document module of the SharePoint server allows attackers to inject malicious scripts into dynamically generated web content through file uploading. These scripts will be executed in the browser of any user viewing the infected content (persistent cross site scripting).
The Documents module is vulnerable to persistent cross site scripting:
An attacker can inject malicious scripts into a file and upload it. When any user will access the uploaded file, it will be displayed directly on their browser (rather than having the file downloaded to the computer), and the malicious script will be executed in the context of the vulnerable SharePoint site.
This vulnerability can naturally be exploited with HTML files (as mentioned in CVE-2008-5026), but can also be exploited with any other file type parsed as HTML by the browser. In our testing we were able to reproduce this with uploads of TXT files as well.
An attacker can embed a malicious script (for example – in a document uploaded to the SharePoint site. When any other user (an administrative user or a regular user who views documents in the system) opens the file – the malicious script will be executed on their browser.
We have contacted the Microsoft Security Response Team on 13-Dec-2009. Microsoft response to the point was that this is a known issue, and is considered a low impact vulnerability by Microsoft for the following reasons:
Authentication and the ability to write to the SharePoint site are required to exploit this scenario. Significant workarounds exist that allow SharePoint server configurations to be isolated from cross domain exploitation. SharePoint administrators can restrict the uploading of files to SharePoint servers. Hacktics’ research team has reviewed this response and has certain reservations with this response. Having users authenticate and upload documents is the inherent functionality of SharePoint. Many organizations have implemented complex environments on top of this functionality, with need for strict authorization separation which is easily circumvented using this exploit.
Moreover, although the proposed workaround does indeed reduce the risk of this vulnerability, it requires a rather complex configuration to setup and maintain, especially with internet-facing environments. Such a solution may not be easily adopted by most SharePoint administrators.
Finally, restriction of uploading files may indeed provide a solution, but may very well not be acceptable by the system’s users.
It is important to note that despite this response, Microsoft has fixed this problem entirely in SharePoint 2010.
There is currently no fix to the problem and Microsoft has no plan of releasing one for SharePoint 2007. Once SharePoint 2010 is officially released this could be resolved by upgrading to SharePoint 2010.
Nonetheless, in case this poses a security risk, a suggested workaround is proposed by Microsoft, to build the SharePoint site with separate host names for each collection, as described in http://technet.microsoft.com/en-us/library/cc262778.aspx#section6.
As already mentioned, this may involve complex configuration and maintenance, and does not provide a full solution to the risk. It is therefore recommended that uploading of HTML files, as well as any text type files will be disabled in the SharePoint configuration.
Microsoft Office SharePoint Server 2007.
Further research and correspondence with Microsoft Security Response Center has identified that a partial mention of this vulnerability appears in CVE-2008-5026.
The vulnerability was discovered by Irene Abezgauz, Hacktics Ltd.
Copyright Hacktics 2009 All right reserved
This post is also available in: French