____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Security Advisory ===============/======================================================== Advisory ID: CAU-2008-0002 Release Date: 04/08/2008 Title: Microsoft Windows SharePoint Services Picture Source XSS Application/OS: Microsoft Windows SharePoint Services 2.0 Topic: A stored Cross Site Scripting (XSS) attack is possible in Microsoft SharePoint Services 2.0 via picture object source when adding a picture object to a page. Vendor Status: Not Notified Attributes: XSS, Web Service, Microsoft Tuesday Advisory URL: http://www.caughq.org/advisories/CAU-2008-0002.txt Author/Email: OneIdBeagl3 ===============/======================================================== Overview ======== A stored XSS vulnerability exists in Microsoft Windows SharePoint Services 2.0 where a malicious user can bypass sanitization and inject javascript into a web page they are editing. Under normal circumstances, SharePoint does not permit users to include javascript in any submitted content. Impact ====== If javascript is enabled in a user's browser, when the user views the page, the javascript will be executed. As a result, an attacker could potentially steal credentials and takeover the browser or machine of any user who views the page. Affected Systems ================ Microsoft Windows Share Point Services 2.0 Technical Explanation ===================== The string below is not properly sanitized when the web page is saved after adding a picture using the application's text editor: """>

The text between the script tags will be injected into the page upon each successful edit and save operation, after the page is initially saved. On initial testing, there did not appear to be a size limit for javascript text that could be injected. The string must also use all double quotes when quotes are needed. Solution & Recommendations ========================== Unless editing web pages in SharePoint 2.0 is necessary, disable this feature. If the feature is necessary, ensure users must authenticate to a service before giving them the privilege to create or edit pages, and only afford users the privileges if they need to create or edit pages. This practice will help leave an audit trail to determine which account was used to create a malicious web page if an incident takes place. Exploitation ============ ===============/======================================================== Steps to inject the javascript attack: 1) Log-in as a user that has enough privileges to create a web page. 2) In the web page on the top toolbar click on Create. 3) Under the 'Web Pages' section, click on 'Basic Page.' 4) Pick a web page name and click the create button. 5) In IE 7, an Edit Content Link appears in the upper right hand corner. Click on it and it should open up a "Rich Text Editor -- Webpage Dialog" window. 6) Add a picture to the page, and in the 'Picture Source' enter the following: """>

7) Save the content, and then click 'Edit Content' again and save it. Now the javascript is embedded in the page. Also, each time the page is edited and saved, the javascript is duplicated in the page. Credits & Gr33ts ================ CAU & HDM -- I)ruid, C˛ISSP druid@caughq.org http://druid.caughq.org