Secure IT Alert: XSS Vulnerabilities in Microsoft SharePoint Server Web Security Feature


Homeland Secure IT Alert

Homeland Secure IT Alert for Thursday, October 14, 2010

It seems like only yesterday I was telling our friends and clients about security issues that were announced this week. Believe me, this isn't déjà vu all over again. It's just another day in the life of a system administrator.

If you are running Microsoft SharePoint, and especially if it is reachable from the outside world over HTTP or HTTPS rather than only by your internal users, this update affects you and the patch should be applied immediately. It also affects Microsoft Groove Server 2010 and Microsoft Office Web Apps.

I have included the security bulletin from WatchGuard below, which outlines this vulnerability in more detail.

As always, should you require additional assistance or have questions, please email or call 864.990.4748. We offer complete computer / network service, support & consultation in the Greenville / Upstate SC area, and national sales of WatchGuard security products.

XSS Vulnerabilities in SharePoint Server Web Security Feature

Severity: Medium
12 October, 2010

This vulnerability affects: The SharePoint family of products and Office Web Apps

How an attacker exploits it: By sending specially crafted HTTP requests, or enticing users into clicking malicious links

Impact: An attacker can run script in your users' browsers, in the context of your web site, with those users' privileges

What to do: Install Microsoft’s various server updates as soon as possible, or let Windows Update do it for you

Microsoft SharePoint is a family of products (including Groove Server) that offers web-based collaboration, file sharing, and web publishing. Office Web Apps are free, web-based versions of the Microsoft Office productivity suite.

In a security bulletin released as part of Patch Day, Microsoft describes two Cross-Site Scripting (XSS) vulnerabilities that affect the SharePoint family of products and Office Web Apps. Ironically, both flaws lie within a component called SafeHTML, which is supposed to improve web security by stripping malicious script from user-supplied HTML before it is rendered. Though the two vulnerabilities differ technically, they share the same scope and impact. By sending specially crafted HTTP requests to a server that relies on SafeHTML, or by enticing a victim into clicking a link that generates such a request, an attacker can get script past the sanitizer so that it runs in the victim's browser in the context of your site, with that user's privileges. Attackers can leverage these sorts of XSS flaws to read or steal your users' session cookies, hijack their web sessions, or, when combined with a browser vulnerability, even execute code on those users' computers with an increased level of trust.
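The bulletin does not say how the two SafeHTML bypasses work, so the following is an added, generic illustration of the class of bug rather than SafeHTML's code or the SharePoint exploit itself. It places a hypothetical blocklist-style sanitizer (delete `<script>` tags and double-quoted `on*` handlers, pass everything else through) beside an allowlist sanitizer built on Python's standard `html.parser`, and runs both over a handful of constructed payloads. The payloads, function names, and the tag and attribute allowlist are assumptions of this example, not anything from the bulletin.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed test inputs (not from the bulletin): one benign fragment and
# five classic ways of smuggling script past a strip-the-bad-bits sanitizer.
PAYLOADS = {
    "benign":     '<p>Hello <b>world</b></p>',
    "script_tag": '<script>alert(1)</script>',
    "handler_dq": '<img src="x" onerror="alert(1)">',
    "handler_sq": "<img src=x onerror='alert(1)'>",      # single-quoted attribute
    "js_url":     '<a href="javascript:alert(1)">click</a>',
    "split_tag":  '<scr<script>ipt>alert(1)</script>',   # tag reassembles after one pass
}


def blocklist_sanitize(html):
    """Hypothetical blocklist sanitizer: remove things known to be bad and
    pass everything else through. This is the design that keeps failing."""
    # Strip <script> and </script> tags in a single pass.
    html = re.sub(r"</?script[^>]*>", "", html, flags=re.I)
    # Strip double-quoted on*="..." event handlers (and nothing else).
    html = re.sub(r'\son\w+\s*=\s*"[^"]*"', "", html, flags=re.I)
    return html


ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute is dropped
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """Accept relative URLs and a short list of schemes; reject the rest.
    Whitespace and control characters are removed first because browsers
    ignore them inside a scheme (e.g. 'java\\tscript:')."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    return ":" not in v or v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Allowlist sanitizer: parse the input, re-emit only known-safe tags and
    attributes, drop the content of <script>/<style>, re-escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return          # unknown element dropped; its text survives, escaped
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None and safe_url(value):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def allowlist_sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


DANGER = re.compile(r"<script|javascript:|\son\w+\s*=", re.I)


def looks_dangerous(html):
    """Crude indicator for the demo only: did something executable survive?"""
    return bool(DANGER.search(html))


def compare(payloads=PAYLOADS):
    """Return {name: (blocklist_leaks, allowlist_leaks)} for each payload."""
    return {
        name: (looks_dangerous(blocklist_sanitize(p)), looks_dangerous(allowlist_sanitize(p)))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, (b, a) in compare().items():
        print(f"{name:11} blocklist: {'LEAK' if b else 'ok':5} allowlist: {'LEAK' if a else 'ok'}")
```

Running the script prints one line per payload. The blocklist version lets three of the five attacks through: a single-quoted handler its regex never matched, a `javascript:` URL it never looked at, and a split tag that reassembles into `<script>alert(1)` after a single removal pass. The allowlist version never has to enumerate attacks: it parses the input, rebuilds only what it recognizes, and escapes everything else, which is the property a component like SafeHTML must have. For production use, a maintained sanitizer library is still preferable to a sixty-line parser subclass; the point here is the design, not the code.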

If you use the SharePoint family of products, you should download, and install the appropriate updates as soon as possible.

Solution Path:
Microsoft has released updates to fix these vulnerabilities. SharePoint product administrators should download, test and deploy the corresponding updates as soon as possible, or let Windows Update do it for you:

SharePoint Services 3.0 w/SP2 (KB2345304)
SharePoint Services 3.0 w/SP2 64-bit (KB2345304)
SharePoint Foundation 2010 (KB2345322)
SharePoint Server 2007 w/SP2 (KB2345212)
SharePoint Server 2007 w/SP2 64-bit (KB2345212)
Groove Server 2010 (KB2346298)
Office Web Apps (KB2346411)

For All WatchGuard Users:
Most organizations do not allow Internet-based users to reach their SharePoint servers. Unless you have created an HTTP or HTTPS policy that lets external users access your SharePoint server, your Firebox or XTM appliance will prevent Internet-based attackers from leveraging these flaws. That said, your servers are still at risk from internal attackers, and from external ones if you do publish SharePoint to the Internet. Therefore, the patches above are your best solution.

For more information, see Microsoft Security Bulletin MS10-072.
This alert was researched and written by Corey Nachreiner, CISSP.
