A new vulnerability affecting Microsoft Office SharePoint has surfaced. While enterprises wait on a patch, there are actions they can take to mitigate the vulnerability.
Microsoft has confirmed reports of a cross-site scripting
vulnerability in SharePoint Server 2007 and SharePoint Services 3.0.
According to Microsoft
the vulnerability could allow escalation of privilege (EoP) within the
SharePoint site. If an attacker successfully exploits the
vulnerability, the person could run commands against the SharePoint
server with the privileges of the compromised user.
"In the elevation of privilege scenario, an attacker could convince
a user to click a specially crafted URL containing a script that would
be run on the target SharePoint site," Microsoft warned. "This URL
could be in an e-mail message, on a Web site, or in an Instant Message
conversation. Once the user clicks the specially crafted URL, the
browser would run the script with the same privileges as the targeted
user on the SharePoint site."
A proof-of-concept exploit has already appeared on the Full Disclosure Mailing list, where a poster described the situation thusly
"The vulnerability exists due to failure in the
"/_layouts/help.aspx" script to properly sanitize user-supplied input
in "cid0" variable. Successful exploitation of this vulnerability could
result in a compromise of the application, theft of cookie-based
authentication credentials, disclosure or modification of sensitive
According to Microsoft, while an attacker can cause arbitrary
URL, the attacker would not be able to steal the logged-on user's
authentication credentials due to the way SharePoint Server handles the
HttpOnly authentication cookie. The vulnerability is also mitigated by Internet Explorer 8's
cross-site scripting filter and by restricting access to SharePoint Help.aspx.
"An administrator can apply an access control list to SharePoint
Help.aspx to ensure that they can no longer be loaded," Microsoft said.
"This effectively prevents exploitation of the vulnerability using this
Microsoft officials did not state when a security update will be ready to address the issue.