Microsoft Confirms SharePoint Security Vulnerability
Microsoft has confirmed reports of a cross-site scripting vulnerability in SharePoint Server 2007 and SharePoint Services 3.0.
According to Microsoft, the vulnerability could allow escalation of privilege (EoP) within the SharePoint site. If an attacker successfully exploits the vulnerability, the person could run commands against the SharePoint server with the privileges of the compromised user.
"In the elevation of privilege scenario, an attacker could convince a user to click a specially crafted URL containing a script that would be run on the target SharePoint site," Microsoft warned. "This URL could be in an e-mail message, on a Web site, or in an Instant Message conversation. Once the user clicks the specially crafted URL, the browser would run the script with the same privileges as the targeted user on the SharePoint site."
A proof-of-concept exploit has already appeared on the Full Disclosure Mailing list, where a poster described the situation thusly:
"The vulnerability exists due to failure in the "/_layouts/help.aspx" script to properly sanitize user-supplied input in "cid0" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data."
"An administrator can apply an access control list to SharePoint Help.aspx to ensure that they can no longer be loaded," Microsoft said. "This effectively prevents exploitation of the vulnerability using this attack vector."
Microsoft officials did not state when a security update will be ready to address the issue.