Microsoft has confirmed reports of a cross-site scripting vulnerability in SharePoint Server 2007 and SharePoint Services 3.0.
According to Microsoft, the vulnerability could allow elevation of privilege (EoP) within the SharePoint site. If an attacker successfully exploits the vulnerability, the attacker could run commands against the SharePoint server with the privileges of the compromised user.
“In the elevation of privilege scenario, an attacker could convince a user to click a specially crafted URL containing a script that would be run on the target SharePoint site,” Microsoft warned. “This URL could be in an e-mail message, on a Web site, or in an Instant Message conversation. Once the user clicks the specially crafted URL, the browser would run the script with the same privileges as the targeted user on the SharePoint site.”
A proof-of-concept exploit has already appeared on the Full Disclosure mailing list, where a poster described the issue as follows:
“The vulnerability exists due to failure in the “/_layouts/help.aspx” script to properly sanitize user-supplied input in “cid0” variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.”
According to Microsoft, while an attacker can cause arbitrary JavaScript to be run by tricking the user into clicking a malicious URL, the attacker would not be able to steal the logged-on user’s authentication credentials due to the way SharePoint Server handles the HttpOnly authentication cookie. The vulnerability is also mitigated by Internet Explorer 8’s cross-site scripting filter and by restricting access to SharePoint Help.aspx.
“An administrator can apply an access control list to SharePoint Help.aspx to ensure that they can no longer be loaded,” Microsoft said. “This effectively prevents exploitation of the vulnerability using this attack vector.”
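Until a patch or the Help.aspx access control list is in place, a defender's practical question is whether anyone has already sent script-bearing `cid0` values to `/_layouts/help.aspx`. The following is an added example written for this article, not code from Microsoft or from the Full Disclosure post: it parses IIS W3C-format log lines, picks out requests to `help.aspx`, fully percent-decodes the `cid0` parameter (so double-encoded values are caught too) and flags those containing script markers. The log lines are constructed for the example; the field layout, IP addresses and topic id are assumptions, not values from a real server.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample IIS W3C log lines (not from any real server) for a
# SharePoint front end. The first help.aspx request carries an ordinary help
# topic id; the last two carry script content in the cid0 parameter, the
# second of them double percent-encoded.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-04-29 10:01:02 10.0.0.5 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml 200
2010-04-29 10:01:03 10.0.0.5 GET /_layouts/default.aspx - 200
2010-04-29 10:02:11 10.0.0.9 GET /_layouts/help.aspx cid0=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2010-04-29 10:02:12 10.0.0.9 GET /_layouts/help.aspx cid0=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 200
"""

# Markers that never belong in a help topic id: a script tag, a javascript:
# URL, or a tag carrying an on* event handler attribute. Matched only after
# full URL decoding.
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_help_xss(text):
    """Return (client ip, decoded cid0) for help.aspx requests whose cid0 carries script."""
    hits = []
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().endswith("/_layouts/help.aspx"):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        # parse_qs decodes one layer; fully_decode handles anything nested.
        params = parse_qs(query, keep_blank_values=True)
        for raw in params.get("cid0", []):
            decoded = fully_decode(raw)
            if SCRIPT_MARKERS.search(decoded):
                hits.append((rec["c-ip"], decoded))
    return hits


if __name__ == "__main__":
    for ip, payload in find_help_xss(SAMPLE_LOG):
        print(f"{ip} -> {payload}")
```

Run against a real `%SystemRoot%\System32\LogFiles` export, the `#Fields:` line of the file drives the column mapping, so the script adapts to whichever columns the site logs as long as `c-ip`, `cs-uri-stem` and `cs-uri-query` are among them. Matches identify which clients followed a crafted link, which is the list of users whose SharePoint sessions should be treated as potentially acted upon.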
Microsoft officials did not state when a security update will be ready to address the issue.