Microsoft SharePoint Multiple Vulnerabilities


Description   Multiple vulnerabilities have been reported in Microsoft SharePoint, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting and spoofing attacks.
1) Certain input is not properly sanitised in the "SafeHTML" API before being returned to the user.
For more information see vulnerability #2:
SA49412
2) Certain unspecified input is not properly sanitised in scriptresx.ashx before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
3) An error when validating search scope permissions can be exploited to view or modify another user's search scope.
4) Certain unspecified input associated with a username is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
5) Certain unspecified input associated with a URL is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
6) Certain unspecified input associated with a reflected list parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
     
Vulnerable Products   Vulnerable Software:
Microsoft Office SharePoint Server 2007
Microsoft Office Web Apps
Microsoft SharePoint Foundation 2010
Microsoft SharePoint Server 2010
Microsoft Windows SharePoint Services 2.x
Microsoft Windows SharePoint Services 3.x
     
Solution   Apply patches.
Microsoft Office SharePoint Server 2007 SP2 (coreserver) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=4073d6e1-32f0-44a8-ae55-3c140ebc09d2
Microsoft Office SharePoint Server 2007 SP2 (xlsrvwfe) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=d9091923-67c7-4535-b44c-40a5292a94d9
Microsoft Office SharePoint Server 2007 SP3 (coreserver) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=4073d6e1-32f0-44a8-ae55-3c140ebc09d2
Microsoft Office SharePoint Server 2007 SP3 (xlsrvwfe) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=d9091923-67c7-4535-b44c-40a5292a94d9
Microsoft Office SharePoint Server 2007 SP2 (coreserver) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=b1acb373-0041-4883-8834-90a72ac04c91
Microsoft Office SharePoint Server 2007 SP2 (xlsrvwfe) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=723a5553-8610-49bf-99c0-bd94926bdc0b
Microsoft Office SharePoint Server 2007 SP3 (coreserver) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=b1acb373-0041-4883-8834-90a72ac04c91
Microsoft SharePoint Server 2010 (wosrv): http://www.microsoft.com/downloads/details.aspx?familyid=59cbb3d0-4ba5-4f89-b54c-ae9aa2aa3b41
Microsoft SharePoint Server 2010 (coreserverloc): http://www.microsoft.com/downloads/details.aspx?familyid=8a853489-a3ec-4be2-8093-6a992f9c8368
Microsoft SharePoint Server 2010 SP1 (wosrv): http://www.microsoft.com/downloads/details.aspx?familyid=59cbb3d0-4ba5-4f89-b54c-ae9aa2aa3b41
Microsoft SharePoint Server 2010 SP1 (coreserverloc): http://www.microsoft.com/downloads/details.aspx?familyid=8a853489-a3ec-4be2-8093-6a992f9c8368
Microsoft Windows SharePoint Services 2.0: http://www.microsoft.com/downloads/details.aspx?familyid=7a54f510-0782-44c4-848a-8ef90d332e61
Microsoft Windows SharePoint Services 3.0 SP2 (32-bit version): http://www.microsoft.com/downloads/details.aspx?familyid=61b9f234-3d9c-41d4-854d-30ca5e6fd2a6
Microsoft Windows SharePoint Services 3.0 SP2 (64-bit version): http://www.microsoft.com/downloads/details.aspx?familyid=24265175-635f-4846-afcc-f692d4710707
Microsoft SharePoint Foundation 2010: http://www.microsoft.com/downloads/details.aspx?familyid=4d610646-a0bd-492c-9077-fb2c92588c14
Microsoft SharePoint Foundation 2010 SP1: http://www.microsoft.com/downloads/details.aspx?familyid=4d610646-a0bd-492c-9077-fb2c92588c14
Microsoft Office Web Apps 2010: http://www.microsoft.com/downloads/details.aspx?familyid=f2d1c371-d617-4792-966e-14ae9ed6b8a1
Microsoft Office Web Apps 2010 SP1: http://www.microsoft.com/downloads/details.aspx?familyid=f2d1c371-d617-4792-966e-14ae9ed6b8a1
     
CVE   CVE-2012-1863
CVE-2012-1862
CVE-2012-1861
CVE-2012-1860
CVE-2012-1859
CVE-2012-1858
     
References   MS12-050 (KB2596663, KB2596942, KB2553424, KB2553194, KB2596911, KB2553365, KB2598239, KB2760604):
http://technet.microsoft.com/en-us/security/bulletin/ms12-050
IBM Security Systems Application Security:
http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL | 3.2.0
XSS - Prevention - POST : suspicious tag with event found in data | 3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL | 3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL | 3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 3.2.0
XSS - Prevention - POST : 'location' javascript object found in data | 3.2.0
XSS - Phishing : suspicious 'div' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL | 3.2.0
XSS - Prevention - POST : javascript code found in data | 3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL | 3.2.0
XSS - Prevention - POST : code allowing cookie access found in data | 3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 3.2.0
XSS - Phishing : suspicious 'a' tag found in URL | 3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'form' tag found in URL | 3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 3.2.0
XSS - Prevention - GET : javascript code found in URL | 3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'link' tag found in URL | 3.2.0
XSS - Prevention - GET : 'script' tag found in URL | 3.2.0
XSS - Prevention - POST : 'script' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 5.0.0
XSS - Prevention - POST : javascript code found in data | 5.0.0
XSS - Prevention - POST : suspicious tag with event found in data | 5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 5.0.0
XSS - Prevention - POST : 'location' javascript object found in data | 5.0.0
XSS - Prevention - POST : code allowing cookie access found in data | 5.0.0
XSS - Prevention - POST : 'script' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 5.0.0
Risk level   Low

Vulnerability First Public Report Date   2012-07-10

Target Type   Server

Possible exploit   Remote