Microsoft SharePoint Cross-Site Scripting and Script Insertion Vulnerabilities


Description   Multiple vulnerabilities have been reported in Microsoft SharePoint, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the URL is not properly sanitised within the SharePoint Calendar before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed to the SafeHTML function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
3) Input passed to EditForm.aspx is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
4) Input passed via Contact details is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
5) Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
NOTE: Additionally, a weakness exists when handling certain input, which can be exploited to redirect a client to a malicious web site.
     
Vulnerable Products   Vulnerable Software:
Microsoft Office Forms Server 2007
Microsoft Office Groove 2007
Microsoft Office Groove 2010
Microsoft Office SharePoint Server 2007
Microsoft SharePoint Foundation 2010
Microsoft SharePoint Server 2010
Microsoft Windows SharePoint Services 2.x
Microsoft Windows SharePoint Services 3.x
     
Solution   Apply patches.
Microsoft Office Groove 2007 SP2: http://www.microsoft.com/downloads/details.aspx?familyid=5ea6192b-55e5-4ca4-8d91-cc768ede8277
Microsoft SharePoint Workspace 2010 and Microsoft SharePoint Workspace 2010 SP1 (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=f6ee7e43-9da9-4b96-abd0-390cfcacb885
Microsoft SharePoint Workspace 2010 and Microsoft SharePoint Workspace 2010 SP1 (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=234efac1-4f09-41f5-90a9-4a3c2e81c05e
Microsoft Office Forms Server 2007 SP2 (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=c4c8ad7e-50bd-460e-9678-d8c72c6ee7ab
Microsoft Office Forms Server 2007 SP2 (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=7390b526-f411-45a4-8587-8077b473ac17
Microsoft Office SharePoint Server 2007 SP2 (coreserver) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=ad52c341-13ce-4b53-87b4-269cb3f41275
Microsoft Office SharePoint Server 2007 SP2 (oserver) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=fd6189c9-ab3b-441f-a901-6ac7f3b202aa
Microsoft Office SharePoint Server 2007 SP2 (sserverx) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=d9601fae-4a80-45cd-a49b-ef441856d7e4
Microsoft Office SharePoint Server 2007 SP2 (dlc) (32-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=55b60e2f-ec68-4ccb-803a-5d03add8a1f1
Microsoft Office SharePoint Server 2007 SP2 (coreserver) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=8cbb365a-6568-4e63-8b81-bbddb36c559e
Microsoft Office SharePoint Server 2007 SP2 (oserver) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=b1466366-e2ae-498e-b964-135e034e7348
Microsoft Office SharePoint Server 2007 SP2 (sserverx) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=bb788c8d-8383-4e53-ac05-2a7dd9b83e70
Microsoft Office SharePoint Server 2007 SP2 (dlc) (64-bit editions): http://www.microsoft.com/downloads/details.aspx?familyid=e8e1a5bb-a552-45fe-8e81-e05fbfbb57ee
Microsoft Office SharePoint Server 2010 and Microsoft Office SharePoint Server 2010 SP1 (osrchwfe): http://www.microsoft.com/downloads/details.aspx?familyid=c17eb04d-cbbc-457e-a424-4ee26b7a9654
Microsoft Office SharePoint Server 2010 and Microsoft Office SharePoint Server 2010 SP1 (osrv): http://www.microsoft.com/downloads/details.aspx?familyid=2a80a849-b712-47d4-9def-9395ee54a265
Microsoft Office SharePoint Server 2010 and Microsoft Office SharePoint Server 2010 SP1 (ppsmawfe): http://www.microsoft.com/downloads/details.aspx?familyid=1597f295-02a9-4479-9d52-f18f0e83eaba
Microsoft Office SharePoint Server 2010 and Microsoft Office SharePoint Server 2010 SP1 (dlc): http://www.microsoft.com/downloads/details.aspx?familyid=e6b666a4-a795-441c-9bda-23e2de2e7b05
Microsoft Office SharePoint Server 2010 and Microsoft Office SharePoint Server 2010 SP1 (ppsmamui): http://www.microsoft.com/downloads/details.aspx?familyid=57592ce4-5d99-45c2-830f-380d67af8899
Microsoft Office SharePoint Server 2010 and Microsoft Office SharePoint Server 2010 SP1 (wosrv): http://www.microsoft.com/downloads/details.aspx?familyid=dd64a635-1e55-4b4d-9718-9b94c31c5625
Microsoft Office Groove Data Bridge Server 2007 SP2: http://www.microsoft.com/downloads/details.aspx?familyid=5958247e-204e-409c-bdc1-7aff06e854b8
Microsoft Office Groove Management Server 2007 SP2: http://www.microsoft.com/downloads/details.aspx?familyid=6b5b4caf-6a95-487d-ac17-c4435225af3a
Microsoft Groove Server 2010 and Microsoft Groove Server 2010 SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=71c0f217-5112-4dca-b9aa-46c69f6099e4
Microsoft Windows SharePoint Services 2.0: http://www.microsoft.com/downloads/details.aspx?familyid=71e32745-cb05-4b87-a447-741ccdac7450
Microsoft Windows SharePoint Services 3.0 SP2 (32-bit versions): http://www.microsoft.com/downloads/details.aspx?familyid=0f306cbd-a652-4e77-b394-1a6dc38ba83c
Microsoft Windows SharePoint Services 3.0 SP2 (64-bit versions): http://www.microsoft.com/downloads/details.aspx?familyid=3137e4c6-783d-4461-88bd-90da064e3105
Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Foundation 2010 SP1: http://www.microsoft.com/downloads/details.aspx?familyid=0db799e2-896f-464b-8cd5-ecf2014f0588
Microsoft Office Web Apps 2010 and Microsoft Office Web Apps 2010 SP1: http://www.microsoft.com/downloads/details.aspx?familyid=288a7394-b8d5-4445-bd4c-65bbf4b10eaf
Microsoft Word Web App 2010 and Microsoft Word Web App 2010 SP1: http://www.microsoft.com/downloads/details.aspx?familyid=152ff9f4-d720-41af-8f89-793133ece037
     
CVE   CVE-2011-1893
CVE-2011-1891
CVE-2011-1890
CVE-2011-1252
CVE-2011-0653
     
References   MS11-074 (KB2493987
KB2494001
KB2494007
KB2494022
KB2508964
KB2508965
KB2552998
KB2552999
KB2553001
KB2553002
KB2553003
KB2553005
KB2560885
KB2566449
KB2566450
KB2566456
KB2566954
KB2566958
KB2566960):
http://technet.microsoft.com/en-us/security/bulletin/ms11-074
Seeker Security:
http://www.seekersec.com/Advisories/SeekerAdvMS03.html
http://www.seekersec.com/Advisories/SeekerAdvMS04.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
XSS - Prevention - POST : suspicious tag with event found in data | 3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 3.2.0
XSS - Prevention - POST : 'location' javascript object found in data | 3.2.0
XSS - Prevention - POST : javascript code found in data | 3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 3.2.0
XSS - Prevention - POST : code allowing cookie access found in data | 3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 3.2.0
XSS - Prevention - POST : 'script' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 5.0.0
XSS - Prevention - POST : javascript code found in data | 5.0.0
XSS - Prevention - POST : suspicious tag with event found in data | 5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 5.0.0
XSS - Prevention - POST : 'location' javascript object found in data | 5.0.0
XSS - Prevention - POST : code allowing cookie access found in data | 5.0.0
XSS - Prevention - POST : 'script' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 5.0.0
     
Risk level   Low

Vulnerability First Public Report Date   2011-09-13

Target Type   Server

Possible exploit   Remote