Seeker Advisory Sep11: Reflected Cross Site Scripting in Microso
Seeker Research Center Security Advisory
This vulnerability was discovered by Seeker® Automatic Run-Time Application Security Testing Solution
Disclosed By Irene Abezgauz, September 13th, 2011
===========
I. Overview
===========
A Cross Site Scripting vulnerability has been identified in Microsoft SharePoint 2007. This vulnerability allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.
A friendly formatted version of this advisory is available at: http://www.seekersec.com/Advisories/SeekerAdvMS04.html
===========
II. Details
===========
The Contact Details Tool Pane web part is vulnerable to cross site scripting attacks in the parameter ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData
By manipulating an unsuspecting user into submitting a specially crafted form, an attacker causes the victim to send the malicious script to the vulnerable SharePoint 2007 instance. The malicious script is then reflected back to the user and executed in their browser.
The Contact Details Tool Pane is an out-of-the-box component, accessible from the various locations in SharePoint 2007 in which the Contact Details web part is present. The exploit in this advisory was produced while editing the Report Center.
===========
III. Exploit
===========
Sample exploitation of this vulnerability would be crafting the following request:
POST /Reports/Pages/Default.aspx HTTP/1.1
...
ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=<script>alert("SeekerSec")</script>
The request also contains the other parameters required by the page; the vulnerable parameter is the one noted above.
When a script is simply typed into the input field, the parameter value appears to be encoded on the client side. This encoding is insufficient to prevent attacks, because a script submitted directly to the server (not through the client) never passes through that validation.
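To make that point concrete, here is an added Python model (written for this advisory, not code from Seeker or Microsoft) of the page's behaviour with and without server-side output encoding; the client-side encoding step and the span markup are assumptions, and the request value is the advisory's own sample.

```python
import html

# Vulnerable parameter name from the advisory; the request body is constructed.
PARAM = ("ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde"
         "$peopleEditor$hiddenSpanData")
SAMPLE_VALUE = '<script>alert("SeekerSec")</script>'


def client_side_encode(value: str) -> str:
    """Assumption: the page's own script HTML-escapes the field before submit.
    This only runs when the form is submitted through the browser UI."""
    return html.escape(value, quote=True)


def render_vulnerable(form: dict) -> str:
    """Server reflects the parameter as-is, trusting the client encoding."""
    return f'<span id="hiddenSpanData">{form.get(PARAM, "")}</span>'


def render_fixed(form: dict) -> str:
    """Server HTML-encodes on output regardless of what the client did.
    Do the encoding once, at the output point, on the raw value."""
    return f'<span id="hiddenSpanData">{html.escape(form.get(PARAM, ""), quote=True)}</span>'


def contains_active_script(page: str) -> bool:
    """Crude check used only by this model: an unescaped <script> tag survived."""
    return "<script" in page.lower()


def simulate(direct_post: bool, fixed: bool) -> bool:
    """Returns True if the rendered page still carries an executable script.
    direct_post=True models a request built outside the browser form."""
    value = SAMPLE_VALUE if direct_post else client_side_encode(SAMPLE_VALUE)
    page = render_fixed({PARAM: value}) if fixed else render_vulnerable({PARAM: value})
    return contains_active_script(page)
```

Note that client-encoded input reaching the fixed server gets encoded twice (`&amp;lt;...`), which is harmless but visibly wrong, so the server should treat the raw value as the source of truth rather than relying on the client step at all.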
====================
IV. Affected Systems
====================
Microsoft SharePoint 2007
===========
V. Solution
===========
Microsoft has released a fix for this vulnerability; see http://technet.microsoft.com/security/bulletin/MS11-074 for further information.
==========
VI. Credit
==========
The vulnerability was automatically discovered by Seeker® - New generation application security testing solution, utilizing ground breaking BRITE™ technology (Behavioral Runtime Intelligent Testing Engine).
Further research and publication was performed by Irene Abezgauz, Product Manager, Seeker Security.
For more information please visit www.seekersec.com
-----------------
Irene Abezgauz
Product Manager
Seeker Security
www.seekersec.com
E-Mail: irene@seekersec.com