MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2010
MA-229.042010: MyCERT Advisory - Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege

Date Published: 2010-04-30

1.0 Introduction

Microsoft has released a security advisory (CVE-2010-0817) on a cross-site scripting (XSS) vulnerability in SharePoint Server 2007 and SharePoint Services 3.0 that could allow Elevation of Privilege (EoP) within the SharePoint site.

2.0 Impact

An attacker who successfully exploited this vulnerability could gain the same user rights on the SharePoint site as the targeted user. The attacker could then run commands against the SharePoint server in the context of the targeted user.

3.0 Affected Products

The vulnerable products and versions are listed below:

  • Microsoft Office SharePoint Server 2007 Service Pack 1 and Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions)
  • Microsoft Office SharePoint Server 2007 Service Pack 1 and Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions)
  • Microsoft Windows SharePoint Services 3.0 Service Pack 1 and Microsoft Windows SharePoint Services 3.0 Service Pack 2 (32-bit editions)
  • Microsoft Windows SharePoint Services 3.0 Service Pack 1 and Microsoft Windows SharePoint Services 3.0 Service Pack 2 (64-bit editions)


4.0 Recommendations

4.1    Internet Explorer 8 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 prevents this attack in the Internet Zone. The Internet Explorer 8 XSS Filter, however, is not enabled by default in the Intranet Zone.


4.2    Restrict Access to SharePoint Help.aspx.
An administrator can apply an access control list to SharePoint Help.aspx to ensure that it can no longer be loaded. This effectively prevents exploitation of the vulnerability using this attack vector.

To restrict access to the vulnerable Help.aspx:
      -Run the following commands from a command prompt:



      -How to undo the workaround:


Note: Impact of workaround. This workaround will disable all help functionality from the SharePoint server.
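
The sketch below is an added example, not the commands from the Microsoft advisory or from MyCERT. It shows one way to apply, undo and verify a deny ACL on Help.aspx with PowerShell. The script, its function names and the `$HelpPage` value are assumptions; the path is a placeholder to be replaced with the actual location of Help.aspx on the server.

```powershell
# Added example (not the vendor's commands). Run from an elevated prompt.
# ASSUMPTION: $HelpPage is a placeholder path; point it at the real Help.aspx.
param(
    [ValidateSet('Apply', 'Undo', 'Check')]
    [string]$Action = 'Check',
    [string]$HelpPage = 'C:\PLACEHOLDER\path\to\Help.aspx'
)

# Well-known SID for the Everyone group (locale-independent).
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function New-DenyReadRule {
    # Explicit deny of read/execute for Everyone on the file.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, 'ReadAndExecute', 'Deny')
}

function Test-HelpPageBlocked {
    # True when a deny ACE for Everyone covering read access is present.
    $acl   = Get-Acl -Path $HelpPage
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    [bool]$hit
}

switch ($Action) {
    'Apply' {
        $acl = Get-Acl -Path $HelpPage
        $acl.AddAccessRule((New-DenyReadRule))
        Set-Acl -Path $HelpPage -AclObject $acl
    }
    'Undo' {
        # Removes only the deny rights added above; other ACEs are untouched.
        $acl = Get-Acl -Path $HelpPage
        [void]$acl.RemoveAccessRule((New-DenyReadRule))
        Set-Acl -Path $HelpPage -AclObject $acl
    }
}

# Always report the resulting state so the change can be recorded.
'{0}: read access denied to Everyone = {1}' -f $HelpPage, (Test-HelpPageBlocked)
```

Running the script with `-Action Check` before and after a change confirms whether the workaround is in place on each front-end server.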

More information can be found at Microsoft Security Bulletin webpages:

  • http://www.microsoft.com/technet/security/advisory/983438.mspx

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor. MyCERT can be reached through the following channels:
E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <REPORT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my

5.0 References
  • http://www.microsoft.com/technet/security/advisory/983438.mspx
  • http://blogs.technet.com/msrc/archive/2010/04/29/security-advisory-983438-released.aspx