[Full-disclosure] XEE vulnerabilities in SharePoint (MS11-074) and DotNetNuke


Microsoft recently published MS11-074. The bulletin mainly concerns
SharePoint (2007 and 2010), but CVE-2011-1892 also applies to Office
Groove (client and server), Office Forms Server 2007 and Office Web Apps.

The vulnerability is an "XML External Entity Reference" issue, as described
in CWE-611 [1]. The vulnerable component is the "XML Web Part", and the
following image demonstrates the exploit on a SharePoint 2007 server [2].

DotNetNuke quietly patched a very similar vulnerability in its XML
component this summer (v6.0.0 is OK [3]).

As described in the Microsoft documentation [4], setting
XmlReaderSettings::XmlResolver to NULL is enough to correct this bug.

Simple PoC for SharePoint and DotNetNuke:
-------------------------- XML ---------------------------------
<!DOCTYPE doc [
<!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts">
]>
<doc>&boom;</doc>

-------------------------- XSL ----------------------------------
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:value-of select="doc"/>
</xsl:template>
</xsl:stylesheet>

More details, in French, on my blog: http://goo.gl/hptbj

1: http://cwe.mitre.org/data/definitions/611.html
2: http://www.agarri.fr/docs/shpt-xee.png
3: http://dnnxml.codeplex.com/releases/view/62862
4: http://msdn.microsoft.com/en-us/library/ms172415.aspx

Nicolas Grégoire / Agarri
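
The XmlResolver fix described in the post, as an added example that is not part of the original message or of the SharePoint or DotNetNuke code. It parses the same document once with an XmlUrlResolver and once with a null resolver. The class name, helper name, temporary file and canary string are constructed for illustration, and .NET 4.0 or later is assumed for the DtdProcessing property.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical demo class: compares a resolver-enabled reader with a null-resolver reader.
static class XeeResolverDemo
{
    // Parses xml with DTDs enabled and returns the text content of the root element.
    static string ReadRootText(string xml, XmlResolver resolver)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse, // DTDs stay on so the resolver is the only variable
            XmlResolver = resolver               // null means no external resource is ever fetched
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            try
            {
                reader.MoveToContent();
                return reader.ReadElementContentAsString();
            }
            catch (XmlException e)
            {
                // Report a parser refusal instead of crashing the demo.
                return "[rejected: " + e.Message + "]";
            }
        }
    }

    static void Main()
    {
        // Constructed sample: a local file standing in for data the parser must not disclose.
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "CANARY-constructed-sample");
        string xml = "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" + new Uri(path).AbsoluteUri + "\">]>"
                   + "<doc>&ext;</doc>";
        try
        {
            string withResolver = ReadRootText(xml, new XmlUrlResolver());
            string withoutResolver = ReadRootText(xml, null);
            Console.WriteLine("XmlUrlResolver: canary disclosed = " + withResolver.Contains("CANARY"));
            Console.WriteLine("null resolver : canary disclosed = " + withoutResolver.Contains("CANARY"));
        }
        finally { File.Delete(path); }
    }
}
```

Where the input format needs no DTD at all, setting DtdProcessing to DtdProcessing.Prohibit rejects any document carrying a DOCTYPE.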
