[NT] Vulnerability in Windows SharePoint Allows CSS and Spoofing Attacks (MS05-006)
From: SecuriTeam (support_at_securiteam.com)
Date: 02/09/05
To: list@securiteam.com Date: 9 Feb 2005 18:25:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
------------------------------------------------------------------------
SUMMARY
This is a cross-site scripting and spoofing vulnerability. The cross-site
scripting vulnerability could allow an attacker to convince a user to run
a malicious script. If this malicious script is run, it would execute in
the security context of the user. Attempts to exploit this vulnerability
require user interaction. This vulnerability could allow an attacker
access to any data on the affected systems that was accessible to the
individual user.
It may also be possible for an attacker to exploit this vulnerability to
modify Web browser caches and intermediate proxy server caches, and put
spoofed content in those caches.
DETAILS
Affected Software:
Windows SharePoint Services for Windows Server 2003 - Download the update (KB887981):
<http://www.microsoft.com/downloads/details.aspx?FamilyId=6BB93661-0CE7-46CF-B8BB-55546B58A2F2>
SharePoint Team Services from Microsoft - Download the update (KB890829) or the full-file update (KB890829):
<http://www.microsoft.com/downloads/details.aspx?FamilyId=6BE3F8AD-768E-4BCB-8EB3-AD74B576038C>
Non-Affected Software:
Microsoft Windows Server 2003 for Itanium-based Systems
SharePoint Portal Server 2003 (all versions)
SharePoint Portal Server 2001 (all versions)
SharePoint Team Services Users: Office XP Service Pack 2 for Office XP Web
Components and Office XP Service Pack 3 for SharePoint Team Services are
both vulnerable to this issue. However the security update for Office XP
Service Pack 2 for Office XP Web Components is provided only as part of
the Office XP full-file security update.
CVE Information:
Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0049>
Mitigating factors for cross-site scripting attacks:
* An attacker who successfully exploited the cross-site scripting aspect
of this vulnerability would gain only the same permissions as the user.
Mitigating factors for putting spoofed content in a user's Web browser
cache:
* Clients who have turned on the Do not save encrypted pages to disk
advanced Internet option in Internet Explorer would not be at risk from
any attempts to put spoofed content into the client cache if they accessed
their Web site through the Secure Sockets Layer (SSL) protocol.
Mitigating factors for putting spoofed content in an intermediate proxy
server cache:
* Clients who use SSL-protected connections to access the affected Web
sites would not be vulnerable to attempts to put spoofed content on
intermediate proxy server caches. This is because SSL session data is
encrypted and is not cached on intermediate proxy servers.
* If spoofed content is successfully put in an intermediate proxy server's
cache, it could be difficult for an attacker to predict which users
would be served the spoofed cached content.
* An attacker must be able to log on to the affected Web site to try to
exploit this vulnerability. If you do not allow anonymous access to your
Web site, only authenticated users could try to exploit this
vulnerability.
Frequently Asked Questions:
What is the scope of the vulnerability?
This is a cross-site scripting and spoofing vulnerability. The cross-site
scripting vulnerability could allow an attacker to convince a user to run
a malicious script. If this malicious script is run, it would execute in
the security context of the user. Attempts to exploit this vulnerability
require user interaction. This vulnerability could allow an attacker
access to any data on the affected systems that was accessible to the
individual user.
It may also be possible for an attacker to exploit the vulnerability to
modify Web browser caches and intermediate proxy server caches and to put
spoofed content in those caches.
What causes the vulnerability?
The affected software does not completely validate input that is provided
to an HTML redirection query before it sends this input to the browser.
What is Windows SharePoint Services for Windows Server 2003?
Windows SharePoint Services lets teams create Web sites for information
sharing and document collaboration, benefits that help increase individual
and team productivity. Available as a separate download, Windows
SharePoint Services 2003 is a component of the Windows Server 2003
information worker infrastructure and provides team services and sites to
Microsoft Office System and other desktop programs. It also serves as a
platform for application development. For more information about Windows
SharePoint Services, visit the following
<http://www.microsoft.com/windowsserver2003/techinfo/sharepoint/overview.mspx> Microsoft Web site.
What is SharePoint Team Services from Microsoft?
SharePoint Team Services from Microsoft provides both Web publishing and
collaboration features to make communicating ideas and sharing information
easier. SharePoint Team Services is a superset of Microsoft FrontPage
Server Extensions 2002, and includes all the features that are available
with the server extensions. Additionally, SharePoint Team Services
contains new workgroup features that create a rich environment for Web
publishing and team communication. By using SharePoint Team Services,
administrators can create, author, and administer Web sites that help a
team organize and advance on a project. For more information about
SharePoint Team Services, visit the following
<http://www.microsoft.com/resources/documentation/sts/2001/all/proddocs/en-us/admindoc/owsb01.mspx> Microsoft Web site. FrontPage Server Extensions 2002 are not vulnerable to this issue.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could perform
cross-site scripting attacks, display spoofed responses to users, or
redirect server responses to another user.
How could an attacker exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to
try to exploit this vulnerability. An attacker could exploit the
vulnerability by sending this specially crafted e-mail message to a user
of a server that is running an affected software application. An attacker
could then persuade the user to click a link in the e-mail message.
It may also be possible to exploit the vulnerability to modify Web browser
caches and intermediate proxy server caches and to put spoofed content in
those caches.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the
affected software validates input that is provided to an HTTP redirection
query before it sends this input to the client.
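As an added illustration of the class of check the two answers above describe (not Microsoft's code; the bulletin does not publish the actual fix), the snippet below vets a redirect-target parameter before it is written into the response, so that script-scheme targets and off-site hosts never reach the browser. It assumes, since the bulletin does not spell out the mechanism, that the cache-poisoning path is header injection through control characters in the echoed value; the host name and helper names are constructed.

```python
# Illustration only: validating a redirect target before it is emitted.
# Not SharePoint's own code; models the "validate before sending to the
# client" behaviour the bulletin describes for the update.
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"sharepoint.example.local"}  # constructed sample value


class UnsafeRedirect(ValueError):
    pass


def validate_redirect_target(value: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a safe redirect target or raise UnsafeRedirect.

    Rejects control characters (assumed here to be the route by which an
    echoed value could end the headers and start spoofed, cacheable content),
    non-http(s) schemes such as javascript:, and any host not on the allow
    list, including protocol-relative //host forms.
    """
    # Check for CR/LF and other controls before urlsplit, which strips some.
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        raise UnsafeRedirect("control character in redirect target")
    # Browsers treat backslash as slash, so normalise before parsing.
    value = value.replace("\\", "/")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("", "http", "https"):
        raise UnsafeRedirect(f"scheme {parts.scheme!r} not allowed")
    if parts.netloc and parts.netloc.lower() not in allowed_hosts:
        raise UnsafeRedirect(f"host {parts.netloc!r} not allowed")
    if not parts.netloc and not parts.path.startswith("/"):
        raise UnsafeRedirect("relative target must start with /")
    return urlunsplit(parts)


def is_safe_redirect_target(value: str) -> bool:
    try:
        validate_redirect_target(value)
        return True
    except UnsafeRedirect:
        return False


def redirect_response(target: str, validate: bool = True) -> str:
    """Build a minimal 302 response. validate=False echoes the target
    unchecked (the weak behaviour); validate=True runs the check first."""
    location = validate_redirect_target(target) if validate else target
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"
```

Run `redirect_response("/x\r\nX-Injected: 1", validate=False)` to see the unchecked value split the header block; the same call with the default `validate=True` raises instead.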
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly disclosed when this security bulletin was
originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS05-006.mspx>