Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server 2001

From: Ory Segal (ory.segal_at_sanctuminc.com)
Date: 04/05/04

    Date: Mon, 05 Apr 2004 13:12:41 +0200
    To: BUGTRAQ@SECURITYFOCUS.COM, webappsec@securityfocus.com
    
    

    --[ Security Advisory

    --[ Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server
        2001

    --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
    --[ Release Date: April 5th, 2004
    --[ Product: Microsoft SharePoint Portal Server 2001
    --[ Severity: High
    --[ CVE: CAN-2004-0379

    --[ Description

     From Microsoft's web site: "Microsoft SharePoint Portal Server
    provides an easy way to create Web portals with integrated document
    management services and search capabilities. You can establish a
    central point of access to all your existing key business information
    and applications, as well as share information across file servers,
    databases, public folders, Internet sites, and SharePoint
    Team Services-based Web sites."

    Sanctum inc. has discovered several Cross Site Scripting
    vulnerabilities in three scripts, which are a part of Microsoft
    SharePoint Portal Server 2001.

    These vulnerabilities may lead to theft of cookies associated with the
    domain, or execution of client-side scripts in the user's browser.

    --[ Solution

    Microsoft has addressed these XSS issues in Service Pack 3 of
    Microsoft SharePoint Portal Server, which can be downloaded at:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=15677A92-3470-465F-9F63-E621094103E0&displaylang=en

    --[ Greets

    Happy Passover!

     

