Today we released Security Advisory 983438 informing customers of a cross-site scripting (XSS) vulnerability in SharePoint Server 2007 and SharePoint Services 3.0.  Here we would like to give further technical information about this vulnerability.

What is the attack vector?

The advisory states that the vulnerability could allow Elevation of Privilege (EoP) within the SharePoint site itself. We would like to stress that this EoP is not EoP from normal user to admin user in the workstation or the server environment. Instead, the attacker may execute malicious script under a SharePoint user’s context within his/her Sharepoint session. The most likely attack scenario, then, is that an attacker sends a malicious link to a user who is logged into their Sharepoint server. If the user clicks the link, the javascript created by the attacker and embedded in the link would execute in the context of the user who clicked the link.

Mitigation

Sharepoint uses Http-Only cookies for authentication. HttpOnly cookies are not accessible through script, significantly mitigating the risk of XSS attacks. For more information, please refer to Mitigating Cross-site Scripting With HTTP-only Cookies.

IE8’s XSS filter is enabled by default in the Internet Zone. The IE8 XSS filter catches this class of XSS attacks so users of IE8 are at the reduced risk from this vulnerability.  IE8’s XSS filter is not enabled in the local intranet zone. It can be turned on in the local intranet zone via the following UI.


Or administrators can choose to enable or disable the XSS Filter for any zone via group policy. Please refer to Group Policy and Internet Explorer 8 for more details.

Workaround

We recommend a server-side workaround to ACL down the file help.aspx. If you enable this workaround, you will be unable to view Help content within your Sharepoint site. For users who implement the server-side mitigation, help content in English is available here as an alternative to SharePoint-provided help:

http://office.microsoft.com/en-us/sharepointserver/FX101211721033.aspx

Jonathan Ness, David Ross, and Chengyun Chu, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*