
Wednesday, October 10, 2007

[NT] Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Elevation of Privilege (MS07-059)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint
Server 2007 Elevation of Privilege (MS07-059)
------------------------------------------------------------------------


SUMMARY

The vulnerability could allow an attacker to run arbitrary script that
could result in elevation of privilege within the SharePoint site, as
opposed to elevation of privilege within the workstation or server
environment.

The vulnerability could also allow an attacker to run arbitrary script to
modify a user's cache, resulting in information disclosure at the
workstation.

DETAILS

Affected Software:
* Windows Server 2003
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition
* Windows Server 2003 x64 Edition Service Pack 2
* Microsoft Office SharePoint Server 2007
* Microsoft Office SharePoint Server 2007 x64 Edition

SharePoint Scripting Vulnerability:
This is a scripting vulnerability in Microsoft Windows SharePoint Services
3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could
allow an attacker to run arbitrary script that can result in elevation of
privilege within the SharePoint site, as opposed to elevation of privilege
within the workstation or server environment. The vulnerability could also
allow an attacker to run arbitrary script to modify a user's cache,
resulting in information disclosure at the workstation. However, user
interaction is required to exploit this vulnerability.

To view this vulnerability as a standard entry in the Common
Vulnerabilities and Exposures list, see
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2581>
CVE-2007-2581.

Mitigating Factors for SharePoint Scripting Vulnerability:
Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the severity
of exploitation of a vulnerability. The following mitigating factors may
be helpful in your situation:

* In a Web-based attack scenario, Web sites that accept or host
user-provided content, or compromised Web sites and advertisement servers
could contain specially crafted content that could exploit this
vulnerability. In all cases, however, an attacker would have no way to
force users to visit these Web sites. Instead, an attacker would have to
persuade users to visit the Web site, typically by getting them to click a
link in an e-mail message or Instant Messenger message that contains a
specially-crafted URL with embedded Javascript.

* In the information disclosure scenario, clients that have the advanced
Internet option, Do not save encrypted pages to disk, turned on in
Internet Explorer would not be at risk from any attempts to put spoofed
content into the client cache if the clients accessed SharePoint site
through the Secure Sockets Layer (SSL) protocol.

FAQ for SharePoint Scripting Vulnerability:
What is the scope of the vulnerability?
This is a scripting vulnerability in Microsoft Windows SharePoint Services
3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could
allow an attacker to run arbitrary script that can result in elevation of
privilege within the SharePoint site, as opposed to elevation of privilege
within the workstation or server environment. The vulnerability could also
allow an attacker to run arbitrary script to modify a user's cache,
resulting in information disclosure at the workstation. However, user
interaction is required to exploit this vulnerability.

What causes the vulnerability?
Both Microsoft Windows SharePoint Services 3.0 and Microsoft Office
SharePoint Server 2007 do not sufficiently validate URL-encoded requests
to ensure that the requests do not contain script code.

What are SharePoint Services?
Windows SharePoint Services, a technology in Windows Server 2003, provides
a platform for collaboration applications, offering a common framework for
document management and a common repository for storing documents of all
types. It exposes key Windows Server services like Windows Workflow
Services and Windows Rights Management Services. Office SharePoint Server
2007 is an integrated suite of server capabilities built on top of Windows
SharePoint Services.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the
same user rights on the SharePoint site as the logged-on user. Users whose
accounts are configured to have fewer user rights on the SharePoint site
could be less impacted than users who operate with administrative user
rights on the SharePoint site.

An attacker could also run arbitrary script to modify a user's cache by
displaying spoofed responses to users, or by redirecting server responses
to the attacker. This results in information disclosure at the
workstation.

How could an attacker exploit the vulnerability?
In the elevation of privilege scenario, an attacker could convince a user
to click a specially crafted link, in an e-mail message or in a Web site,
that contained script. Once the user clicks the link, the browser would
run the script to elevate the attacker to the same privilege or higher as
the logged-on user on the SharePoint site.

In the spoofing scenario, an attacker could also create a specially
crafted link to redirect the user to another specially crafted Web site,
or to capture confidential information within the browser cache.

What systems are primarily at risk from the vulnerability?
Systems that are running Microsoft Windows SharePoint Services 3.0 and
Microsoft Office SharePoint Server 2007 are primarily at risk of attacks
resulting in elevation of privilege. Workstations where users are
accessing a vulnerable SharePoint site are at risk of attacks resulting in
information disclosure.

What does the update do?
The security update addresses the vulnerability by modifying the way that
Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint
Server 2007 validate URL-encoded requests.
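The root cause stated above (URL-encoded requests not sufficiently validated for script code) and the fix (changing how URL-encoded requests are validated) describe a classic pattern: a check applied to the request as received misses markup that is still percent-encoded, and the page then reflects the decoded value into HTML. The following Python example is added here for illustration and is not code from Microsoft, SharePoint, or the SecuriTeam advisory. It shows a naive check on the raw query beside a hardened one that canonicalises (fully percent-decodes) first, output-encodes the decoded value before it reaches HTML, and runs the same canonicalisation over a few constructed IIS-style log lines so a defender can spot encoded script markers in request logs. The parameter name `title`, the page paths, and the log lines are hypothetical and constructed for the example.

```python
"""Validation of URL-encoded input: naive vs. canonicalised, plus log review.

Added example, not SharePoint or Microsoft code. All names and sample data
below are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markers a request filter might look for. Note "on\w+\s*=" can false-positive
# on ordinary parameter names (e.g. "Mondays="), so treat hits as review items.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def fully_unquote(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    input (%253C -> %3C -> <) is seen in its final form. The bound keeps a
    pathological input from spinning the loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def naive_filter_blocks(raw_query: str) -> bool:
    """The flawed pattern: inspect the query string exactly as received.
    Encoded markup such as %3Cscript%3E never matches."""
    return bool(SCRIPT_MARKERS.search(raw_query))


def hardened_filter_blocks(raw_query: str) -> bool:
    """Canonicalise first, then inspect the decoded form."""
    return bool(SCRIPT_MARKERS.search(fully_unquote(raw_query)))


def title_from_url(url: str) -> str:
    """Extract the hypothetical 'title' parameter and fully decode it.
    parse_qs already decodes one layer; fully_unquote handles the rest."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = params.get("title", [""])[0]
    return fully_unquote(raw)


def render_unsafe(title: str) -> str:
    """The bug class: a decoded value reflected into HTML with no encoding."""
    return f"<h1>{title}</h1>"


def render_safe(title: str) -> str:
    """Output encoding turns any markup in the value into inert text, which
    holds regardless of how the value was encoded on the way in."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


# Constructed IIS W3C-style lines: date time s-ip method uri-stem uri-query
# port user c-ip user-agent status. Only the third line carries an encoded
# script marker, and it is double-encoded so a raw-string check misses it.
LOG_LINES = [
    "2007-10-10 12:00:01 10.0.0.5 GET /_layouts/viewlsts.aspx BaseType=0 80 - 10.0.0.9 Mozilla/4.0 200",
    "2007-10-10 12:00:02 10.0.0.5 GET /Lists/Announcements/AllItems.aspx View=%7B1234%7D 80 - 10.0.0.9 Mozilla/4.0 200",
    "2007-10-10 12:00:03 10.0.0.5 GET /_layouts/page.aspx title=%253Cscript%253E 80 - 10.0.0.77 Mozilla/4.0 200",
]


def scan_log(lines):
    """Return (line_number, uri_stem, decoded_query) for requests whose
    canonicalised query contains a script marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than guess
        decoded_query = fully_unquote(fields[5])
        if SCRIPT_MARKERS.search(decoded_query):
            hits.append((number, fields[4], decoded_query))
    return hits


if __name__ == "__main__":
    encoded = "title=%3Cscript%3E"
    print("naive filter blocks:   ", naive_filter_blocks(encoded))
    print("hardened filter blocks:", hardened_filter_blocks(encoded))
    value = title_from_url("/_layouts/page.aspx?title=%253Cb%253Ehi%253C%252Fb%253E")
    print("unsafe render:", render_unsafe(value))
    print("safe render:  ", render_safe(value))
    for hit in scan_log(LOG_LINES):
        print("log review item:", hit)
```

The design point is that input filtering on the raw request is a weak primary control: encoding layers, and later bypass variants, keep it in a losing race. Canonicalise before any check, and rely on output encoding at the point the value enters HTML as the control that holds. The log scan applies the same canonicalisation so that review of existing request logs sees what the server would have decoded, not the bytes on the wire.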

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerabilities and Exposures number CVE-2007-2581.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security Bulletin MS07-059.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-059.mspx>


========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
