[NT] Vulnerability in Windows SharePoint Allows CSS and Spoofing Attacks

Subject: [NT] Vulnerability in Windows SharePoint Allows CSS and Spoofing Attacks (MS05-006)
Date: 9 Feb 2005 18:25:52 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Vulnerability in Windows SharePoint Allows CSS and Spoofing Attacks 
(MS05-006)
------------------------------------------------------------------------


SUMMARY

This is a cross-site scripting and spoofing vulnerability. The cross-site 
scripting vulnerability could allow an attacker to convince a user to run 
a malicious script. If this malicious script is run, it would execute in 
the security context of the user. Attempts to exploit this vulnerability 
require user interaction. This vulnerability could allow an attacker 
access to any data on the affected systems that was accessible to the 
individual user.

It may also be possible for an attacker to exploit this vulnerability to 
modify Web browser caches and intermediate proxy server caches, and put 
spoofed content in those caches.

DETAILS

Affected Software:
 * Windows SharePoint Services for Windows Server 2003 - Download the update (KB887981):
   <http://www.microsoft.com/downloads/details.aspx?FamilyId=6BB93661-0CE7-46CF-B8BB-55546B58A2F2>
 * SharePoint Team Services from Microsoft - Download the update (KB890829):
   <http://www.microsoft.com/downloads/details.aspx?FamilyId=6BE3F8AD-768E-4BCB-8EB3-AD74B576038C>
   Download the full-file update (KB890829):
   <http://www.microsoft.com/downloads/details.aspx?FamilyId=6BE3F8AD-768E-4BCB-8EB3-AD74B576038C>

Non-Affected Software:
Microsoft Windows Server 2003 for Itanium-based Systems
SharePoint Portal Server 2003 (all versions)
SharePoint Portal Server 2001 (all versions)

SharePoint Team Services Users: Office XP Service Pack 2 for Office XP Web 
Components and Office XP Service Pack 3 for SharePoint Team Services are 
both vulnerable to this issue. However the security update for Office XP 
Service Pack 2 for Office XP Web Components is provided only as part of 
the Office XP full-file security update.

CVE Information:
Cross-site Scripting and Spoofing Vulnerability -  
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0049> 
CAN-2005-0049

Mitigating factors for cross-site scripting attacks:
 * An attacker who successfully exploited the cross-site scripting aspect 
of this vulnerability would gain only the same permissions as the user.

Mitigating factors for putting spoofed content in a user's Web browser 
cache:
 * Clients who have turned on the Do not save encrypted pages to disk 
advanced Internet option in Internet Explorer would not be at risk from 
any attempts to put spoofed content into the client cache if they accessed 
their Web site through the Secure Sockets Layer (SSL) protocol.

Mitigating factors for putting spoofed content in an intermediate proxy 
server cache 
 * Clients who use SSL-protected connections to access the affected Web 
sites would not be vulnerable to attempts to put spoofed content on 
intermediate proxy server caches. This is because SSL session data is 
encrypted and is not cached on intermediate proxy servers.
 * If spoofed content is successfully put in an intermediate proxy 
server's cache, it could be difficult for an attacker to predict which users 
would be served the spoofed cached content.
 * An attacker must be able to log on the affected Web site to try to 
exploit this vulnerability. If you do not allow anonymous access to your 
Web site, only authenticated users could try to exploit this 
vulnerability.

Frequently Asked Questions:
What is the scope of the vulnerability?
This is a cross-site scripting and spoofing vulnerability. The cross-site 
scripting vulnerability could allow an attacker to convince a user to run 
a malicious script. If this malicious script is run, it would execute in 
the security context of the user. Attempts to exploit this vulnerability 
require user interaction. This vulnerability could allow an attacker 
access to any data on the affected systems that was accessible to the 
individual user.

It may also be possible for an attacker to exploit the vulnerability to 
modify Web browser caches and intermediate proxy server caches and to put 
spoofed content in those caches.

What causes the vulnerability?
The affected software does not completely validate input that is provided 
to an HTML redirection query before it sends this input to the browser.

What is Windows SharePoint Services for Windows Server 2003?
Windows SharePoint Services lets teams create Web sites for information 
sharing and document collaboration, benefits that help increase individual 
and team productivity. Available as a separate download, Windows 
SharePoint Services 2003 is a component of the Windows Server 2003 
information worker infrastructure and provides team services and sites to 
Microsoft Office System and other desktop programs. It also serves as a 
platform for application development. For more information about Windows 
SharePoint Services, visit the following  
<http://www.microsoft.com/windowsserver2003/techinfo/sharepoint/overview.mspx> 
Microsoft Web site.

What is SharePoint Team Services from Microsoft?
SharePoint Team Services from Microsoft provides both Web publishing and 
collaboration features to make communicating ideas and sharing information 
easier. SharePoint Team Services is a superset of Microsoft FrontPage 
Server Extensions 2002, and includes all the features that are available 
with the server extensions. Additionally, SharePoint Team Services 
contains new workgroup features that create a rich environment for Web 
publishing and team communication. By using SharePoint Team Services, 
administrators can create, author, and administer Web sites that help a 
team organize and advance on a project. For more information about 
SharePoint Team Services, visit the following  
<http://www.microsoft.com/resources/documentation/sts/2001/all/proddocs/en-us/admindoc/owsb01.mspx>
 Microsoft Web site. FrontPage Server Extensions 2002 are not vulnerable to 
this issue.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could perform 
cross-site scripting attacks, display spoofed responses to users, or 
redirect server responses to another user.

How could an attacker exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to 
try to exploit this vulnerability. An attacker could exploit the 
vulnerability by sending this specially crafted e-mail message to a user 
of a server that is running an affected software application. An attacker 
could then persuade the user to click a link in the e-mail message.

It may also be possible to exploit the vulnerability to modify Web browser 
caches and intermediate proxy server caches and to put spoofed content in 
those caches.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the 
Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the 
affected software validates input that is provided to an HTTP redirection 
query before it sends this input to the client.
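The two answers above ("What causes the vulnerability?" and "What does the update do?") describe the same defect from both sides: a redirection query parameter is passed to the client without complete validation, and the fix is to validate it first. The example below is added here to illustrate that pattern in general; it is not Microsoft's or SharePoint's code, and the host name, the parameter handling and the response layout are assumptions. It shows an unvalidated "before" handler beside a hardened "after" handler that accepts only same-site targets built from legal URL characters, which rules out script-scheme URLs, other hosts, and the control characters and markup that make reflected script and spoofed responses possible.

```python
import html
import string
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not SharePoint or Microsoft code. It models the bulletin's
# root cause: a redirection query parameter echoed to the client without
# validation. The host name below is an assumption for the example.
SITE_HOST = "sharepoint.example.test"

# Characters RFC 3986 permits in a URL; anything else (quotes, <, >, space,
# backslash, CR/LF and other control characters) is treated as invalid input.
_URL_CHARS = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")


def vulnerable_redirect_page(target: str) -> str:
    """'Before' pattern: the parameter goes into a header and into HTML untouched."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "\r\n"
        f"<html><body>Redirecting to <a href=\"{target}\">{target}</a></body></html>"
    )


def validate_redirect_target(target: str) -> Optional[str]:
    """Return the target if it is a same-site URL made of legal URL characters, else None."""
    if not target or any(ch not in _URL_CHARS for ch in target):
        # Rejects CR/LF (header injection), quotes and angle brackets (markup
        # injection), backslashes and whitespace before any URL parsing happens.
        return None
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path only. urlsplit puts "//host/..." into netloc,
        # so scheme-relative redirects to other hosts never reach this branch.
        if not parts.path.startswith("/"):
            return None
        return urlunsplit(parts)
    if parts.scheme == "https" and parts.netloc.lower() == SITE_HOST:
        # Absolute URL back to this site over SSL; netloc must match exactly,
        # so "https://site@other.example/" (userinfo trick) is rejected too.
        return urlunsplit(parts)
    return None  # javascript:, data:, http:, foreign hosts


def safe_redirect_page(target: str) -> str:
    """'After' pattern: validate first, fall back to the site root, escape on output."""
    dest = validate_redirect_target(target) or "/"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "\r\n"
        f"<html><body>Redirecting to <a href=\"{html.escape(dest, quote=True)}\">"
        f"{html.escape(dest)}</a></body></html>"
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path, then the shapes the
    # validator is meant to refuse.
    for sample in ["/sites/team/default.aspx",
                   "//evil.example/phish",
                   "javascript:alert(1)",
                   "/default.aspx\r\nX-Injected: 1",
                   "https://sharepoint.example.test/sites/a"]:
        print(repr(sample), "->", validate_redirect_target(sample))
```

The character allowlist runs before URL parsing on purpose: parsers normalise and tolerate a lot, so a CR/LF or a quote that survives parsing would still reach the Location header or the page body. Escaping on output remains in place even though the validator already refuses markup, so that the two controls do not depend on each other.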

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly disclosed when this security bulletin was 
originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS05-006.mspx>


