Microsoft warns of serious SharePoint cross-site scripting zero-day

A cross-site scripting (XSS) flaw in SharePoint Server 2007 and SharePoint Services 3.0 could allow elevation of privilege within the SharePoint site itself, Microsoft said.

Microsoft issued a security advisory late Thursday, warning SharePoint users of a new SharePoint zero-day vulnerability that could allow elevation of privilege.

Jerry Bryant, Microsoft's group manager of response communications, said the software giant was unaware of any active attacks attempting to exploit the flaw. The cross-site scripting (XSS) vulnerability affects SharePoint Server 2007 and SharePoint Services 3.0. The vulnerability can be exploited in a browser-based attack.

The Microsoft advisory includes a workaround to mitigate against the threat. Microsoft said users can restrict access by adding an access control list to SharePoint Help.aspx XML files. The workaround will, however, disable all help functionality from the SharePoint server, Microsoft said.

Servers are at reduced risk from Internet Explorer 8 clients, Microsoft said. IE 8 includes an XSS filter in the Internet zone that can block an attack.

According to an advisory issued by High-Tech Bridge SA, a security firm based in Switzerland, the SharePoint vulnerability could enable an attacker to execute JavaScript code within the vulnerable application. The firm said that it notified Microsoft of the vulnerability on April 12.

"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," the firm warned.

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close