Microsoft warns of serious SharePoint cross-site scripting zero-day


Microsoft warns of serious SharePoint cross-site scripting zero-day

Robert Westervelt, News Editor,

Microsoft issued a security advisory late Thursday, warning SharePoint users of a new SharePoint zero-day vulnerability that could allow elevation of privilege.

Jerry Bryant, Microsoft's group manager of response communications,

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

said the software giant was unaware of any active attacks attempting to exploit the flaw. The cross-site scripting (XSS) vulnerability affects SharePoint Server 2007 and SharePoint Services 3.0. Proof-of-concept code is publicly available. The vulnerability can be exploited in a browser-based attack.

The Microsoft advisory includes a workaround to mitigate against the threat. Microsoft said users can restrict access by adding an access control list to SharePoint Help.aspx XML files. The workaround will, however, disable all help functionality from the SharePoint server, Microsoft said.

Servers are at reduced risk from Internet Explorer 8 clients, Microsoft said. IE 8 includes an XSS filter in the Internet zone that can block an attack.

According to an advisory issued by High-Tech Bridge SA, a security firm based in Switzerland, the SharePoint vulnerability could enable an attacker to execute JavaScript code within the vulnerable application. The firm said that it notified Microsoft of the vulnerability on April 12.

"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," the firm warned.