Microsoft SharePoint XML File Disclosure

September 23, 2011

Microsoft SharePoint Server is an ASP.NET product intended for collaboration, file sharing, web publishing and other social networking functions. The server runs on the Microsoft IIS web server. SharePoint farms host web sites, intranets, extranets, as well as provide a framework for web application development. SharePoint also allows creation of ASP.NET controls known as Web Parts or Web Widgets to enhance the functionality of a particular SharePoint page. These controls allow end users to modify various aspects of the web page from their web browser. One of these widgets included in the SharePoint package is the XML Viewer. The XML Viewer has the ability to display and apply XSLT to XML documents. An example SharePoint page is shown which can be added to an XML Viewer widget:



XML defines entities which are symbolic representations of a block of information. Entities can be either external or internal. Internal entities are defined and used inside the XML file. External entities exist in an external source like a file and require the SYSTEM identifier in order to be imported and used. An example of an external entity definition is shown:


In the above example, the external resource identifier is a URI. Most of the time, it is simply a file name.

An information disclosure vulnerability exists in Microsoft SharePoint. It is due to an error while parsing XML files which use external entities. The vulnerable code allows a user to specify an arbitrary file and path of the external resource. This can allow a user to create an XML Viewer Web Part which discloses the contents of arbitrary files within the SharePoint server scope. In order to exploit this flaw, an attacker must first be successfully authenticated by the target SharePoint server.
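To make the entity mechanism described above and the check a defender would want in front of any XML-rendering component concrete, here is an added example (written for this page, not code from the advisory, from SonicWALL or from SharePoint). It uses Python's standard-library expat bindings to record every external entity declared in a document's DTD and to refuse to open the referenced resource, so a document like the one the flaw relies on is rejected before any file is read. The sample documents and the file path in them are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed samples: one harmless internal entity, one external entity
# pointing at a placeholder path (the pattern the advisory describes).
SAFE_DOC = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet;</r>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY f SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
           b'<r>&f;</r>')


def scan_entities(doc: bytes):
    """Parse a document with expat while refusing to fetch anything external.

    Returns (external_entities, character_data): external_entities lists
    (name, system_id) for every entity declared with SYSTEM/PUBLIC in the
    DTD; character_data is the text content that was actually produced.
    """
    external = []
    text = []
    parser = expat.ParserCreate()

    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        # expat passes value=None exactly when the entity is external,
        # i.e. declared with a SYSTEM or PUBLIC identifier.
        if value is None:
            external.append((name, system_id))

    def external_ref(context, base, system_id, public_id):
        # Returning 0 tells expat the reference could not be handled;
        # the parse aborts and the referenced resource is never opened.
        return 0

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(doc, True)
    except expat.ExpatError:
        # Raised when our refusal aborts the parse; the declarations
        # were already recorded by entity_decl before that point.
        pass
    return external, "".join(text)


def accept_document(doc: bytes) -> bool:
    """Policy check: accept only documents that declare no external entity."""
    external, _ = scan_entities(doc)
    return not external


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("external", XXE_DOC)):
        ext, txt = scan_entities(doc)
        print(label, "accepted" if accept_document(doc) else "rejected",
              "external entities:", ext, "text:", repr(txt))
```

The check deliberately keys on the declaration rather than on the reference: an entity declared with SYSTEM is refused whether or not the body ever uses it, which is the same conservative stance an IPS signature for this flaw takes. Internal entities still expand normally, so ordinary documents are unaffected.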

SonicWALL has released two IPS signatures to address this vulnerability. The signatures detect and block generic attack attempts targeting this flaw.

  • 1856 - SharePoint Remote File Disclosure 1
  • 1003 - SharePoint Remote File Disclosure 2

The vulnerability has been assigned CVE-2011-1892 by MITRE.
The vendor has released an advisory (MS11-074) addressing this issue.