Microsoft Windows SharePoint Services XSS

May 5, 2010

Microsoft Windows SharePoint Services (WSS) is a free add-on to Microsoft Windows Server 2003/2008; it is the core of several of Microsoft's commercial portal technologies, such as the Office SharePoint Server. WSS is based on IIS and ASP.NET technologies; it provides a basic portal infrastructure, collaborative editing of documents, document organization, and version control capabilities. Clients normally use a web browser to access the SharePoint portal.

WSS comes with several administrative functions; one of them is the Help interface, which provides access to on-line documentation and manuals. The search functionality is handled by help.aspx. When a query request for an on-line help page arrives, help.aspx calls the ProcessQueryString() function, which reads all available cid parameters in the request.

A cross-site scripting vulnerability exists in Microsoft Windows SharePoint Services. Specifically, the vulnerability is due to insufficient validation of request parameters: a URL-encoded string terminator (%00, a null byte) within a cid parameter value allows a malicious cid value to bypass a sanity check. Below is an example of a malicious URL:

When a user submits a request with a cid parameter that contains %00, the full cid value, including the script code, is rendered into the response page. An attacker could exploit this vulnerability by embedding malicious script code in a URL and enticing the target user to open the URL in a browser. Successful exploitation would allow the attacker to gain access to the target user's sensitive information, such as cookies associated with the site.
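The following is an added example, not SharePoint's code, that models the flaw described above: a sanity check that validates the cid value only up to the first null byte (C-string semantics) while the page still echoes the whole value. The cid pattern, the cid values and the rendering functions are constructed assumptions for illustration; the hardened variant validates the entire decoded value and HTML-encodes it on output.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed shape of a legitimate help topic id; SharePoint's real rule is not on the page.
CID_PATTERN = re.compile(r"^[A-Za-z0-9_.-]+$")


def cid_is_valid_truncating(cid: str) -> bool:
    """Hypothetical flawed check: inspects only the text before the first NUL,
    the way a strlen()-based validator would, so anything after %00 is never seen."""
    head = cid.split("\x00", 1)[0]
    return bool(CID_PATTERN.fullmatch(head))


def cid_is_valid(cid: str) -> bool:
    """Hardened check: the whole decoded value must match; a NUL byte fails it."""
    return bool(CID_PATTERN.fullmatch(cid))


def render_vulnerable(query: str) -> str:
    """Model of the vulnerable page: truncating check, then the raw value is echoed."""
    cids = parse_qs(query, keep_blank_values=True).get("cid", [])
    accepted = [c for c in cids if cid_is_valid_truncating(c)]
    return "<p>Help topics: " + ", ".join(accepted) + "</p>"


def render_hardened(query: str) -> str:
    """Fixed page: full-value validation plus HTML encoding of anything rendered."""
    cids = parse_qs(query, keep_blank_values=True).get("cid", [])
    accepted = [c for c in cids if cid_is_valid(c)]
    return "<p>Help topics: " + ", ".join(html.escape(c, quote=True) for c in accepted) + "</p>"


if __name__ == "__main__":
    # Constructed query strings: a benign topic id and one with %00 followed by a harmless tag.
    benign = "cid=MS.WSS.HELP"
    tampered = "cid=MS.WSS.HELP%00%3Ci%3Einjected%3C/i%3E"
    print(render_vulnerable(tampered))   # the <i> tag survives into the HTML
    print(render_hardened(tampered))     # the value is rejected outright
    print(render_hardened(benign))
```

parse_qs() decodes %00 to a real NUL byte, which is exactly what the truncating validator silently drops; the fix is to validate the complete decoded value and to encode on output regardless of validation.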

Microsoft has released Security Advisory 983438 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0817.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5224 MS SharePoint Server help.aspx XSS Attempt
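As an added example of the same detection idea applied to web-server logs (not SonicWALL's signature logic), the function below flags requests to help.aspx whose decoded cid value contains a null byte. The log lines are constructed in a simplified IIS W3C-style layout, and the /_layouts/ path is an assumption; only the file name help.aspx is taken from the advisory.

```python
from urllib.parse import parse_qs

# Constructed sample log, simplified W3C fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2010-05-05 10:01:02 192.0.2.10 GET /_layouts/help.aspx cid=MS.WSS.HELP 200
2010-05-05 10:01:09 192.0.2.10 GET /_layouts/help.aspx cid=MS.WSS.HELP%00%3Ci%3Ex%3C/i%3E 200
2010-05-05 10:02:15 192.0.2.11 GET /default.aspx - 200
2010-05-05 10:03:30 192.0.2.12 GET /_layouts/help.aspx cid=MS.WSS.HELP&cid=MS.WSS.NAV%00 200
2010-05-05 10:04:41 192.0.2.13 GET /other.aspx cid=abc%00 200
"""


def find_null_byte_cid(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, offending_cid) for every help.aspx request carrying
    a cid value that decodes to something containing a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip header/comment or malformed lines
        _date, _time, client_ip, _method, stem, query, _status = fields
        # The signature is specific to help.aspx; other pages are out of scope.
        if stem.rsplit("/", 1)[-1].lower() != "help.aspx" or query == "-":
            continue
        # parse_qs decodes %00 to "\x00", so the check runs on the decoded value.
        for cid in parse_qs(query, keep_blank_values=True).get("cid", []):
            if "\x00" in cid:
                hits.append((client_ip, cid))
    return hits


if __name__ == "__main__":
    for ip, cid in find_null_byte_cid(SAMPLE_LOG):
        print(f"{ip} sent help.aspx cid containing NUL: {cid!r}")
```

Checking the decoded value rather than the raw query string keeps the match independent of how the null byte was encoded in the URL, and scoping it to help.aspx keeps the false-positive rate low for other pages that legitimately accept a cid parameter.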