Forum Discussion
Sven Engel (Copper Contributor)
Aug 10, 2017
Found Stored Cross Site Scripting (XSS) vulnerability in SharePoint 2013
Hi @all,
having penetrated our local SP 2013 farm we now have to deal with a Stored Cross Site Scripting Vulnerability which was found by the pentesters.
What they did:
Creating a new task element or every other list element, it was possible to paste Script Code into the input field of the tasks title for example. (Same approach like SQL Injection works) After finishing the creation of the task, only viewing the task was necessary to run an XSS attack.
Does anybody here know a solution or an official comment of Microsoft concerning that attack vector for SharePoint in general? Our management and security departments expect something like:
"this vulnerability is fixed with CU xyz" or something similar...
I hope Microsoft knows this vulnerability and is doing further steps to close that issue.
Best regards,
Sven Engel
- MichaelHolste
Microsoft
Microsoft has reproduced the issue and is working on a fix.
During our initial review of this thread we were able to identify a workaround to prevent this issue.
- Open the “List Settings” page off of the task list associated with the “Project Summary” webpart.
- Open the “Advanced settings” option from the “List settings” page.
- Change the setting of the “Launch forms in a dialog?” option to “No”.
Thanks,
SharePoint Team
- Marco Pirzer (Copper Contributor)
Hi guys,
I am a colleague of Sven and will give you some additional input.
The site on which we can reproduce the XSS was setup with a project site template. On the homepage we are displaying the Project Summary Webpart.
In the tasks we have created one entry with following details:
Name: pentest11<script>alert(document.cookie)</script>
Start date: <at least today, as it needs to show up on the Project Summary webpart>
End date: <any date>
Saving the entry and browsing in the task list doesn't seem to execute the javascript snippet. But once going back to the site homepage where the Project Summary webpart is displayed we see a pop up showing cookie details.
The javascript will not be executed when this particular task has no start date so it will not show up in the webpart.
We tried this with IE and Chrome with same results.
Our farm patch status is:
CU: June 2017
Security Patches: July 2017
Best regards, Marco
- Marco Pirzer (Copper Contributor)
Hi Trevor,
thanks for your input.
We have done several tests and found the root cause for this behavior (at least in our environment). Would be great if you could try this also on your end just to see if you are affected as well.
Our sites are provisioned via powershell and the task list is also generated via powershell. We recognized that when deleting an existing task list and recreating a task list with the same name over the GUI the issue is gone. So we checked our powershell script which contains following commands:
#Create Tasks
$LibTemp = [Microsoft.SharePoint.SPListTemplateType]::TasksWithTimelineAndHierarchy
$web.Lists.Add("Tasks", "", $LibTemp)
$list5 = $web.Lists["Tasks"]
$list5.OnQuickLaunch = $TRUE
$list5.EnableAssignToEmail = $TRUE
$list5.NavigateForFormsPages = $FALSE
$list5.Update()
So we went through each setting and identified the "NavigateForFormsPages" setting to be the root cause. So actually the "Launch dialogs in forms" trigger in the task list setting is causing the XSS on our end. When disabling this setting either via powershell or the GUI everything is fine and no XSS is possible. Of course XSS is only happening when tasks appear in the Project Summary webpart.
So it would be interesting if you can reproduce this in your farm and could give some feedback.
Thank you guys!
Best regards, Marco
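Added example, not posted by anyone in this thread: a farm-wide audit for the setting identified above, which reports every task list that still launches forms in a dialog and, with the switch, applies the "No" workaround. The `-Fix` switch is a hypothetical name, and treating every Tasks list as a candidate for the Project Summary webpart is an assumption.

```powershell
# Added example, not from the thread. Run in the SharePoint 2013 Management
# Shell with farm administrator rights. Without -Fix it only reports.
param(
    [switch]$Fix   # hypothetical switch name: apply the workaround when set
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: both task templates can feed the Project Summary webpart.
$taskTemplates = @(
    [Microsoft.SharePoint.SPListTemplateType]::Tasks,
    [Microsoft.SharePoint.SPListTemplateType]::TasksWithTimelineAndHierarchy
)

$findings = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Copy to an array so Update() cannot invalidate the enumeration.
                foreach ($list in @($web.Lists)) {
                    if ($taskTemplates -notcontains $list.BaseTemplate) { continue }
                    # $false corresponds to "Launch forms in a dialog?" = Yes.
                    if ($list.NavigateForFormsPages) { continue }

                    if ($Fix) {
                        # Same effect as choosing "No" under Advanced settings.
                        $list.NavigateForFormsPages = $true
                        $list.Update()
                    }
                    [pscustomobject]@{
                        Web   = $web.Url
                        List  = $list.Title
                        Fixed = [bool]$Fix
                    }
                }
            }
            finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    }
    finally { $site.Dispose() }
}

$findings | Format-Table -AutoSize
```

Provisioning scripts that set `NavigateForFormsPages = $FALSE` will reintroduce the dialog setting on newly created sites, so they need the same change.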
- What patch level is the farm at? In addition, any vulnerabilities should be reported to MSRC team for proper attention or to CERT - http://www.kb.cert.org/vuls/ (or both). You can report security vulnerabilities to MSRC here - https://technet.microsoft.com/en-us/security/ff852094.
- Sven Engel (Copper Contributor)
Hi Trevor,
thanks for your post. Under kb.cert.org/vuls our vulnerability is not listed. At the moment I try to get the correct malicious code from our pentester to report the security vulnerability as clear as possible. Our SP 2013 Farm and Win server have all the security patches installed until July 2017 and SP CU June 2017 is installed too.
What is the right approach for us to verify this pentest finding?
1) https://technet.microsoft.com/en-us/security/ff852094
2) open a Microsoft Case
At the moment my intention is option 1 because I don't believe we have made a mistake in our SP configuration.
- Option 1, but that said, I can't reproduce your scenario. I created a Task list, entered "<script>alert(document.cookie);</script>" as the task item name, saved it and nothing was produced when viewing the Task list or the individual item.
- Dean_Gross (Silver Contributor)
wbaer can you provide any guidance?