Forum Discussion
Found Stored Cross Site Scripting (XSS) vulnerability in SharePoint 2013
Hi guys,
I am a colleague of Sven and will give you some additional input.
The site on which we can reproduce the XSS was set up with a project site template. On the homepage we are displaying the Project Summary Webpart.
In the tasks we have created one entry with following details:
Name: pentest11<script>alert(document.cookie)</script>
Start date: <at least today, as it needs to show up on the Project Summary webpart>
End date: <any date>
Saving the entry and browsing in the task list doesn't seem to execute the JavaScript snippet. But once going back to the site homepage where the Project Summary webpart is displayed we see a pop-up showing cookie details.
The JavaScript will not be executed when this particular task has no start date, so it will not show up in the webpart.
We tried this with IE and Chrome with same results.
Our farm patch status is:
CU: June 2017
Security Patches: July 2017
Best regards, Marco
Thanks. I can't reproduce with the August 2017 CU. I've attached an image of what the page looks like.
- Marco Pirzer, Aug 18, 2017, Copper Contributor
Hi Trevor,
thanks for your input.
We have done several tests and found the root cause for this behavior (at least in our environment). It would be great if you could try this also on your end, just to see if you are affected as well.
Our sites are provisioned via PowerShell and the task list is also generated via PowerShell. We recognized that when deleting an existing task list and recreating a task list with the same name over the GUI the issue is gone. So we checked our PowerShell script, which contains the following commands:

```powershell
# Create Tasks
# $web is the SPWeb object the provisioning script opened earlier (e.g. via Get-SPWeb)
$LibTemp = [Microsoft.SharePoint.SPListTemplateType]::TasksWithTimelineAndHierarchy
$web.Lists.Add("Tasks", "", $LibTemp)
$list5 = $web.Lists["Tasks"]
$list5.OnQuickLaunch = $TRUE
$list5.EnableAssignToEmail = $TRUE
$list5.NavigateForFormsPages = $FALSE   # the setting identified below as the trigger
$list5.Update()
```

So we went through each setting and identified the "NavigateForFormsPages" setting to be the root cause. So actually the "Launch dialogs in forms" trigger in the task list setting is causing the XSS on our end. When disabling this setting either via PowerShell or the GUI everything is fine and no XSS is possible. Of course XSS is only happening when tasks appear in the Project Summary webpart.
So it would be interesting if you can reproduce this in your farm and could give some feedback.
Thank you guys!
Best regards, Marco
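As an added example (not code from the thread or from the posters' provisioning scripts), a PowerShell audit that walks every task list in a web application and reports, and optionally reverts, the dialog setting identified above; the web application URL and the `-Fix` switch are assumptions, and the script assumes the SharePoint Server management shell on a farm server.

```powershell
# Added example: find task lists whose forms open in a dialog
# (SPList.NavigateForFormsPages = $false, the state the thread reports as affected)
# and optionally set NavigateForFormsPages = $true, the workaround the thread describes.
param(
    [string]$WebAppUrl = "http://sharepoint.example.local",  # placeholder, replace with your web application
    [switch]$Fix                                            # report only unless -Fix is given
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Both task list templates; the thread's list uses TasksWithTimelineAndHierarchy
$taskTemplates = @(
    [Microsoft.SharePoint.SPListTemplateType]::Tasks,
    [Microsoft.SharePoint.SPListTemplateType]::TasksWithTimelineAndHierarchy
)

$findings = @()
$webApp = Get-SPWebApplication $WebAppUrl
foreach ($site in $webApp.Sites) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    if ($taskTemplates -notcontains $list.BaseTemplate) { continue }
                    # $false means "launch forms in a dialog"; $true navigates to the full form page
                    if ($list.NavigateForFormsPages -eq $false) {
                        $findings += [pscustomobject]@{ Web = $web.Url; List = $list.Title }
                        if ($Fix) {
                            $list.NavigateForFormsPages = $true
                            $list.Update()
                        }
                    }
                }
            } finally { $web.Dispose() }   # release SPWeb handles as we go
        }
    } finally { $site.Dispose() }
}

$findings | Format-Table -AutoSize
"{0} task list(s) with dialog forms enabled{1}" -f $findings.Count, $(if ($Fix) { " (updated)" } else { "" })
```

The other reply in the thread could not reproduce the behaviour on the August 2017 CU, so this audits the workaround the post describes; it does not replace applying the current cumulative update.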
- Aug 18, 2017: I'm unable to reproduce.