Microsoft SharePoint XSS Vulnerability
(Microsoft Security Advisory 983438, CVE-2010-0817)
A zero-day Cross-Site Scripting (XSS) vulnerability in Microsoft SharePoint was disclosed by High Tech Bridge, a Switzerland-based security research lab, in advisory HTB22350 on April 28th, which included proof-of-concept code. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code within the vulnerable application.
Microsoft Office SharePoint Server (MOSS) 2007 is an integrated suite of server capabilities built on top of Windows SharePoint Services. The vulnerability is due to an error in the "/_layouts/help.aspx" script of Microsoft SharePoint Server, which fails to properly sanitize user-supplied input in the "cid0" parameter. A remote attacker can exploit this issue to execute a cross-site scripting attack by convincing a user to click on a maliciously crafted URL that contains script code. Microsoft issued Security Advisory 983438 a few hours after the release of the High Tech Bridge advisory.
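The bug class described above is a request parameter written verbatim into the response page. The following added example (illustration only, not SharePoint's help.aspx code) shows the unsafe pattern next to its hardened form: the template, the function names and the allowed topic-id pattern are constructed for this example; only the parameter name cid0 comes from the advisory.

```python
"""Reflecting a request parameter into an HTML page: the unsafe pattern the
advisory describes (value emitted verbatim) next to a hardened form.
Added illustration, not SharePoint code; template and helpers are assumed."""
import re
from html import escape

# Constructed page template; {cid0} is where the request parameter lands.
TEMPLATE = "<html><body><h1>Help</h1><p>Topic: {cid0}</p></body></html>"

# Assumed allow-list for a help topic identifier (letters, digits, . _ -).
TOPIC_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def render_help_unsafe(cid0: str) -> str:
    """Vulnerable pattern: the cid0 value is placed into the markup without
    encoding, so any markup in the parameter becomes markup in the page."""
    return TEMPLATE.format(cid0=cid0)


def render_help_safe(cid0: str) -> str:
    """Hardened pattern: HTML-encode the value for the context it is written
    into. quote=True also encodes quotes, so the same value would be safe
    inside a quoted attribute."""
    return TEMPLATE.format(cid0=escape(cid0, quote=True))


def is_valid_topic_id(cid0: str) -> bool:
    """Defence in depth: reject values that cannot be a topic id at all,
    before they reach the renderer."""
    return TOPIC_ID_RE.match(cid0) is not None


def reflected_verbatim(cid0: str, page: str) -> bool:
    """True if the raw parameter value appears unchanged in the page."""
    return cid0 in page


if __name__ == "__main__":
    # Constructed inputs: a benign topic id and a value carrying markup.
    for value in ("Intro.Topic01", "<script>x</script>"):
        print(repr(value), "valid:", is_valid_topic_id(value))
        print("  unsafe reflects raw:", reflected_verbatim(value, render_help_unsafe(value)))
        print("  safe   reflects raw:", reflected_verbatim(value, render_help_safe(value)))
```

For a benign identifier both renderers produce the same page; for a value carrying markup only the unsafe renderer reflects it unchanged, while the hardened one emits it as text.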
On April 29th Check Point IPS Update Service teams reproduced the vulnerability, determined that the generic Cross-Site Scripting protection available since 2005 provides pre-emptive protection against this exploit, and immediately published a pre-emptive advisory, CPAI-2010-074. At the same time, our security engineers started developing a focused protection for specifically detecting the new vulnerability using more detailed information about the vulnerability that came from various sources including:
- Internal research
- Check Point partnership in Microsoft Active Protection Program (MAPP)
- Other Research Partners
On May 4th Check Point Update Services released a protection for Security Gateway versions R70 and R71. The IPS Software Blade engine in R70 and later protects against the SharePoint Server vulnerability by normalizing URLs to a canonical form and then matching regular expressions against them, which also defeats attempts to evade detection through URL obfuscation.
To protect against other Cross-Site Scripting attacks in R70 Software Blades and earlier NGX versions, see Security Best Practice SBP-2010-18. In addition, IPS-1, Check Point's dedicated IPS product, protects against Cross-Site Scripting and this specific exploit using the WWW 2 User-Definable Variables protection group.
- Why develop the new specific protection when we have the generic XSS protection in place?
- The generic XSS protection requires careful tuning and monitoring before activating it in Prevent mode to avoid false positives. As a result, it is not included in the R70 and R71 Recommended Profile and isn't activated out of the box for customers choosing to use this protection profile. The new protection avoids this problem by providing accurate detection of the SharePoint Server vulnerability. Note that there is work in progress to reduce the false positive rate for the generic XSS protection in future Security Gateway versions so that it can be deployed in more environments.
- Why is the new protection available only for R70 and R71 gateways?
- This is due to the new IPS detection technologies that these versions provide, especially for protections that can be pushed through IPS updates. The protection against the SharePoint Server vulnerability uses regular-expression matching together with the ability to normalize URLs to a canonical form, defeating attempts to evade detection through numerous URL obfuscation techniques.
- How does the IPS-1 WWW 2 protection detect and block this attack?
- The User-Definable Variables protection group contains a list of values that should not appear in GET/POST requests. Among these are values for various scripting elements included in the default protection, such as '<script>' tags, which are matched in the client's URL when it accesses a malicious target.
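The two mechanisms discussed above, canonicalizing a URL before applying regular-expression signatures (R70/R71) and matching a list of scripting tokens in GET/POST requests (IPS-1 User-Definable Variables), can be illustrated together. The added example below is not Check Point's or Microsoft's code: the token list, the decoding bound and the sample requests are constructed, and the canonicalization handles percent-encoding, nested (double) encoding and IIS-style %uXXXX escapes, which goes beyond the single obfuscation the page mentions.

```python
"""Canonicalize a request URL, then match it against a list of scripting
tokens. Added illustration of the normalize-then-match approach; not the
code of any IPS product. Token list and samples are constructed."""
import re
from urllib.parse import unquote

# Constructed stand-in for a "user-definable variables" list: substrings a
# client should never be sending in a GET/POST request.
SCRIPT_TOKENS = ["<script", "javascript:", "onerror=", "onload="]
TOKEN_RE = re.compile("|".join(re.escape(t) for t in SCRIPT_TOKENS))

MAX_DECODE_ROUNDS = 3  # assumed bound on nested percent-encoding to unwrap
PERCENT_U_RE = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX escape


def canonicalize(url: str) -> str:
    """Return a canonical form: '+' as space, %uXXXX and %XX decoded
    repeatedly (to unwrap double encoding), then lower-cased."""
    current = url.replace("+", " ")
    for _ in range(MAX_DECODE_ROUNDS):
        # unquote() does not understand %uXXXX, so map those first.
        step = PERCENT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), current)
        step = unquote(step)
        if step == current:  # nothing left to decode
            break
        current = step
    return current.lower()


def matches(text: str) -> list:
    """Tokens found in the canonical form of text (empty list = no hit)."""
    return [m.group(0) for m in TOKEN_RE.finditer(canonicalize(text))]


def inspect_request(method: str, url: str, body: str = "") -> dict:
    """Apply the token check to the URL and, for POST, to the form body."""
    hits = matches(url)
    if method.upper() == "POST":
        hits += matches(body)
    return {"verdict": "block" if hits else "allow", "tokens": hits}


# Constructed sample requests (not captured traffic); the script path and
# parameter name are those named in the advisory.
SAMPLES = [
    ("GET", "/_layouts/help.aspx?cid0=Intro.Topic01"),           # benign
    ("GET", "/_layouts/help.aspx?cid0=%3Cscript%3E"),            # single encoding
    ("GET", "/_layouts/help.aspx?cid0=%253CScRiPt%253E"),        # double encoding, mixed case
    ("GET", "/_layouts/help.aspx?cid0=%u003Cscript%u003E"),      # %u encoding
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(method, url, "->", inspect_request(method, url))
```

Without the canonicalization step a signature written as `<script` would miss the double-encoded and %u-encoded variants; with it, all three obfuscated samples reduce to the same canonical string and the benign topic id passes.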