IT and Business Insights for SMB Solution Providers

Cloud security versus on premises security

About twenty years ago I made money helping corporations get connected to the thing we now call the Internet, before the World Wide Web.

I'm trying to analyze the risk of doing nothing on my SBS 2008. SBS 2003 is not vulnerable to this SharePoint issue. SBS 2008 is at risk... but I'm not convinced it's enough for me to do anything other than monitor the situation.

High-Tech Bridge SA - Advisories - XSS vulnerability in Microsoft SharePoint Server 2007:
http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007....
Security Research & Defense : Sharepoint XSS issue:
http://blogs.technet.com/srd/archive/2010/04/29/sharepoint-xss-issue.aspx
Microsoft Online Services Team Blog : Mitigation for SharePoint Security Vulnerability:
http://blogs.technet.com/msonline/archive/2010/04/30/mitigation-for-shar...

So here's where we can compare risks of cloud versus risks of on premises.

I have a SharePoint that is vulnerable to this issue... sort of.

http://www.microsoft.com/technet/security/advisory/983438.mspx
What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights on the SharePoint site as the targeted user. The attacker could then run commands against the SharePoint server in the context of the targeted user.

The advisory states that the vulnerability could allow Elevation of Privilege (EoP) within the SharePoint site itself. We would like to stress that this EoP is not EoP from normal user to admin user in the workstation or the server environment. Instead, the attacker may execute malicious script under a SharePoint user's context within his/her SharePoint session. The most likely attack scenario, then, is that an attacker sends a malicious link to a user who is logged into their SharePoint server. If the user clicks the link, the javascript created by the attacker and embedded in the link would execute in the context of the user who clicked the link. http://blogs.technet.com/srd/archive/2010/04/29/sharepoint-xss-issue.aspx

An attacker can cause arbitrary JavaScript to be run by the user clicking the specially crafted URL, but the attacker would not be able to steal the logged-on user's authentication credentials due to the way SharePoint Server handles the HttpOnly authentication cookie.

You can proactively restrict the help file to block this issue as follows:

Restrict Access to SharePoint Help.aspx

An administrator can apply an access control list to SharePoint Help.aspx to ensure that they can no longer be loaded. This effectively prevents exploitation of the vulnerability using this attack vector.

To restrict access to the vulnerable Help.aspx:

Run the following commands from a command prompt:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

Impact of workaround. This workaround will disable all help functionality from the SharePoint server.

How to undo the workaround.

Run the following commands from a command prompt:

takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"

takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone
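To see whether that workaround is actually in place on a box before deciding to leave it alone, here is an added check (my own example, not code from the post or from Microsoft). It assumes that cacls with everyone:N leaves a Deny entry for Everyone on the file, and it reports rather than changes anything.

```powershell
# Added example, not from the original post or from Microsoft: report whether
# the Help.aspx workaround above is in place. Assumes cacls "everyone:N" leaves
# a Deny ACE for Everyone on the file (what icacls displays as (N)).
$helpPages = @(
    "$env:ProgramFiles\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx",
    "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"
)

function Test-HelpAspxRestricted {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'absent'; Detail = 'file not present on this host' }
    }

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A Deny for Everyone also blocks reading the ACL unless you own the file,
        # which is why the undo steps run takeown first. Report it, don't guess.
        return [pscustomobject]@{ Path = $Path; Status = 'unreadable'; Detail = "ACL read failed: $($_.Exception.Message)" }
    }

    $everyone = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
    $deny  = @($everyone | Where-Object { $_.AccessControlType -eq 'Deny' })
    $allow = @($everyone | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Workaround present: Everyone is explicitly denied and no Allow for Everyone remains.
    $status = if ($deny.Count -gt 0 -and $allow.Count -eq 0) { 'restricted' } else { 'open' }
    $detail = if ($everyone.Count -gt 0) {
        ($everyone | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join ', '
    } else {
        'no explicit Everyone ACE (inherited permissions only)'
    }

    [pscustomobject]@{ Path = $Path; Status = $status; Detail = $detail }
}

$helpPages | ForEach-Object { Test-HelpAspxRestricted -Path $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt on the SBS box; an "unreadable" result means the ACL itself is locked down, so take ownership (as in the undo steps) if you need to inspect it.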

The question you can ask yourself is if the risk is really worth it? They won't gain user credentials. They "gain the same rights as the logged in SharePoint". Okay so I don't log into companyweb often enough to make this a huge risk in my book. The BPOS guys took action to proactively mitigate. But I don't think the risk to my on premises SharePoint is enough to take action at this time.

What's your take?

About the Author: Susan Bradley

Susan is just a wacko SBSer who started down her path by hanging out in the SBS newsgroup community. She's not a Microsoft employee or affiliated with Microsoft. Get a feel of the SBS “vibe” and join in the SBS community!
