SharePoint 2013 XSS Vulnerability Discovered

By Aamir Lakhani | September 14, 2015

Researchers with FortiGuard Labs recently discovered a persistent cross-site scripting vulnerability in Microsoft SharePoint 2013. SharePoint is a web application platform in the Microsoft Office server suite that combines intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. It is frequently deployed for internal use in mid-size businesses and large departments alongside Microsoft Exchange, among other Microsoft enterprise software.

This particular vulnerability, CVE-2015-2522, is caused by insufficient sanitization of user-supplied input at a number of input points, such as notes, keywords, and comments. It allows remote attackers to launch XSS attacks, injecting malicious script into SharePoint web pages where it is stored and later viewed, and inadvertently executed, by other users. As described in Microsoft's related security bulletin,
"An attacker who successfully exploited this vulnerability could perform persistent cross-site scripting attacks and run script (in the security context of the logged-on user) with malicious content that appears authentic. This could allow the attacker to steal sensitive information, including authentication cookies and recently submitted data."
Specifically, once the vulnerability is successfully exploited, attackers can
  • Obtain information about other users, such as their operating system and browser. For example, if the browser or one of its plugins is vulnerable, the attacker may go on to exploit that vulnerability and take control of the victim's computer.
  • Redirect the victim's browser to malicious websites. For example, a pop-up could prompt the victim for a username and password and then collect this data for further attacks.
  • Force victims to download and execute malicious code from other websites.

Because so many organizations that use SharePoint also use Windows Active Directory for authentication, attackers could steal high-level credentials and then gain administrator-level control system-wide.

As with many XSS vulnerabilities, attackers can craft specific inputs to exploit this vulnerability. In Figure 1, we see normal sanitization:

Figure 1. Normal sanitization

In Figure 2 below, however, we demonstrate how an attacker can add a crafted expression to the Notes field:

Figure 2. Adding a crafted note

As shown in Figure 3, once the user clicks Save, the Notes field has been changed. Then, whenever a victim views this crafted link and hovers the mouse over it, the injected script is executed automatically on behalf of the victim, within their security context.

Figure 3. Successful execution of injected XSS code
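The root cause described above is a stored value (the note) being written into a page without encoding for the context it lands in. The following is an added example, not Fortinet's, Microsoft's, or SharePoint's code: a hypothetical link renderer that drops the note into a title attribute verbatim, beside a hardened version that entity-encodes every user-controlled value, plus a small check that parses the rendered anchor and reports whether the note was able to create attributes of its own. The URL and note values are constructed samples.

```python
# Added example (not SharePoint's own code): why attribute-context output
# encoding stops a stored XSS in a "Notes" field. The two renderers are
# hypothetical stand-ins for a link list; the sample URL and note are constructed.
import html
import re

SAMPLE_URL = "http://example.test/"                 # constructed
SAMPLE_NOTE = 'x" onmouseover="probe()'              # constructed: note that tries to leave the attribute


def render_note_link_unsafe(url: str, note: str) -> str:
    """Hypothetical vulnerable renderer: the saved note is interpolated into the
    title attribute as-is, so a quote in the note closes the attribute and the
    remainder of the note becomes new markup."""
    return f'<a href="{url}" title="{note}">{url}</a>'


def render_note_link_safe(url: str, note: str) -> str:
    """Hardened renderer: every user-controlled value is entity-encoded for the
    context it is written into. html.escape(quote=True) encodes & < > " and ',
    so a note can never terminate the attribute it is placed in."""
    return (f'<a href="{html.escape(url, quote=True)}" '
            f'title="{html.escape(note, quote=True)}">'
            f'{html.escape(url)}</a>')


_ATTR_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')
_EVENT_HANDLER = re.compile(r'^on\w+$', re.IGNORECASE)


def attributes_of(rendered: str) -> dict:
    """Collect name="value" pairs from the rendered anchor, roughly as a browser
    would tokenize them. Shows whether the note stayed inside title=... or
    escaped into attributes of its own."""
    return dict(_ATTR_RE.findall(rendered))


def injected_event_handlers(rendered: str) -> list:
    """Return any on* attributes found in the rendered markup. Output built from
    a note field should never contain these; a non-empty list means the
    encoding step was skipped."""
    return [name for name in attributes_of(rendered) if _EVENT_HANDLER.match(name)]


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_note_link_unsafe), ("safe", render_note_link_safe)):
        out = renderer(SAMPLE_URL, SAMPLE_NOTE)
        print(f"{label}: {out}")
        print(f"  event-handler attributes created by the note: {injected_event_handlers(out)}")
```

The check is deliberately simple: it only needs to show that with encoding in place the whole note remains the value of `title`, whereas without it the note supplies an event handler attribute that fires on hover, which is exactly the trigger the figures above describe.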

We further demonstrate this vulnerability in the video below:

Microsoft has patched this vulnerability, and users of SharePoint 2013 build 15.0.4571.1502 and earlier should update as soon as possible. FortiGuard protects against this vulnerability with the IPS signature MS.SharePoint.App.Links.Notes.XSS.

For customers using SharePoint and other web-based applications that can be vulnerable to XSS attacks, Fortinet strongly recommends the use of a Web Application Firewall (WAF). A FortiWeb WAF provides protection from this XSS vulnerability automatically without the need for a signature update or patch from Microsoft.