Researchers with FortiGuard Labs recently discovered a persistent cross-site scripting vulnerability in Microsoft SharePoint 2013. SharePoint is a web application platform in the Microsoft Office server suite that combines intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. It is frequently deployed for internal use in mid-size businesses and large departments alongside Microsoft Exchange, among other Microsoft enterprise software.
"An attacker who successfully exploited this vulnerability could perform persistent cross-site scripting attacks and run script (in the security context of the logged-on user) with malicious content that appears authentic. This could allow the attacker to steal sensitive information, including authentication cookies and recently submitted data."
Because so many organizations that use SharePoint also use Windows Active Directory for authentication, attackers could steal high-level credentials and then gain administrator-level control system-wide.
As with many XSS vulnerabilities, attackers can craft specific inputs to exploit this vulnerability. In Figure 1, we see normal sanitization:
Figure 1. Normal sanitization
In Figure 2 below, however, we demonstrate how an attacker can add a crafted expression to the Notes field:
Figure 2. Adding a crafted note
As shown in Figure 3, once the user clicks Save, we can see the “Notes” has been changed. Then, when any victim views this crafted link and moves his/her mouse on it, the injected script code will be automatically executed on behalf of the victim within their security context.
Figure 3. Successful execution of injected XSS code
We further demonstrate this vulnerability in the video below:
Microsoft has patched this vulnerability and any users of SharePoint 2013 15.0.4571.1502 and before should update as soon as possible. FortiGuard is protecting against this vulnerability with IPS Signature: MS.SharePoint.App.Links.Notes.XSS.
For customers using SharePoint and other web-based applications that can be vulnerable to XSS attacks, Fortinet strongly recommends the use of a Web Application Firewall (WAF). A FortiWeb WAF provides protection from this XSS vulnerability automatically without the need for a signature update or patch from Microsoft.