
Microsoft SharePoint 2007 / 2010 URL Redirect

Posted Sep 14, 2011
Authored by Irene Abezgauz | Site seekersec.com

Microsoft SharePoint 2007 and 2010 suffer from an open redirect vulnerability.

tags | exploit
SHA-256 | 5e74e222cf47c042342b8886f931b38f1ceaf22f10e9117819c5db9b0ec8ca6c

Seeker Research Center Security Advisory 

This vulnerability was discovered by Seeker(r) Automatic Run-Time
Application Security Testing Solution
Disclosed By Irene Abezgauz, September 13th, 2011

=========
I. Overview
=========
An Insecure Redirect vulnerability has been identified in Microsoft
SharePoint shared infrastructure. This vulnerability allows an attacker
to craft links that contain redirects to malicious sites in the source
parameter used throughout SharePoint portal.

The exploitation technique detailed in this document bypasses the
cross-application redirection restriction, which normally prevents such
redirects from reaching external sites.

A friendly formatted version of this advisory is available at:
https://www.seekersec.com/Advisories/SeekerAdvMS03.html

=======
II. Details
=======
Multiple pages and components in Microsoft SharePoint use the source
parameter to redirect users to a new location after accessing a certain
page, such as:
POST /Docs/Lists/Announcements/NewForm.aspx?Source=http%3a%2f%2f127.0.0.1%2fDocs%2fdefault.aspx
In order to avoid cross-application redirects (which pose a threat to
the system), Microsoft SharePoint enforces checks on these redirects
and limits them to localhost, 127.0.0.1, or the SharePoint server IP.
The IP redirect is only valid if the redirect is to an actual
SharePoint page on the server; redirects to localhost or 127.0.0.1 work
regardless of whether the relevant page exists.
The implementation of this verification, however, is flawed, and can be
circumvented by creating hostnames which begin with the string
localhost, or 127.0.0.1 even if they are not localhost.
Due to domain naming restrictions the 127.0.0.1 prefix cannot be used in
exploitation, as https://127.0.0.1.seekersec.com is not a valid domain
name - subdomain names cannot be digits only. However, redirects to
https://localhost.seekersec.com or https://localhostie.seekersec.com are
valid. The following prefixes can be provided into the Source parameter
to exploit this vulnerability:
localhostaaa, localhost.seekersec.com, etc.
An attacker can generate an attack by creating a site containing
localhost in its name, and crafting a URL which embeds into the source
parameter a link that leads to a site outside the current application.
Once a victim follows the specially crafted link, he does arrive at
the selected page of the vulnerable SharePoint application. Once the
page operation is completed, the user is redirected to the URL in
the source parameter.
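
The check described above, modelled as an added example (not SharePoint's code and not part of the original advisory): a prefix test on the redirect target next to a check that parses the URL and compares the complete hostname. The function names and the server IP 192.0.2.10 are assumptions made for illustration; the sample requests are constructed from the values quoted in this advisory.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts the advisory says redirects are meant to be limited to. The server
# IP is a constructed placeholder (TEST-NET-1), not a value from the advisory.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "192.0.2.10"}

def flawed_is_local(target: str) -> bool:
    """Model of the described flaw: prefix test on the text after the scheme."""
    rest = target.split("://", 1)[-1].lower()
    return rest.startswith(("localhost", "127.0.0.1"))

def strict_is_local(target: str) -> bool:
    """Parse the target and compare the complete hostname to the allow-list."""
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False  # characters that URL parsers and browsers treat differently
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")  # site-relative path, stays on this host
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return False  # only web schemes, no userinfo in a redirect target
    return parts.hostname in ALLOWED_HOSTS

def audit_request(url: str):
    """Return (source, flawed_verdict, strict_verdict), or None if no Source."""
    query = parse_qs(urlsplit(url).query)
    source = next((v[0] for k, v in query.items() if k.lower() == "source"), None)
    if source is None:
        return None
    return source, flawed_is_local(source), strict_is_local(source)

# Constructed request URLs built from the values quoted in the advisory.
FORM = "https://MySharePoint/Docs/Lists/Announcements/NewForm.aspx"
SAMPLES = [
    FORM + "?Source=http%3a%2f%2f127.0.0.1%2fDocs%2fdefault.aspx",
    FORM + "?Source=http%3a%2f%2flocalhost.seekersec.com",
    FORM + "?Source=http%3a%2f%2flocalhostaaa",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        source, flawed, strict = audit_request(sample)
        print(f"{source:40} prefix-check={flawed!s:5} exact-host={strict}")
```

The same audit_request function can be run over Source values pulled from web server logs to list requests where the prefix test and the exact-host test disagree.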

========
III. Exploit
========
Sample exploitation of this vulnerability would be crafting the
following link:
https://MySharePoint/Docs/Lists/Announcements/NewForm.aspx?Source=http%3a%2f%2flocalhost.seekersec.com
It is important to note that in many situations, even if the application
does not use the source parameter by default, this parameter can be
added manually to the URL, leading to exploitation of this
vulnerability.

================
IV. Affected Systems
================
Microsoft SharePoint 2007
Microsoft SharePoint 2010

========
V. Solution
========
Microsoft has released a fix for this vulnerability, see
https://technet.microsoft.com/security/bulletin/MS11-074 for further
information.

=======
VI. Credit
=======
The vulnerability was automatically discovered by Seeker(r) - New
generation application security testing solution, utilizing ground
breaking BRITE(tm) technology (Behavioral Runtime Intelligent Testing
Engine).
Further research and publication was performed by Irene Abezgauz,
Product Manager, Seeker Security.
For more information please visit www.seekersec.com

-----------------
Irene Abezgauz
Product Manager
Seeker Security
www.seekersec.com
E-Mail: irene@seekersec.com