Sunday, 18 March 2012

SharePoint "Vulnerable by Default"

Even the Scroll Bar Can't be Trusted

Here's how to steal sensitive information from users of either SharePoint or LinkedIn, via their web browser.

The method, known as frame sniffing, is unlike a conventional SQL injection or cross-site scripting (XSS) attack in that no code need be injected into the site. Instead, the attacker's malicious webpage loads the target website into a hidden HTML frame, once the CMS user is tricked into browsing to that page by any of the usual socially-engineered means (e.g., spam email). As long as the user then keeps that tab open, the attacker can frame-sniff, for example running SharePoint searches exactly like an authorised user.

Paul Stone & Jacobo Ros describe the vulnerability in their video, and present some sample exploits, including a proof of concept that you can run for yourself, at the Context Information Security site:

Surprisingly, the attack works because the default configuration of the CMS often does nothing to stop browsers from framing its pages. The approach bypasses the browser security restrictions intended to prevent a webpage from directly reading the contents of third-party sites loaded in frames. At the time of writing, only Mozilla Firefox has been updated to prevent frame sniffing.

Installations that are vulnerable by default include SharePoint 2007 and 2010. The vulnerability is easily stomped by setting the X-Frame-Options response header, forcing browsers to disallow framing of critical configuration server pages, or of any other pages that require an "authentic user click" - as previously described by Microsoft's Eric Law in his (two year old!) IEInternals article, Combating ClickJacking With X-Frame-Options. Obviously, since this setting will prevent SharePoint from being framed, it might break your installation, for example if you have another intranet app using SharePoint via a frame.
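To check whether a deployment actually sends the header described above, here is a small audit script. It is an added example, not code from this post or from Context Information Security, and it knows nothing about SharePoint specifically: it just classifies a set of HTTP response headers as "denied", "restricted" (SAMEORIGIN or ALLOW-FROM, the setting you would want if your own intranet portal frames SharePoint) or "frameable". It goes slightly beyond the post by also recognising the later Content-Security-Policy frame-ancestors directive, which browsers give precedence over X-Frame-Options. The sample responses at the bottom are constructed, not captured from a real server; `check_url` is a hypothetical convenience wrapper that needs network access and an unauthenticated page.

```python
"""Audit HTTP response headers for the anti-framing settings the post recommends.

Added example; not part of the original post. The sample headers are constructed.
"""
import urllib.request
from typing import Mapping, Optional, Tuple


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_frame_policy(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one response's headers.

    verdict is one of:
      "denied"     - no page may frame it (X-Frame-Options: DENY, or CSP frame-ancestors 'none')
      "restricted" - framing limited to the page's own origin or to listed origins
      "frameable"  - nothing stops a third-party page from framing it
    """
    # CSP frame-ancestors (standardised after this 2012 post) overrides X-Frame-Options
    # in browsers that support it, so evaluate it first.
    csp = _lookup(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources == ["none"]:
                    return "denied", "CSP frame-ancestors 'none'"
                if not sources or "*" in sources:
                    return "frameable", "CSP frame-ancestors allows any origin"
                return "restricted", "CSP frame-ancestors " + " ".join(parts[1:])

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        return "frameable", "no X-Frame-Options header"
    # Two values in one header (e.g. "DENY, SAMEORIGIN") are not reliably honoured;
    # an audit should treat that conservatively as unprotected.
    if "," in xfo:
        return "frameable", f"conflicting X-Frame-Options values: {xfo!r}"
    value = xfo.strip().upper()
    if value == "DENY":
        return "denied", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "restricted", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # ALLOW-FROM names a single origin and was never supported by every browser.
        return "restricted", f"X-Frame-Options: {xfo.strip()} (not honoured by every browser)"
    return "frameable", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


def check_url(url: str, timeout: float = 10.0) -> Tuple[str, str]:
    """Hypothetical helper: HEAD-request a URL and classify its framing policy.

    Needs network access and a page reachable without authentication.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_frame_policy(dict(resp.headers.items()))


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "default page, no header (constructed)": {"Content-Type": "text/html", "Server": "Microsoft-IIS/7.5"},
    "hardened settings page (constructed)": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "page framed by own intranet portal (constructed)": {"x-frame-options": "sameorigin"},
    "misconfigured, two values (constructed)": {"X-Frame-Options": "DENY, SAMEORIGIN"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        verdict, why = classify_frame_policy(hdrs)
        print(f"{label:48} {verdict:10} {why}")
```

Run it as-is to see the four constructed cases classified, or call `check_url` against your own pages. SAMEORIGIN is the value to reach for when a same-origin intranet app legitimately frames the site; DENY is the safer choice for the settings pages the post singles out, since it blocks framing from any origin, including your own.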

Good news: Microsoft have stated that the X-Frame-Options header should be correctly set in the next version of SharePoint. Bad: at the time of writing, LinkedIn have yet to respond to Context's vulnerability report.