Update Protection against Microsoft SharePoint Server 2007 Cross-Site Scripting (XSS) Vulnerability (MS10-039)

Check Point Reference: CPAI-2010-074
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Advisory (983438)
Microsoft Security Bulletin MS10-039
Industry Reference(s): CVE-2010-0817
Protection Provided by:
Security Gateway
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
InterSpect
  • NGX
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Office SharePoint Server 2007 SP1 (32-bit edition)
Microsoft Office SharePoint Server 2007 SP2 (32-bit edition)
Microsoft Office SharePoint Server 2007 SP1 (64-bit edition)
Microsoft Office SharePoint Server 2007 SP2 (64-bit edition)
Microsoft Windows SharePoint Services 3.0 SP1 (32-bit edition)
Microsoft Windows SharePoint Services 3.0 SP2 (32-bit edition)
Microsoft Windows SharePoint Services 3.0 SP1 (64-bit edition)
Microsoft Windows SharePoint Services 3.0 SP2 (64-bit edition)
Vulnerability Description
A cross-site scripting (XSS) vulnerability has been discovered in Microsoft SharePoint Server 2007. Windows SharePoint Services provide a platform for collaboration applications and document management. Office SharePoint Server is an integrated suite of server capabilities built on top of Windows SharePoint Services. A remote attacker may exploit this vulnerability to run malicious scripts on an affected system.
Vulnerability Status
The vulnerability is publicly disclosed:
High-Tech Bridge: HTB22350
Update/Patch Available
Update patches:
Microsoft Security Bulletin MS10-039
Vulnerability Details
The vulnerability is due to an error in Microsoft SharePoint Server, which fails to properly sanitize user-supplied input. A remote attacker can exploit this issue to execute a cross-site scripting attack by convincing a user to click on a maliciously crafted URL that contains script code. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary JavaScript code within the vulnerable application.

Protection Overview
This protection will detect and block the specific CVE-2010-0817 cross-site scripting attack. This protection is designed for users of R70/R71 only.

Users of Security Gateways VPN-1 NGX R62/R65, VSX NGX R65 and InterSpect NGX are preemptively protected against this vulnerability if the protection against Cross Site Scripting addressed in SBP-2010-18 has been applied.

Users of IPS-1 have been preemptively protected against this vulnerability since April 23, 2004. Follow the instructions below to make sure this protection is activated on your IPS-1 machine.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > Application Layer.
2. In the right pane, double-click the Microsoft Office SharePoint Server help.aspx Cross Site Scripting protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Microsoft Office SharePoint server help.aspx cross site scripting

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the WWW2 User-Definable Variables protection group.
3. Click Data submitted in a GET method contains a user-defined bad string (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: User-Defined Attacks
Description: Data submitted in a GET method contains a user-defined bad string
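
The IPS-1 check above flags GET data that contains a user-defined bad string. The same idea can be applied offline to web server access logs to look for past attempts against help.aspx; this is an added example, not Check Point's signature or code from the advisory. The bad-string list, the log lines, the `/example/` path, the `q` parameter and all function names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: operator-chosen bad strings, not Check Point's signature content.
BAD_STRINGS = ("<script", "javascript:", "onerror=", "onload=")
TARGET_PAGE = "help.aspx"  # page named in the protection's title
MAX_DECODE_ROUNDS = 3      # undo double or triple URL-encoding
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value):
    """URL-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_bad_string(log_line):
    """Return the bad string found in a GET to help.aspx, else None."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/" + TARGET_PAGE):
        return None
    query = fully_decode(parts.query).lower()
    return next((s for s in BAD_STRINGS if s in query), None)


def scan(lines):
    """Return (line number, matched bad string) for every flagged line."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := match_bad_string(line))]

# Constructed log lines: documentation IPs, placeholder path and parameter.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2010:10:00:01 +0000] "GET /example/help.aspx?q=intro HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jun/2010:10:02:11 +0000] "GET /example/help.aspx?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300',
    '198.51.100.7 - - [10/Jun/2010:10:02:15 +0000] "GET /example/help.aspx?q=%253CScRiPt%253Ealert(1) HTTP/1.1" 200 5300',
    '198.51.100.7 - - [10/Jun/2010:10:02:19 +0000] "GET /example/other.aspx?q=%3Cscript%3E HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Jun/2010:10:02:23 +0000] "GET /example/help.aspx?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: bad string {hit!r} in GET to {TARGET_PAGE}")
```

Repeated decoding catches double-encoded input that a single pass would miss, at the cost of occasional false positives on legitimately encoded text, so treat hits as leads to review rather than confirmed attacks.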