Vulnwatch mailing list archives
Re: FW: failure notice
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Tue, 28 Mar 2006 14:38:13 -0800
But I don't get it... It's still an untrusted web site... Sharepoint "is" a web site. And if you don't know whose site it is... it still falls into the guidance of "it's not a trusted web site".
Besides... antivirus vendors are so far protecting us..

Ken Pfeil wrote:
Just in case anyone uses IE with Sharepoint.. Boom.

----- Forwarded message from secure () microsoft com -----
Date: Tue, 28 Mar 2006 11:47:12 -0800
From: Microsoft Security Response Center <secure () microsoft com>
Reply-To: Microsoft Security Response Center <secure () microsoft com>
Subject: RE: Another Attack Vector
To: Ken () infosec101 org

Hi Ken,

Thanks for getting back to me. I will pass your comments on to the case manager handling this behavior with the SharePoint team.

Thanks,
Christopher, CISSP

-----Original Message-----
From: Ken () infosec101 org [mailto:Ken () infosec101 org]
Sent: Tuesday 28 March 2006 11:42
To: Microsoft Security Response Center
Subject: RE: Another Attack Vector

Thank you Christopher,

But there are a bazillion different scenarios where this could be slightly more than detrimental. There are literally hundreds of sites using Sharepoint for blogs, and anonymous access is an option turned on by default. For a real working example, please open the file IE_Exploit.txt on the below site and watch filemon dance a jig..

Best,
Ken

Quoting Microsoft Security Response Center <secure () microsoft com>:

Hi Ken,

Thanks for your note. This is by-design behavior with SharePoint and Internet Explorer and, as you mentioned, is related to IE MIME type detection. The mitigating circumstance in this scenario is that SharePoint sites are authenticated and it would be possible to "audit and punish" the attacker. Just the same, I'll pass this on to the case manager for this investigation.

Thanks,
Christopher, CISSP

-----Original Message-----
From: Ken () infosec101 org [mailto:Ken () infosec101 org]
Sent: Tuesday 28 March 2006 09:16
To: Microsoft Security Response Center
Subject: Another Attack Vector

There is yet another attack vector for createTextRange() (besides untrusted websites). Windows Sharepoint.

If you create a txt file with html tags and post it, say in "Shared Documents", IE will render it as HTML in the browser when the document is clicked on instead of displaying as text. Example: https://foo.org/Shared%20Documents/test2.txt (code is simple html here, but could have been dangerous). You might want to update your advisory to include this. (And, I know you can de-select "Open Files Based on Content, not file extension" under IE, but that opens your host to *other* vulnerabilities.)

Username for the system above for a sample doc is: testuser with password of password.

Best,
Ken

----- End forwarded message -----
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
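
The behaviour reported in the forwarded message (a .txt upload containing HTML tags being rendered as HTML) can be screened for on the server side. The following is an added example, not part of the original thread or of SharePoint: the function names, marker list, extension set and sample file contents are assumptions made for illustration.

```python
import os
import re
from typing import Optional

# Assumption: tag markers a content-sniffing browser may treat as HTML
# (illustrative list, not taken from the thread).
HTML_MARKERS = re.compile(
    rb"<\s*(html|head|body|script|title|table|img|iframe|a\s+href|pre|plaintext)\b",
    re.IGNORECASE,
)
# Assumption: extensions users expect to be displayed as plain text.
TEXT_EXTENSIONS = {".txt", ".log", ".csv"}

def sniffs_as_html(data: bytes) -> bool:
    """True if the body contains markup a sniffing browser could render."""
    return HTML_MARKERS.search(data) is not None

def audit_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a finding for a text-named upload that carries HTML, else None."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in TEXT_EXTENSIONS and sniffs_as_html(data):
        return f"{filename}: {ext} upload contains HTML markup"
    return None

def download_headers(filename: str) -> dict:
    """Response headers that make a browser save the file, not render it."""
    # Replace anything that could close the quoted filename or inject a header.
    safe = re.sub(r"[^A-Za-z0-9._ -]", "_", filename)
    return {
        "Content-Type": "text/plain; charset=utf-8",
        # Honoured by browsers newer than the ones discussed in this thread.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe}"',
    }

# Constructed sample uploads (file contents are made up for this example).
SAMPLES = {
    "test2.txt": b"<HTML><body><h1>rendered, not shown as text</h1></body></html>",
    "notes.txt": b"Meeting at 3 < 4pm, bring laptops > tablets.",
    "page.html": b"<html><body>declared as HTML</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(audit_upload(name, body) or f"{name}: ok")
    print(download_headers("test2.txt"))
```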