Microsoft SharePoint XML File Disclosure (Sept 23, 2011)


Microsoft SharePoint Server is an ASP.NET product intended for collaboration, file sharing, web publishing and other social networking functions. The server runs on the Microsoft IIS web server. SharePoint farms host web sites, intranets and extranets, and also provide a framework for web application development. SharePoint also allows the creation of ASP.NET controls known as Web Parts or Web Widgets to extend the functionality of a particular SharePoint page. These controls allow end users to modify various aspects of the web page from their web browser. One of the widgets included in the SharePoint package is the XML Viewer, which can display XML documents and apply XSLT to them. An example of SharePoint page content that can be added to an XML Viewer widget is shown:

      

test

XML defines entities which are symbolic representations of a block of information. Entities can be either external or internal. Internal entities are defined and used inside the XML file. External entities exist in an external source like a file and require the SYSTEM identifier in order to be imported and used. An example of an external entity definition is shown:

  

In the above example, the external resource identifier is a URI. Most of the time, it's a simple file name.

An information disclosure vulnerability exists in Microsoft SharePoint. It stems from an error in how XML files that use external entities are parsed. The vulnerable code allows a user to specify an arbitrary file and path as the external resource. This allows a user to create an XML Viewer Web Part that discloses the contents of arbitrary files within the SharePoint server's scope. In order to exploit this flaw, an attacker must first be successfully authenticated by the target SharePoint server.

SonicWALL has released two IPS signatures to address this vulnerability. The signatures detect and block generic attack attempts targeting this flaw.

  • 1856 – SharePoint Remote File Disclosure 1
  • 1003 – SharePoint Remote File Disclosure 2
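As an added, defender-side illustration (not SonicWALL's signature logic and not SharePoint code), the Python below flags XML or XSL content that declares an external entity with a SYSTEM or PUBLIC identifier, and refuses to parse such a document while still expanding ordinary internal entities; the sample documents and the file URI in them are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample documents (not from the advisory): an internal entity
# only, and an external entity whose SYSTEM identifier is a placeholder URI.
BENIGN_XML = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting;</note>"""

EXTERNAL_ENTITY_XML = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY ext SYSTEM "file:///C:/placeholder/example.txt"> ]>
<note>&ext;</note>"""

# Declarations that pull replacement text from an external resource, i.e.
# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "id" "uri">; the
# optional "%" also catches parameter entities (<!ENTITY % name ...>).
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?:(?:\"[^\"]*\"|'[^']*')\s+)?"  # public identifier (PUBLIC form only)
    r"(?P<uri>\"[^\"]*\"|'[^']*')",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    entity: str
    kind: str              # "SYSTEM" or "PUBLIC"
    uri: str               # the external resource the entity would load
    parameter_entity: bool

def find_external_entities(xml_text: str) -> list[Finding]:
    """List every external entity declaration in the document's DTD."""
    return [Finding(m.group("name"), m.group("kind").upper(),
                    m.group("uri")[1:-1], m.group("param") is not None)
            for m in _EXTERNAL_ENTITY.finditer(xml_text)]

def parse_safely(xml_text: str) -> ET.Element:
    """Refuse documents declaring external entities; internal ones still expand."""
    found = find_external_entities(xml_text)
    if found:
        raise ValueError("external entity declared: " + found[0].entity)
    return ET.fromstring(xml_text)

def is_rejected(xml_text: str) -> bool:
    try:
        parse_safely(xml_text)
    except ValueError:
        return True
    return False
```

The check runs on the raw text before any parser sees it, so it also covers parameter entities declared in the internal subset.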

The vulnerability has been assigned CVE-2011-1892 by MITRE.
The vendor has released an advisory (MS11-074) addressing this issue.
