RE: [WEB SECURITY] MOSS security
- From: "Chris Weber \(Casaba Security\)" <chris@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] MOSS security
- Date: Fri, 23 May 2008 10:53:27 -0700
Meaning, you can upload html files to a doclib and they'll be loaded as any
hosted html file in that domain. So if you have uploaded a file called
'myfile.html' and you navigate to:
http://mysharepoint/Shared%20Documents/myfile.html
Then myfile.html loads in the browser as any other html file would in that
domain (as Content-Type: text/html). There might be a setting to mitigate
this by forcing a Content-Disposition: attachment header (a download dialog
prompt), but I'm not sure. Someone with more SharePoint knowledge would
know. Otherwise you could customize the code yourself to force this.
Thanks,
Chris
-----Original Message-----
From: Prasad Shenoy [mailto:prasad.shenoy@xxxxxxxxx]
Sent: Thursday, May 22, 2008 6:34 PM
To: Chris Weber (Casaba Security)
Cc: WASC Forum
Subject: Re: [WEB SECURITY] MOSS security
Very nice Chris. After reading your blog, I am going to revisit some
of the deployments tomorrow but just a quick question while I am at
it. When you talk about XSS in Document Libraries, do you mean a
contributor can inject a script in the name/description of a document?
Or something else? Where can I get more information on this particular
topic?
Thanks.
Prasad
On Thu, May 22, 2008 at 8:00 PM, Chris Weber (Casaba Security)
<chris@xxxxxxxxxxxxxxxxxx> wrote:
> David, MOSS has built-in CSRF protections via the
> SPUtility.ValidateFormDigest() method inherited from its master page.
> There's also built-in XSS protection on ListItems, but not the document
> library - watch out there. You should also look for the use of
> SPSecurity.RunWithElevatedPermissions() when you start building apps on top
> of MOSS. I wrote a bit about these and point to some other references here:
>
> http://lookout.net/2008/04/22/sharepoint-wss-and-moss-application-development-and-security-testing/
>
> thanks,
> Chris
>
> -----Original Message-----
> From: David Felio [mailto:david@xxxxxxx]
> Sent: Wednesday, May 21, 2008 6:56 AM
> To: WASC Forum
> Subject: [WEB SECURITY] MOSS security
>
> After years in the LAMP stack, our company is going towards various MS
> products, including MOSS 2007/WSS 3.0. In various conversations with
> MS folks about security considerations, they always go back to
> permissions. I have not been terribly successful in getting them to
> discuss security beyond/outside setting permissions w/in MOSS correctly.
>
> Does anyone have experience for MOSS (or any SharePoint products) and
> have some ideas about security concerns? One of the things I am
> concerned about is CSRF, since the bulk of the administration is
> handled via a web interface, but there doesn't seem to be much
> existing research out there right now.
>
> Thanks.
>
> David
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
--
Ah! the beauty of hacking....