Re: [VulnWatch] FW: failure notice

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@private)
Date: Tue Mar 28 2006 - 14:38:13 PST


But I don't get it...

It's still an untrusted web site...Sharepoint "is" a web site.

And if you don't know whose site it is... it still falls into the 
guidance of "it's not a trusted web site".

Besides... antivirus vendors are so far protecting us..

Ken Pfeil wrote:

>Just in case anyone uses IE with Sharepoint.. Boom.
>
>----- Forwarded message from secure@private -----
>    Date: Tue, 28 Mar 2006 11:47:12 -0800
>    From: Microsoft Security Response Center <secure@private>
>Reply-To: Microsoft Security Response Center <secure@private>
> Subject: RE: Another Attack Vector
>      To: Ken@private
>
>Hi Ken,
>
>Thanks for getting back to me. I will pass your comments on to the case
>manager handling this behavior with the SharePoint team.
>
>Thanks,
>Christopher, CISSP
>
>-----Original Message-----
>From: Ken@private [mailto:Ken@private]
>Sent: Tuesday 28 March 2006 11:42
>To: Microsoft Security Response Center
>Subject: RE: Another Attack Vector
>
>Thank you Christopher,
>
>But there are a bazillion different scenarios where this could be
>slightly more than detrimental. There are literally hundreds of sites
>using Sharepoint for blogs, and anonymous access is an option turned on
>by default. For a real working example, please open the file
>IE_Exploit.txt on the below site and watch filemon dance a jig..
>
>Best,
>Ken
>
>
>Quoting Microsoft Security Response Center <secure@private>:
>
>>Hi Ken,
>>
>>Thanks for your note. This is by-design behavior with SharePoint and
>>Internet Explorer and, as you mentioned, is related to IE MIME type
>>detection. The mitigating circumstance in this scenario is that
>>SharePoint sites are authenticated and it would be possible to "audit
>>and punish" the attacker. Just the same, I'll pass this on to the case
>>manager for this investigation.
>>
>>Thanks,
>>Christopher, CISSP
>>
>>-----Original Message-----
>>From: Ken@private [mailto:Ken@private]
>>Sent: Tuesday 28 March 2006 09:16
>>To: Microsoft Security Response Center
>>Subject: Another Attack Vector
>>
>>There is yet another attack vector for createTextRange() (besides
>>untrusted websites). Windows Sharepoint. If you create a txt file with
>>html tags and post it, say in "Shared Documents", IE will render it as
>>HTML in the browser when the document is clicked on instead of
>>displaying as text. Example:
>>https://foo.org/Shared%20Documents/test2.txt (code is
>>simple html here, but could have been dangerous). You might want to
>>update your advisory to include this.
>>
>>(And, I know you can de-select "Open Files Based on Content, not file
>>extension" under IE, but that opens your host to *other*
>>vulnerabilities.)
>>
>>Username for the system above for a sample doc is:
>>testuser with password of password.
>>
>>Best,
>>Ken
>>
>
>----- End forwarded message -----
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com
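
Added example, not part of the original thread: a server-side check an administrator could run over uploaded documents to flag text files whose content a sniffing browser might render as HTML, the behaviour described in the quoted report. The extension set, the 256-byte leading window, the tag list and the sample uploads are illustrative assumptions, not SharePoint's or IE's own logic.

```python
import os
import re

# Assumptions for illustration: extensions served as text/plain, the size of
# the leading window a sniffing browser inspects, and a sample list of tags.
TEXT_EXTENSIONS = {".txt", ".log", ".csv"}
SNIFF_WINDOW = 256
HTML_TAG = re.compile(
    r"<(?:!doctype\s+html|(?:html|head|body|script|iframe|object|embed|img|a|"
    r"table|form|title|style|meta|link)(?=[\s>/]))",
    re.IGNORECASE,
)

def decode_upload(data: bytes) -> str:
    """Decode by BOM so UTF-16 markup is not missed; fall back to latin-1."""
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8", errors="replace")
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")

def audit_upload(filename: str, data: bytes) -> dict:
    """Classify one upload: skipped, plain, html-in-sniff-window, html-later-in-file."""
    if os.path.splitext(filename)[1].lower() not in TEXT_EXTENSIONS:
        return {"file": filename, "verdict": "skipped", "tag": None}
    early = HTML_TAG.search(decode_upload(data[:SNIFF_WINDOW]))
    hit = early or HTML_TAG.search(decode_upload(data))
    verdict = "html-in-sniff-window" if early else "html-later-in-file" if hit else "plain"
    return {"file": filename, "verdict": verdict, "tag": hit.group(0) if hit else None}

# Constructed sample uploads (harmless markup only).
SAMPLES = {
    "notes.txt": b"Meeting notes\n1. budget < forecast\n2. a > b\n",
    "test2.txt": b"<html><body><b>hello</b></body></html>",
    "padded.txt": b" " * 300 + b"<BODY>late markup</BODY>",
    "utf16.txt": "<html>hi</html>".encode("utf-16"),
    "page.html": b"<html></html>",
}

def audit_all(samples=SAMPLES) -> dict:
    return {name: audit_upload(name, data)["verdict"] for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name:12} {verdict}")
```

Files flagged `html-in-sniff-window` are the ones to review first; `html-later-in-file` is reported separately because a fixed leading window alone would miss it.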



This archive was generated by hypermail 2.1.3 : Tue Mar 28 2006 - 15:15:26 PST