Today we released Security Advisory 983438 informing customers of a cross-site scripting (XSS) vulnerability in SharePoint Server 2007 and SharePoint Services 3.0. Here we would like to give further technical information about this vulnerability.
What is the attack vector?
SharePoint uses HttpOnly cookies for authentication. HttpOnly cookies are not accessible through script, which significantly mitigates the risk of XSS attacks. For more information, please refer to Mitigating Cross-site Scripting With HTTP-only Cookies.
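The HttpOnly mitigation only helps if every authentication cookie actually carries the flag, so an administrator will want to check what the server is really sending. The following PowerShell is an added example, not code from the advisory or from SharePoint itself: it parses Set-Cookie header lines and reports which cookies lack HttpOnly (and, as a bonus, Secure). The sample header lines are constructed for illustration, and the URL passed to Get-SetCookieHeaders is a placeholder.

```powershell
# Added example: audit Set-Cookie headers for the HttpOnly flag.
# Not from the MSRC post; cookie names below are constructed, the URL is a placeholder.

function Get-CookieFlags {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$SetCookieHeaders
    )
    foreach ($header in $SetCookieHeaders) {
        # A Set-Cookie value is "NAME=VALUE; attr; attr=..." - the first item is the cookie itself,
        # the remaining items are attributes such as Path, Secure and HttpOnly.
        $parts = $header -split ';' | ForEach-Object { $_.Trim() }
        $name  = ($parts[0] -split '=', 2)[0]
        $attrs = @($parts | Select-Object -Skip 1)
        $hasHttpOnly = @($attrs | Where-Object { $_ -ieq 'HttpOnly' }).Count -gt 0
        $hasSecure   = @($attrs | Where-Object { $_ -ieq 'Secure' }).Count -gt 0
        # New-Object PSObject keeps this runnable on PowerShell 2.0 (no [pscustomobject] cast)
        New-Object -TypeName PSObject -Property @{
            Name     = $name
            HttpOnly = $hasHttpOnly
            Secure   = $hasSecure
        }
    }
}

# Fetch the raw Set-Cookie headers from a live response without following redirects,
# so the cookies issued by the first hop are the ones inspected. Uses the caller's
# Windows credentials (what a SharePoint site with integrated auth expects).
function Get-SetCookieHeaders {
    param([Parameter(Mandatory = $true)][string]$Url)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $request.AllowAutoRedirect = $false
    $response = $request.GetResponse()
    try {
        # GetValues returns one string per Set-Cookie header, or $null if none were sent
        $values = $response.Headers.GetValues('Set-Cookie')
        if ($null -eq $values) { return @() }
        return $values
    } finally {
        $response.Close()
    }
}

# Constructed sample headers: one cookie is missing HttpOnly and should be flagged.
$sampleHeaders = @(
    'AuthToken=abc123; path=/; HttpOnly',
    'SessionPref=xyz; path=/',
    'SiteSession=def456; path=/; secure; HttpOnly'
)
Get-CookieFlags -SetCookieHeaders $sampleHeaders |
    Where-Object { -not $_.HttpOnly } |
    Select-Object Name, HttpOnly, Secure

# Live check against your own server (placeholder URL; run from a client that can authenticate):
# Get-CookieFlags -SetCookieHeaders (Get-SetCookieHeaders -Url 'https://sharepoint.example.invalid/') |
#     Where-Object { -not $_.HttpOnly }
```

Run against the sample data the script lists only `SessionPref`. When pointed at a real site, anything listed is a cookie that script on the page could read, so it does not benefit from the mitigation described above and deserves a closer look at which component sets it.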
IE8’s XSS filter is enabled by default in the Internet zone. The IE8 XSS filter catches this class of XSS attacks, so users of IE8 are at reduced risk from this vulnerability. IE8’s XSS filter is not enabled in the Local intranet zone. It can be turned on in the Local intranet zone via the following UI.
Alternatively, administrators can enable or disable the XSS Filter for any zone via Group Policy. Please refer to Group Policy and Internet Explorer 8 for more details.
We recommend a server-side workaround: restrict the file permissions (ACL) on help.aspx so that it can no longer be served. If you enable this workaround, you will be unable to view Help content within your SharePoint site. For users who implement the server-side mitigation, help content in English is available here as an alternative to SharePoint-provided help:
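The following PowerShell is an added example of how an administrator might apply, verify and later revert that ACL restriction; it is not the advisory's own workaround script. It assumes `icacls` (present on Windows Server 2003 SP2 and later) and must be run elevated on the SharePoint server. The path to help.aspx is a placeholder: the advisory identifies the file but this post gives no path, so supply the location from your own installation. The function names are hypothetical.

```powershell
# Added example, not from the MSRC post: deny read access to help.aspx, check it, undo it.
# $HelpAspx is a PLACEHOLDER - replace with the real path of help.aspx on your server.

function Invoke-HelpAspxWorkaround {
    param([Parameter(Mandatory = $true)][string]$HelpAspx,
          [string]$RecordFile = (Join-Path $env:TEMP 'help.aspx.sddl.before.txt'))
    if (-not (Test-Path -LiteralPath $HelpAspx)) {
        throw "help.aspx not found at '$HelpAspx' (placeholder path not replaced?)"
    }
    # Record the pre-change security descriptor (SDDL) so the original ACL is documented
    (Get-Acl -LiteralPath $HelpAspx).Sddl | Out-File -FilePath $RecordFile -Encoding ASCII
    # Add a Deny-Read ACE for Everyone (well-known SID S-1-1-0, so it works in any locale).
    # A Deny ACE takes precedence over Allow entries, so the IIS worker process can no
    # longer read the file and the page stops being served - which is the intended effect.
    & icacls $HelpAspx /deny '*S-1-1-0:(R)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed with exit code $LASTEXITCODE" }
}

function Test-HelpAspxWorkaround {
    # Returns $true when an explicit Deny-Read ACE for Everyone is present on the file
    param([Parameter(Mandatory = $true)][string]$HelpAspx)
    $acl   = Get-Acl -LiteralPath $HelpAspx
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $deny  = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    return (@($deny).Count -gt 0)
}

function Undo-HelpAspxWorkaround {
    # Removes the Deny ACEs for Everyone again once the security update is installed.
    # Note: /remove:d strips every Deny entry for that SID, not only the one added above.
    param([Parameter(Mandatory = $true)][string]$HelpAspx)
    & icacls $HelpAspx /remove:d '*S-1-1-0' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove:d failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder path):
$helpAspx = 'C:\PLACEHOLDER\help.aspx'
Invoke-HelpAspxWorkaround -HelpAspx $helpAspx
if (Test-HelpAspxWorkaround -HelpAspx $helpAspx) {
    Write-Host "Workaround applied: help.aspx is no longer readable by Everyone."
} else {
    Write-Warning "Deny ACE not found on $helpAspx; check that the command ran elevated."
}
# After the update is installed:
# Undo-HelpAspxWorkaround -HelpAspx $helpAspx
```

After applying it, confirm from a browser that the help page is no longer returned, and keep the recorded SDDL file with your change log so the revert can be checked against the original state once the fix is deployed.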
Jonathan Ness, David Ross, and Chengyun Chu, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no