-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-019
Product: Microsoft SharePoint 2013
Manufacturer: Microsoft Corporation
Affected Version(s): Microsoft SharePoint 2013 15.0.0.4693
Tested Version(s): Microsoft SharePoint 2013 15.0.0.4693
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-03-04
Solution Date: Unknown
Public Disclosure: 2016-06-22
CVE Reference: Not yet assigned
Author of Advisory: Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft SharePoint is a web application platform in the Microsoft
Office server suite. It combines various functions which are
traditionally separate applications, for instance intranet, extranet,
web content management, or an enterprise application store.

The software manufacturer Microsoft Corporation describes the product as
follows (see [1]):

"Organizations use SharePoint to create websites. You can use it as a
secure place to store, organize, share, and access information from
almost any device. All you need is a web browser, such as Internet
Explorer, Google Chrome, or Mozilla Firefox."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the parameter isStartPlt1 in different ASPX
pages, like calendar.aspx, listform.aspx, or Allitems.aspx, within the
Microsoft SharePoint 2013 application is prone to reflected cross-site
scripting attacks.

This cross-site scripting vulnerability allows an attacker to send a
manipulated link to a victim in order to execute arbitrary JavaScript
code in the context of the victim's web browser.
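From a defender's side, the practical question after an advisory like this is whether anyone has been sending such links against your farm. The following script is an added example, not code from SySS or Microsoft: it scans web-server log lines for requests that carry the isStartPlt1 parameter and flags values that do not look legitimate. It assumes that a legitimate isStartPlt1 value is a plain integer (a timing value on SharePoint AJAX requests; this is an assumption, not something the advisory states), uses a simplified, constructed W3C-style log layout (date, time, client IP, method, URI stem, URI query, status), and inspects only the query string, since the PRAGMA header the advisory mentions is not among the default IIS W3C log fields. Values containing HTML/JS metacharacters after URL decoding (including a second decoding pass for double-encoded probes) are reported as probable XSS attempts; non-numeric values without such characters are reported as anomalous.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Parameter named in the advisory.
PARAM = "isStartPlt1"

# Tokens that have no place in a numeric timing parameter but are needed to
# break out of an attribute or to inject markup/script.
META = re.compile(r"""[<>'"]|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def classify_value(value):
    """Classify one already-URL-decoded parameter value.

    Returns 'ok' for a plain integer (assumed legitimate form),
    'xss-probe' if markup/script metacharacters are present, and
    'anomalous' for anything else.
    """
    # Check the value as decoded by the query parser and after one more
    # decoding pass, so double-encoded probes (%2527 -> %27 -> ') are caught.
    for candidate in (value, unquote_plus(value)):
        if META.search(candidate):
            return "xss-probe"
    if re.fullmatch(r"\d+", value):
        return "ok"
    return "anomalous"


def parse_log_line(line):
    """Split one line of the constructed 7-field log layout into a dict.

    Layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    ('-' in cs-uri-query means no query string). Returns None if the line
    does not fit that layout.
    """
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, client, method, stem, query, status = parts
    return {
        "time": f"{date} {time}",
        "client": client,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": status,
    }


def scan_log(lines):
    """Return (time, client, stem, decoded value, verdict) tuples for every
    request whose isStartPlt1 value is not classified 'ok'."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["query"]:
            continue
        values = parse_qs(rec["query"], keep_blank_values=True).get(PARAM, [])
        for value in values:
            verdict = classify_value(value)
            if verdict != "ok":
                findings.append((rec["time"], rec["client"], rec["stem"], value, verdict))
    return findings


# Constructed sample log lines (not real traffic). Addresses are from the
# documentation ranges; the second line's value is the "1'>" fragment quoted in
# the advisory's PoC, the fourth is the same fragment double-encoded.
SAMPLE_LOG = [
    "2016-06-22 10:00:01 192.0.2.10 GET /sites/team/Lists/Calendar/calendar.aspx AjaxDelta=1&isStartPlt1=1466589601234 200",
    "2016-06-22 10:00:07 192.0.2.10 GET /sites/team/Lists/Tasks/listform.aspx PageType=8&AjaxDelta=1&isStartPlt1=1%27%3E 200",
    "2016-06-22 10:00:09 198.51.100.7 GET /sites/team/Lists/Tasks/AllItems.aspx isStartPlt1=abc 200",
    "2016-06-22 10:00:11 198.51.100.7 GET /sites/team/Lists/Calendar/calendar.aspx AjaxDelta=1&isStartPlt1=9%2527%253E 200",
    "2016-06-22 10:00:15 192.0.2.44 GET /sites/team/default.aspx - 200",
]

if __name__ == "__main__":
    for time, client, stem, value, verdict in scan_log(SAMPLE_LOG):
        print(f"{time} {client} {stem} {PARAM}={value!r} -> {verdict}")
```

Adapt `parse_log_line` to the field order your IIS site actually logs (the W3C field list is configurable) before running it over real logs; the classification logic itself is independent of the log layout.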
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) calendar.aspx (request calendar functionality)

The following URL is an example of an attack vector exploiting a
reflected cross-site scripting vulnerability via the URL parameter
"isStartPlt1" of the request calendar functionality:

https:////calendar.aspx??AjaxDelta=1&isStartPlt1= 1'>3=1

2) listform.aspx (list functionality)

The following URL is an example of an attack vector exploiting a
reflected cross-site scripting vulnerability via the URL parameter
"isStartPlt1" of the list functionality:

https:////listform.aspx?PageType=8&ListId=%7B2BB168C3%2D1280%2D4EC0%2D9A77%2D033645D91330%7D&RootFolder=&Source=https%3A////Homepage%2Easpx&AjaxDelta=1&isStartPlt1=9 =1

The only requirement for successfully exploiting this vulnerability is
that the following HTTP header must be set:

PRAGMA: SharePointAjaxDelta=

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the Microsoft Corporation, the described
security issue could not be reproduced in version 15.0.4805.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-03-04: Vulnerability reported to manufacturer
2016-03-31: Manufacturer acknowledges e-mail with SySS security advisory
            and describes the security issue as fixed
2016-06-22: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for Microsoft SharePoint 2013
    https://support.office.com/en-us/article/Get-started-with-SharePoint-909ec2f0-05c8-4e92-8ad3-3f8b0b6cf261
[2] SySS Security Advisory SYSS-2016-019
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-019.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sven Freund of the SySS GmbH.

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXakW6AAoJEIpfqFNBXUbcKZwH/0Jtv+fhlo9SeclThYNrxbVD
9pT6oLPHDQBEd/LRH/QZnHWELNMxsRIw/kT8LsDfIPBP6loIemvxVt++5QUGZ1c1
33C04eS29mh2TYETdisbWrWGCPZjllRolLqJ+mzvGSYXqcqbwSaIV25eEAbQ5QWR
EgSmeeLvVFLorV5Ekv5b4+LsG8fVCi7uLPBn8JGlmhIIE0ZE8IfVUt2a6e3gs8TA
5sIu0LCJ37zmsAaXSPbvgzFDU+K+G9MCIYlUGbSXPTpnp+VfQGmT9rlPhSlGXnst
HATVMt5yd2Uo5TI4IUxetT7k7hMtXt3Dt2ohJa7lWxIb6nS7i/KaCVR36EvalRc=
=XR9R
-----END PGP SIGNATURE-----