Microsoft SharePoint’s `Follow` Feature XSS (CVE-2017–8514) -Adesh Kolte
Hii Guyz
I am Adesh.Nandkishor Kolte , An Independent Cyber Security Researcher from India
I have been working from last 1 year as a freelancer Security analyst and a bug bounty hunter. I have been acknowledged by renowned companies including Google,Microsoft, AT&T,Avira,Sony,,Oracle, Intel, Dell, Intuit, Eu CERT, Australia CERT, US CERT etc…
Contact Details:
Email:adeshkolte@gmail.com
Phone No: +919011324123
About Vulnerability:
This is common URL for this Type Of Vulnerability
https://<Any SharePoint URL Goes Here>?FollowSite=0&SiteName=’-confirm(document.domain)-’
SharePoint is all about sharing. In this line of direction, SharePoint provides a feature called “Follow” a site in order to get updates on site’s activity in your newsfeed. One way to follow a site is to click on the “Follow” feature available at the top right of the page At this time, SharePoint sends a POST request to the following end-point: bbmsft.sharepoint.com/_vti_bin/client.svc/ProcessQuery (bbmsft is the tenant name in my case and this will be different in your case). I played around with that POST request but was unable to find something interesting. I observed that this is not the only way to follow a site. You can also share your site(s) with others by using the Share feature available at the top right corner. Once you send out Share invitation, on the receiving end email
The URL has two GET parameters i.e., FollowSite=1 and SiteName=<AnySiteNameGoesHere>. The FollowSite GET parameter holds a Boolean value of 0 or 1. 0 for not following and 1 for following. It is a sort of flag. The GET parameter SiteName is of our interest. It is reflected back as a part of script context like the following (watch out for the keyword ReflectionHere). In real life, this would be the name of site you want to follow.
<script type=”text/javascript”>
//<![CDATA[
…
SP.SOD.executeFunc(‘followingcommon.js’, ‘FollowSiteFromEmail’, function() { FollowSiteFromEmail(‘ReflectionHere’); });
…
//]]>
</script>
As you can see in the above code, the developers’re using single quote around ReflectionHere and I found that potentially dangerous characters like ‘, <, > and / etc were not encoded. In order to keep it simple, the XSS payload like ‘-confirm(document.domain)-’ should do the job for you. Further, I noticed that the above inline JavaScript code snippet only appears or becomes a part of DOM if GET parameters (FollowSite and SiteName) are present in the URL.
Vulnerable URL:
https://drumbeat.office.com/Pages/Forms/AllItems.aspx?FollowSite=0&SiteName=1
Payload:
Proof Of Concept:
Hall OF Fame:
Listed In Microsoft Securtiy Resercher Aknowledgement in November 2017 (10Th Times)
Thanks For Reading :}
