XSS leak in SharePoint 2007

So, it has been a while since my last post. This was caused by the Dutch elections and of course the World Championship soccer in South Africa. General outcome: the Dutch team advanced to the next round and the political landscape is a mess. Let us focus on SharePoint once again 😉

During a security audit, one of our customers encountered a security breach in SharePoint, caused by help.aspx. More specifically, /_layouts/help.aspx. On this page it is possible to insert JavaScript in the URL and modify the page layout, which opens the door to phishing. An explanation of the breach can be found here.

We have reported this to Microsoft and they have released a hotfix to counter this problem. The hotfix is reported in KB article KB 2028554. In intranet situations, the risk is minimal as the attack needs to come from the inside. But for internet-facing sites, this could pose a problem. You can easily test whether or not your site is prone to the breach by using the URL below on your site:


If your site is prone, you will see a JavaScript popup stating your site is hacked. For our customer, we requested the hotfix from MS and deployed it to our test environment. What is important to note here is that, like all hotfixes, there are two versions of the hotfix (or actually 4). One for WSS and one for MOSS. These are also mentioned in different knowledge base articles, to keep things simple.

WSS 3.0 hotfix: KB983444
MOSS hotfix: KB979445

Both have 32-bit and 64-bit versions, which totals 4. The fix we are looking for resides in the WSS 3.0 hotfix, although also applying the MOSS hotfix on an environment that is running MOSS is obviously a good thing. But to resolve the matter at hand, only the WSS hotfix is needed.
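While the hotfix is being rolled out, the IIS logs of an internet-facing site can be checked for requests that put script markup in the help.aspx URL. The following is an added example, not part of the original post or of any Microsoft tooling: it assumes IIS W3C extended logs with a `#Fields:` header, and the log lines, the parameter names `x` and `topic`, and the IP addresses are all constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-06-28 09:14:02 GET /_layouts/help.aspx topic=getting-started 10.0.0.15 200
2010-06-28 09:15:40 GET /_layouts/help.aspx x=%3Cscript%3Ealert(1)%3C%2Fscript%3E 203.0.113.7 200
2010-06-28 09:16:11 GET /_layouts/HELP.ASPX x=%253Cimg+src%253Dx+onerror%253Dalert(1)%253E 203.0.113.7 200
2010-06-28 09:17:05 GET /_layouts/viewlsts.aspx - 10.0.0.15 200
"""

TARGET = "/_layouts/help.aspx"
# Script tags, inline event handlers and javascript: URIs in the decoded query.
MARKUP = re.compile(r"<\s*script|<[^>]*\son\w+\s*=|javascript:", re.I)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_help_requests(log_text):
    """Return (date, time, client_ip, decoded_query) for flagged help.aspx hits."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is set by the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS paths are case-insensitive, so compare the stem in lower case.
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        query = decode_fully(row.get("cs-uri-query", ""))
        if MARKUP.search(query):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), query))
    return hits

if __name__ == "__main__":
    for hit in suspicious_help_requests(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Hits from external addresses against an unpatched farm are worth following up; the pattern list is a starting point and will not catch every encoding.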

Till next time.