Microsoft issued an advisory about an unpatched cross-site scripting vulnerability in SharePoint Server 2007 and SharePoint Services 3.0 that allows an attacker to run malicious JavaScript on the SharePoint server. Since SharePoint is one of those products that (like homegrown intranets) is rapidly rolled out to meet “need to share” demands, vulnerabilities are magnified, because a lot of sensitive information is often what is shared.
So, it's important to emphasize “need to protect” everywhere “need to share” is rushed out. In the case of this SharePoint vulnerability, Microsoft's advisory says there is a server-side workaround, but right now the link doesn't seem to get you anywhere. Until a workaround, or even better an actual patch, is available, take a look at any exposed SharePoint services to see if there are any IPS or Web Application Firewall mitigations available.
There were also reports of a new cross-site scripting vulnerability in Facebook, sort of the poster child for consumer-grade “need to share” software. The real lesson in all this, of course, is that in general too many products that are focused on the need to exploit the value of information are written with sort of a “drill, baby, drill” kind of excitement, and often lead to “information spills” unless you add protection around them.
A more pithy version of this can be found here.
John Pescatore