[WEB SECURITY] MOSS security

Prasad Shenoy prasad.shenoy at gmail.com
Wed May 21 11:54:13 EDT 2008


I did a couple of rounds of testing on MOSS 2007 (SharePoint Portal,
Web Parts etc...) and the reason why MS folks keep going back to
permissions is that that's all there is to focus on for the most part.
Well, having said that, I am not downplaying the likelihood of XSS,
CSRF and the like, but I did not see any obvious issues or "low
hanging fruit" that would indicate a weakness in input/output
validation that can be exploited. Well, as always, that remains true
till the next guy in line finds a hole (or already did find one as
we speak) ....:-)

Thanks,
Prasad
--
Ah! the beauty of hacking....

On Wed, May 21, 2008 at 9:56 AM, David Felio <david at ark.org> wrote:
> After years in the LAMP stack, our company is going towards various MS
> products, including MOSS 2007/WSS 3.0. In various conversations with MS
> folks about security considerations, they always go back to permissions. I
> have not been terribly successful in getting them to discuss security
> beyond/outside setting permissions w/in MOSS correctly.
>
> Does anyone have experience for MOSS (or any SharePoint products) and have
> some ideas about security concerns? One of the things I am concerned about
> is CSRF, since the bulk of the administration is handled via a web
> interface, but there doesn't seem to be much existing research out there
> right now.
>
> Thanks.
>
> David
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List
> Archives:http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>



-- 
Prasad
