[WEB SECURITY] MOSS security

Chris Weber (Casaba Security) chris at casabasecurity.com
Fri May 23 14:12:29 EDT 2008


Out-of-the-box I'm not sure - there's some 'Content Type' configurations
available under a doclib but I haven't played with those.  I'm not even sure
what good that would do - then you run into questions like 'should we parse
files to validate types?' 'what types of canonicalization issues pop up?',
etc.  One thing you can do is set up a workflow rule to require approval of
any uploaded content.  Of course you can always customize and extend too.

Chris
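Added example (not code from the thread, SharePoint, or Casaba): a Python sketch of the two controls discussed in this reply and the one quoted below, an upload-time extension allow-list that canonicalizes the name first (the canonicalization questions raised above), and a response-header function that forces Content-Disposition: attachment so an uploaded file downloads instead of rendering in the site's origin, plus an audit check for the text/html case. The allowed-extension list and the header values are assumptions.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

def canonical_name(raw):
    """Reduce an uploaded name to the form the server will actually store and
    later serve. Undoes (double) percent-encoding, folds Unicode look-alikes
    (fullwidth '.' becomes '.'), truncates at NUL as a C string would, drops
    any path, and strips trailing dots/spaces that NTFS ignores."""
    name = raw
    for _ in range(3):                      # "%2500" -> "%00" -> NUL
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    name = unicodedata.normalize("NFKC", name)
    name = name.split("\x00", 1)[0]
    name = posixpath.basename(name.replace("\\", "/"))
    return name.rstrip(". ").lower()

def extension_of(raw):
    base = canonical_name(raw)
    return base.rsplit(".", 1)[1] if "." in base else ""

def upload_allowed(raw, allowed=("pdf", "docx", "xlsx", "txt")):
    """Allow-list check on the canonical extension (assumed list)."""
    return extension_of(raw) in allowed

def download_headers(raw):
    """Headers for serving any user-uploaded file: force a download instead of
    rendering in the site's origin, and stop the browser from sniffing."""
    safe = "".join(c for c in canonical_name(raw)
                   if 32 <= ord(c) < 127 and c not in '"\\')
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }

def renders_in_origin(headers):
    """Audit check on a captured response: True if the file would load as an
    active document in the site's origin, as in the myfile.html example."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disp = headers.get("Content-Disposition", "").split(";")[0].strip().lower()
    return ctype in ("text/html", "application/xhtml+xml", "image/svg+xml") and disp != "attachment"
```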

-----Original Message-----
From: Prasad Shenoy [mailto:prasad.shenoy at gmail.com] 
Sent: Friday, May 23, 2008 11:01 AM
To: Chris Weber (Casaba Security)
Cc: WASC Forum
Subject: Re: [WEB SECURITY] MOSS security

Oh I see what you mean. Yeah, that is an outstanding issue. One
problem I have with Document Libraries is that they do not let you
restrict by file types either....do they?

Prasad

On Fri, May 23, 2008 at 1:53 PM, Chris Weber (Casaba Security)
<chris at casabasecurity.com> wrote:
> Meaning, you can upload html files to a doclib and they'll be loaded as any
> hosted html file in that domain.  So if you have uploaded a file called
> 'myfile.html' and you navigate to:
>
> http://mysharepoint/Shared%20Documents/myfile.html
>
> Then myfile.html loads in the browser as any other html file would in that
> domain (as Content-Type: text/html).  There might be a setting to mitigate
> this by forcing a Content-Disposition: attachment header (a download dialog
> prompt) but I'm not sure.  Someone with more Sharepoint knowledge would
> know.  Otherwise you could customize the code yourself to force this.
>
> Thanks,
> Chris
>
>
> -----Original Message-----
> From: Prasad Shenoy [mailto:prasad.shenoy at gmail.com]
> Sent: Thursday, May 22, 2008 6:34 PM
> To: Chris Weber (Casaba Security)
> Cc: WASC Forum
> Subject: Re: [WEB SECURITY] MOSS security
>
> Very nice Chris. After reading your blog, I am going to revisit some
> of the deployments tomorrow but just a quick question while I am at
> it. When you talk about XSS in Document Libraries, do you mean a
> contributor can inject a script in the name/description of a document?
> Or something else? Where can I get more information on this particular
> topic?
>
> Thanks.
>
> Prasad
>
> On Thu, May 22, 2008 at 8:00 PM, Chris Weber (Casaba Security)
> <chris at casabasecurity.com> wrote:
>> David, MOSS has built-in CSRF protections via the
>> SPUtility.ValidateFormDigest() method inherited from its master page.
>> There's also built-in XSS protection on ListItems, but not the document
>> library - watch out there.  You should also look for the use of
>> SPSecurity.RunWithElevatedPermissions() when you start building apps on top
>> of MOSS.  I wrote a bit about these and point to some other references here:
>>
>> http://lookout.net/2008/04/22/sharepoint-wss-and-moss-application-development-and-security-testing/
>>
>> thanks,
>> Chris
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: David Felio [mailto:david at ark.org]
>> Sent: Wednesday, May 21, 2008 6:56 AM
>> To: WASC Forum
>> Subject: [WEB SECURITY] MOSS security
>>
>> After years in the LAMP stack, our company is going towards various MS
>> products, including MOSS 2007/WSS 3.0. In various conversations with
>> MS folks about security considerations, they always go back to
>> permissions. I have not been terribly successful in getting them to
>> discuss security beyond/outside setting permissions w/in MOSS correctly.
>>
>> Does anyone have experience for MOSS (or any SharePoint products) and
>> have some ideas about security concerns? One of the things I am
>> concerned about is CSRF, since the bulk of the administration is
>> handled via a web interface, but there doesn't seem to be much
>> existing research out there right now.
>>
>> Thanks.
>>
>> David
>>
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>
>>
>>
>>
>
>
>
> --
> Ah! the beauty of hacking....
>
>
>
>



-- 
Ah! the beauty of hacking....
