This forum is closed. Thank you for your contributions.

Sign in

Microsoft.com

Microsoft

Remove From My Forums

Web Vulnerability Scan on SharePoint 2013

Question
0

Sign in to vote
Hi,

A security scan was conducted on our customer’s On-Premise SharePoint 2013 farm and the following vulnerabilities were found:

1. Open redirection (DOM-based)

<https>://<WWW>/WebResource.axd
<https>://<MYSITE>/_layouts/15/init.js
<https>://<MYSITE>/_layouts/15/mediaplayer.js
<https>://<MYSITE>/personal/user1/_layouts/15/start.aspx
<https>://<MYSITE>/WebResource.axd
<https>://<MYSITE>/WebResource.axd
<https>://<WWW>/_layouts/15/init.js
<https>://<WWW>/WebResource.axd

2. Link manipulation (DOM-based)

<https>://<MYSITE>/_layouts/15/init.js
<https>://<MYSITE>/_layouts/15/init.js
<https>://<MYSITE>/personal/user1/_layouts/15/RssXslt.aspx
<https>://<MYSITE>/personal/user1/_layouts/15/start.aspx
<https>://<MYSITE>/personal/user1/_layouts/15/start.aspx
<https>://<WWW>/_layouts/15/init.js

Note

<WWW> - Web Application hosting the Intranet application

<MYSITE> - SharePoint My Site

=========

Is there any way to prove that above findings does not expose any threat?

I have the scan details but I am not able to attach the docs here. If you need more details please let me know.

Greatly appreciate any feedback. Thank you.
- Edited by PleoData.Kenneth_Ylaya Thursday, March 31, 2016 3:28 AM more details added
- Moved by Just Karl Friday, April 1, 2016 7:56 PM Looking for the correct forum.
Thursday, March 31, 2016 2:59 AM

Answers

1

Sign in to vote
Hello,

You should ask in the SharePoint 2013 forums

Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})
- Proposed as answer by Dave PatrickMVP Saturday, April 2, 2016 9:34 PM
- Marked as answer by Dave PatrickMVP Sunday, April 10, 2016 9:28 PM
Friday, April 1, 2016 7:56 PM

All replies

0

Sign in to vote

Hello,

The 'Academic Initiatives - Technical Queries' forum is for posts Related to technical / coding / programming related issues as related to Microsoft's Academic Initiatives.

As it's off-topic here, I am moving the question to the Where is the forum for... forum.

Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

Friday, April 1, 2016 7:53 PM
1

Sign in to vote
Hello,

You should ask in the SharePoint 2013 forums

Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})
- Proposed as answer by Dave PatrickMVP Saturday, April 2, 2016 9:34 PM
- Marked as answer by Dave PatrickMVP Sunday, April 10, 2016 9:28 PM
Friday, April 1, 2016 7:56 PM