Web Vulnerability Scan on SharePoint 2013

  • Question

  • Hi,

    A security scan was conducted on our customer’s On-Premise SharePoint 2013 farm and the following vulnerabilities were found:

    1. Open redirection (DOM-based)

        https://<WWW>/WebResource.axd
        https://<MYSITE>/_layouts/15/init.js
        https://<MYSITE>/_layouts/15/mediaplayer.js
        https://<MYSITE>/personal/user1/_layouts/15/start.aspx
        https://<MYSITE>/WebResource.axd
        https://<MYSITE>/WebResource.axd
        https://<WWW>/_layouts/15/init.js
        https://<WWW>/WebResource.axd

    2. Link manipulation (DOM-based)

        https://<MYSITE>/_layouts/15/init.js
        https://<MYSITE>/_layouts/15/init.js
        https://<MYSITE>/personal/user1/_layouts/15/RssXslt.aspx
        https://<MYSITE>/personal/user1/_layouts/15/start.aspx
        https://<MYSITE>/personal/user1/_layouts/15/start.aspx
        https://<WWW>/_layouts/15/init.js

    Note:

    <WWW> - Web Application hosting the Intranet application

    <MYSITE> - SharePoint My Site

    =========

    Is there any way to prove that the above findings do not expose any threat?

    I have the scan details but I am not able to attach the docs here. If you need more details please let me know.

    Greatly appreciate any feedback. Thank you.

    Thursday, March 31, 2016 2:59 AM
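Editorial note on the two finding classes in the question above (added here; not part of the original thread and not SharePoint code). A "DOM-based open redirection" or "DOM-based link manipulation" report from a scanner says only that a script reads something the user can influence (typically a query parameter) and feeds it to `location` or to an element's `href`. Whether that is a real exposure depends on what the script does with the value before it reaches the sink. The example below shows the check a reviewer looks for when triaging such a finding: a redirect target is only accepted if it resolves to the page's own origin. The parameter name `ReturnUrl`, the host `intranet.example` and the two sink functions are hypothetical, constructed for the example.

```javascript
// Added example (not from the thread or from SharePoint): triage helper for a
// DOM-based open-redirect / link-manipulation finding. The same check applies
// to both, because both come down to "where does this URL value end up?".

// Returns true only if `target` resolves (relative to `pageOrigin`) to an
// http/https URL on the same origin as the page. Protocol-relative URLs
// ("//other.example"), backslash variants, other hosts and non-http schemes
// such as javascript: or data: are all rejected.
function isSafeRedirectTarget(target, pageOrigin) {
  if (typeof target !== 'string' || target.trim() === '') return false;
  let resolved;
  try {
    // Resolve the way a browser would, so "/path", "//host" and "\\host"
    // are interpreted consistently (WHATWG URL parser, built into Node).
    resolved = new URL(target, pageOrigin);
  } catch (e) {
    return false; // unparsable input: refuse rather than guess
  }
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') return false;
  return resolved.origin === new URL(pageOrigin).origin;
}

// Hypothetical "before": the pattern a scanner reports. The ReturnUrl
// parameter flows straight into the navigation sink. Returns the destination
// it would navigate to (null if none) so the behaviour can be checked.
function unsafeRedirect(currentUrl, navigate) {
  const ret = new URL(currentUrl).searchParams.get('ReturnUrl');
  if (!ret) return null;
  navigate(ret);
  return ret;
}

// Hypothetical "after": same flow, gated by the origin check, with a fixed
// fallback path when the value is missing or points off-origin.
function safeRedirect(currentUrl, navigate) {
  const page = new URL(currentUrl);
  const ret = page.searchParams.get('ReturnUrl');
  const dest = isSafeRedirectTarget(ret, page.origin) ? ret : '/';
  navigate(dest);
  return dest;
}

// Triage report for one scanner finding: given the URL the scanner flagged
// and a constructed ReturnUrl value, say whether the unsafe sink would leave
// the origin and whether the hardened sink would. Used to document a finding
// as "not exploitable" only when the real page code contains such a check.
function triageRedirectFinding(flaggedUrl, candidate) {
  const page = new URL(flaggedUrl);
  page.searchParams.set('ReturnUrl', candidate);
  const log = [];
  const navigate = d => log.push(d);
  const unsafeDest = unsafeRedirect(page.href, navigate);
  const safeDest = safeRedirect(page.href, navigate);
  return {
    unsafeLeavesOrigin: unsafeDest !== null && !isSafeRedirectTarget(unsafeDest, page.origin),
    hardenedLeavesOrigin: !isSafeRedirectTarget(safeDest, page.origin),
  };
}

// Constructed sample run, modelled on one flagged path from the question.
const sample = triageRedirectFinding(
  'https://intranet.example/personal/user1/_layouts/15/start.aspx',
  '//other.example/'
);
console.log(sample); // { unsafeLeavesOrigin: true, hardenedLeavesOrigin: false }
```

Run with `node`. To use this against a real finding, replace the hypothetical sink functions with the actual code path the scanner traced (the script and the sink it named), and treat a finding as closed only when the value passes a check equivalent to `isSafeRedirectTarget` before it reaches `location` or `href`; a scanner report alone proves neither exploitability nor its absence.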

All replies

  • Hello,

    The 'Academic Initiatives - Technical Queries' forum is for posts related to technical / coding / programming issues as related to Microsoft's Academic Initiatives.

    As it's off-topic here, I am moving the question to the Where is the forum for... forum.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Friday, April 1, 2016 7:53 PM
  • Hello,

    You should ask in the SharePoint 2013 forums.

    Karl


    Friday, April 1, 2016 7:56 PM