Answered by:
Web Vulnerability Scan on SharePoint 2013

Question
-
Hi,
A security scan was conducted on our customer’s On-Premise SharePoint 2013 farm and the following vulnerabilities were found:
1. Open redirection (DOM-based)
<https>://<WWW>/WebResource.axd
<https>://<MYSITE>/_layouts/15/init.js
<https>://<MYSITE>/_layouts/15/mediaplayer.js
<https>://<MYSITE>/personal/user1/_layouts/15/start.aspx
<https>://<MYSITE>/WebResource.axd
<https>://<MYSITE>/WebResource.axd
<https>://<WWW>/_layouts/15/init.js
<https>://<WWW>/WebResource.axd2. Link manipulation (DOM-based)
<https>://<MYSITE>/_layouts/15/init.js
<https>://<MYSITE>/_layouts/15/init.js
<https>://<MYSITE>/personal/user1/_layouts/15/RssXslt.aspx
<https>://<MYSITE>/personal/user1/_layouts/15/start.aspx
<https>://<MYSITE>/personal/user1/_layouts/15/start.aspx
<https>://<WWW>/_layouts/15/init.jsNote
<WWW> - Web Application hosting the Intranet application
<MYSITE> - SharePoint My Site
=========
Is there any way to prove that above findings does not expose any threat?
I have the scan details but I am not able to attach the docs here. If you need more details please let me know.
Greatly appreciate any feedback. Thank you.
- Edited by PleoData.Kenneth_Ylaya Thursday, March 31, 2016 3:28 AM more details added
- Moved by Just Karl Friday, April 1, 2016 7:56 PM Looking for the correct forum.
Thursday, March 31, 2016 2:59 AM
Answers
-
Hello,
You should ask in the SharePoint 2013 forums
Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})- Proposed as answer by Dave PatrickMVP Saturday, April 2, 2016 9:34 PM
- Marked as answer by Dave PatrickMVP Sunday, April 10, 2016 9:28 PM
Friday, April 1, 2016 7:56 PM
All replies
-
Hello,
The 'Academic Initiatives - Technical Queries' forum is for posts Related to technical / coding / programming related issues as related to Microsoft's Academic Initiatives.
As it's off-topic here, I am moving the question to the Where is the forum for... forum.
Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})Friday, April 1, 2016 7:53 PM -
Hello,
You should ask in the SharePoint 2013 forums
Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})- Proposed as answer by Dave PatrickMVP Saturday, April 2, 2016 9:34 PM
- Marked as answer by Dave PatrickMVP Sunday, April 10, 2016 9:28 PM
Friday, April 1, 2016 7:56 PM