Vigil@nce: Microsoft Office SharePoint, access to the administration interface
December 2008 by Vigil@nce
An attacker can access part of the administration interface
of Microsoft Office SharePoint.
– Gravity: 2/4
– Consequences: privileged access/rights
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 10/12/2008
IMPACTED PRODUCTS
– Microsoft Office SharePoint Server
DESCRIPTION
Access to the administration interface of Microsoft Office
SharePoint requires authentication.
However, one area of this interface does not require
authentication.
An attacker can therefore use a direct URL in order to:
– overload the server
– obtain path names
– obtain email addresses
– create scripts to be run in the context of the web site
CHARACTERISTICS
– Identifiers: 957175, BID-32638, CVE-2008-4032, MS08-077,
VIGILANCE-VUL-8309
– Url: http://vigilance.fr/vulnerability/8309