CVE-2019-1262 - Stored XSS SharePoint 2013 SP1

Stored or Persistent XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)
We talk about stored or persistent XSS when a web application allows user input to be stored in a data source, and does not properly sanitise the payloads, allowing possible XSS. Every time the payload is rendered in a web page, XSS is triggered, without the need of user interaction. Stored XSS is the most dangerous type of XSS and can lead to:
  • Hijacking the user's browser (for example with the BeEF framework)
  • Capturing sensitive information from users
  • Defacement
  • Drive-by download (malware download)
  • Phishing

Description of CVE-2019-1262

SharePoint 2013 SP1 allows users to upload files to the platform, but it does not correctly sanitise the filename when the files are listed. An authenticated user with the rights to upload files to the SharePoint platform is able to exploit a stored cross-site scripting vulnerability by uploading a file with a crafted filename. The vulnerability is exploitable because the filename is reflected directly in the aria-label attribute of the HTML anchor tag <a>, and its single quotes are converted to double quotes, which allows the attacker to break out of the aria-label attribute and add his/her own payload. If we use the following filename: ' onmouseover=alert(1) ', once the files are listed, our anchor tag looks like the following:
<a class="ms-listlink ms-draggable" href="/FOLDER/' onmouseover=alert(1) '.swf" onmousedown="return VerifyHref(this,event,'1','','')" onclick="return DispEx(this,event,'TRUE','FALSE','FALSE','','1','','','','','4402','0','0','0x7fffffffffffffff')" aria-label="" onmouseover="alert(1)" ',="" swf="" file'="" dragid="219" draggable="true">' onmouseover=alert(1) '</a>
We can see that the aria-label attribute is empty, and that the next attribute on the tag, in this case the onmouseover event handler, comes from our filename.
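As an added illustration (not code from the advisory or from SharePoint), the following JavaScript contrasts a rendering routine that merely swaps single quotes for double quotes, modelled on the behaviour described above, with one that URL-encodes and attribute-encodes the filename; the tokenizer is a simplified stand-in for the browser's attribute parsing, and the folder name and sample filename are constructed.

```javascript
// Added example (not the advisory's or SharePoint's code): contrasts the
// quote-swapping behaviour described above with proper attribute encoding.

// Encode every character that can close or alter an HTML attribute value.
function encodeHtmlAttr(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Flawed rendering, modelled on the behaviour the advisory describes:
// single quotes become double quotes, which closes the double-quoted
// aria-label early and turns the rest of the filename into new attributes.
// Hypothetical reconstruction for illustration, not SharePoint's template.
function renderLinkFlawed(folder, filename) {
  const label = filename.replace(/'/g, '"');
  return `<a class="ms-listlink" href="/${folder}/${filename}" aria-label="${label}">${filename}</a>`;
}

// Hardened rendering: URL-encode each path segment, then attribute-encode
// everything that lands inside an attribute, and entity-encode the text node.
function renderLinkSafe(folder, filename) {
  const href = `/${encodeHtmlAttr(encodeURIComponent(folder))}/${encodeHtmlAttr(encodeURIComponent(filename))}`;
  const enc = encodeHtmlAttr(filename);
  return `<a class="ms-listlink" href="${href}" aria-label="${enc}">${enc}</a>`;
}

// Simplified stand-in for the browser's attribute tokenizer: returns the
// attribute names found on the first <a> tag, so we can see whether an
// event handler the template never declared has appeared.
function attributeNames(markup) {
  const tag = markup.match(/^<a\s([\s\S]*?)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"']*))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Check whether rendered markup exposes any on* event handler attribute.
function exposesEventHandler(markup) {
  return attributeNames(markup).some((n) => /^on[a-z]+$/.test(n));
}

// Constructed sample using the filename shape from the advisory.
const sampleName = "' onmouseover=alert(1) '.swf";
console.log(exposesEventHandler(renderLinkFlawed("docs", sampleName))); // true
console.log(exposesEventHandler(renderLinkSafe("docs", sampleName)));   // false
```

The hardened version keeps the whole filename inside the quoted aria-label value, so no attribute boundary is crossed regardless of which quote character the input uses.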

Steps to reproduce

  1. Login to the SharePoint platform with an admin user, or a user that has the rights to upload files.
  2. Create a file with the following filename: ' onmouseover=alert(1) '. The payload must have the following format: [SINGLE_QUOTE][SPACE][EVENT][=][JAVASCRIPT][SPACE][SINGLE_QUOTE]
  3. Upload the file through the file upload page.
  4. Position the mouse over the filename to trigger the onmouseover event.
The complete security advisory can be found here.

How to fix it

Microsoft released a patch on September 10th.

SharePoint version tested

  • SharePoint 2013 SP1