none
Sharepoint Javascript for DOM-based Cross Site Scripting Vulnerability RRS feed

  • Question

  • Hi Sir,

    I would like to check about "DOM-based Cross Site Scripting Vulnerability".

    According to scanning result to my SharePoint project, "core.js" from _layouts/1033/core.js?rev=S5dt4K8TJGVTYU9HrW6enw%3D%3D is found out as DOM-based XSS attack.

    here is the list from _layouts/1033/core.js?rev=S5dt4K8TJGVTYU9HrW6enw%3D%3D

    • Line 4470:Unsafe client output setting document.cookie to tainted value
    • Line 4470:String concatenation with user-controlled value
    • Line 2872:Assignment of "path" to user-controlled value
    • Line 2872:String concatenation with user-controlled value
    • Line 2855:Assignment of "path" to user-controlled value
    • Line 2855:String concatenation with user-controlled value
    • Line 2844:Initialization of "source" from user-controlled value
    • Line 2844:"window.location.href" is controlled by the user

    As per searched, there is CVE-2012-1863 patch that Microsoft released for JavaScript cross sit scripting vulnerability. Notes: My system is implemented with SharePoint service 3.0.

    So , I would like to know that CVE-2012-1863 patches would be protected for DOM-based Cross Site Scripting?

    if it is not, can you let me know which patches should install in order to prevent this DOM-based XSS attack for SharePoint JavaScript attack?

    Thanks

    Su

    Wednesday, June 17, 2015 2:26 AM