Thursday, August 11, 2016

[FD] Microsoft Education - Stored Cross Site Web Vulnerability

Document Title:
===============
Microsoft Education - Stored Cross Site Web Vulnerability

References (Source):
====================
http://ift.tt/2aLTjeb

Release Date:
=============
2016-08-10

Vulnerability Laboratory ID (VL-ID):
====================================
1897

Common Vulnerability Scoring System:
====================================
3.6

Product & Service Introduction:
===============================
Our mission is creating immersive and inclusive experiences that inspire lifelong learning, stimulating development of essential life skills and supporting educators in guiding and nurturing student passions. We empower students and educators to create and share in entirely new ways, to teach and learn through exploration, to adapt to individual learning needs, so they can make, design, invent and build with technology.

(Copy of the Vendor Homepage: http://ift.tt/1K3NRUM )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a stored cross site scripting vulnerability in the official Microsoft Education online service web-application.

Vulnerability Disclosure Timeline:
==================================
2016-05-01: Researcher Notification & Coordination (SaifAllah benMassaoud)
2016-04-03: Vendor Notification (Microsoft Security Response Center - MSRC)
2016-05-19: Vendor Fix/Patch (Microsoft Developer Team - Online Services)
2016-06-07: Security Acknowledgements (Microsoft Security Response Center - MSRC)
2016-08-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Microsoft Corporation
Product: Education - Online Service (Web-Application) 2016 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A stored cross site scripting web vulnerability has been discovered in the official Microsoft Education online service web-application. The stored cross site scripting vulnerability allows remote attackers to inject their own malicious script code into the application side of the module.

The stored cross site scripting web vulnerability is located in the `Default.aspx` file GET method request. During exploitation, the victim's education account retrieves the malicious script from the server when it requests the stored database information. The attack vector of the issue is application-side and the request method to inject the payload is POST. The execution occurs in the default.aspx file context after the about me page is reviewed via a GET method request.

The security risk of the cross site web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) count of 3.6. Exploitation of the input validation web vulnerability requires a low privileged web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /Create-My-Account/

Vulnerable File(s):
[+] Default.aspx

Affected Module(s):
[+] About Me

Proof of Concept (PoC):
=======================
The stored XSS vulnerability can be exploited by remote attackers with a low privileged web-application user account and low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: HTML
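The store-then-render flow from the technical details above, as an added defensive example that is not part of the advisory, the researcher's PoC or Microsoft's code: a value saved on the POST side is written into the About Me page on the GET side, once as-is and once HTML-encoded, and a parser-based check reports any markup that survived. The in-memory store, the function names, the `about-me` element and the inert marker value are all assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical in-memory stand-in for the profile database.
PROFILES = {}

def save_about_me(user, text):
    """POST side: the value is stored exactly as submitted."""
    PROFILES[user] = text

def render_unencoded(user):
    """GET side as the advisory describes it: stored text goes into the page as-is."""
    return '<div id="about-me">' + PROFILES[user] + '</div>'

def render_encoded(user):
    """GET side with output encoding: markup characters become entities."""
    return '<div id="about-me">' + html.escape(PROFILES[user], quote=True) + '</div>'

class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def unexpected_tags(page):
    """Return start tags other than the template's own about-me div."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t != ("div", {"id": "about-me"})]

# Constructed, inert marker: it only shows whether stored markup reaches the page.
MARKER = '<b data-test="stored-marker">hello</b> & "quotes"'

def check():
    """Store the marker, render both ways, and list surviving markup for each."""
    save_about_me("alice", MARKER)
    return (unexpected_tags(render_unencoded("alice")),
            unexpected_tags(render_encoded("alice")))

if __name__ == "__main__":
    unencoded, encoded = check()
    print("unencoded render, unexpected tags:", unencoded)
    print("encoded render, unexpected tags:", encoded)
```

The same check works as a regression test against a real profile page: store the marker through the normal form, fetch the rendered page, and fail the build if `unexpected_tags` returns anything.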
