Security researchers found serious vulnerability in Microsoft SharePoint can lead a sniffing attack which can steal your personal data. So-called frame-sniffing attacks involve the use of a hidden HTML frame to load a target website inside the attacker's malicious webpage. Using the tactic, attackers would be able to read information about the content and structure of the framed pages. "Using frame-sniffing it's possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query,” explained Paul Stone, senior security consultant at Context. "For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information." Context researchers tested SharePoint 2007 and 2010 installations. They discovered that by default, neither version of the enterprise server software sends the X-Frame-Options header that instructs web browsers to disallow framing. As a result, firms that rely on both flavours of the enterprise content management systems are vulnerable to both frame-sniffing and click-jacking. Attacks are possible if the URL of a SharePoint installation is known, even if it is only accessible on an intranet.
Microsoft warns that the approach bypasses browser security restrictions that are meant to prevent webpages directly reading the contents of third-party sites loaded in frames. Guarding against the attack involves tweaking the X-Frame-Options on the server, so that browsers disallow framing. However this option is not applied by default on current versions of Microsoft SharePoint. "We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame-Options in the next version of SharePoint" - Said Microsoft
-Source (The Register)
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
Microsoft
,
security-news
,
vulnerablity