Document Title:
===============
Microsoft (MEPN EDU) - Client Side Cross Site Vulnerability
Date:
=====
2016-12-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1930
MSRC ID: 34153
TRK: 0497000318
VL-ID:
=====
1930
Common Vulnerability Scoring System:
====================================
3
Introduction:
=============
Microsoft Corporation is an American multinational technology company headquartered in Redmond, Washington, that develops,
manufactures, licenses, supports and sells computer software, consumer electronics and personal computers and services.
Microsoft has launched Microsoft Education Partner Network (MEPN) for education-specific resources and training.
(Copy of the Vendor Homepage: https://www.mepn.com/MEPN/MEPNHome.aspx )
Abstract:
=========
An independent vulnerability laboratory researcher discovered a cross site scripting vulnerability in the Microsoft Education Partner Network (mepn) online service web application.
Report-Timeline:
================
2016-12-14: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Microsoft Corporation
Product: Education - Online Service (Web-Application) v2016 Q3
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A cross site scripting web vulnerability has been discovered in the Microsoft Education Partner Network (mepn) online service web application.
The vulnerability allows remote attackers to inject their own malicious script code into web-application requests, which is then executed in the client-side browser.
The Microsoft Education Partner Network (mepn) online service web application lets users search for content across different Microsoft domains.
The service fails to sanitize a context that an attacker can leverage to carry out cross site based attacks. The stored cross site scripting vulnerability
is located in the `query` parameter of the `mepncontentsearch.aspx` file in a GET method request. The cross site scripting vulnerability allows remote attackers
to inject their own malicious script code into the online service web applications on different Microsoft domains (such as `social.technet.microsoft.com`,
`gallery.technet.microsoft.com`, `code.msdn.microsoft.com`, `social.msdn.microsoft.com`, `visualstudiogallery.msdn.microsoft.com`,
`blogs.msdn.microsoft.com` and others), which can then be triggered from the mepn web application to exploit the vulnerability.
The security risk of the cross site scripting web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.0.
Exploitation of the client-side cross site scripting vulnerability requires no privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious
sources, and non-persistent manipulation of affected or connected application modules.
Request Method(s):
[+] GET
Vulnerable Service(s):
[+] MEPN - Microsoft Education
Vulnerable File(s):
[+] mepncontentsearch.aspx
Vulnerable Parameter(s):
[+] query
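How an unescaped reflection of the `query` parameter differs from an attribute-encoded one, and how a defender can spot such requests in access logs, as an added example that is not part of the advisory and not Microsoft's code: the `RESULTS_TEMPLATE` markup, the log lines and the function names are assumptions, and the flagged request reuses the advisory's `">` value URL-encoded.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical results-page fragment that echoes the 'query' parameter into an
# HTML attribute; an assumed template, not MEPN's actual markup.
RESULTS_TEMPLATE = '<input type="text" name="query" value="{}">'
MARKUP_CHARS = set('<>"\'')  # characters that matter when reflected into HTML

# Constructed access-log lines (not from the advisory); the second request
# carries the advisory's "> value, URL-encoded, in the 'query' parameter.
SAMPLE_LOG = (
    '203.0.113.5 - - [14/Dec/2016:10:00:01 +0000] '
    '"GET /MEPN/mepncontentsearch.aspx?query=windows HTTP/1.1" 200 512\n'
    '203.0.113.9 - - [14/Dec/2016:10:00:07 +0000] '
    '"GET /MEPN/mepncontentsearch.aspx?query=%22%3E HTTP/1.1" 200 640\n'
    '203.0.113.7 - - [14/Dec/2016:10:00:09 +0000] '
    '"GET /MEPN/MEPNHome.aspx HTTP/1.1" 200 300\n'
)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def render_results_vulnerable(query: str) -> str:
    """Reflect the search term unescaped: a '">' value closes the attribute
    and the tag, which is the defect the advisory describes."""
    return RESULTS_TEMPLATE.format(query)


def render_results_fixed(query: str) -> str:
    """Reflect the search term HTML-attribute-encoded so it stays inert."""
    return RESULTS_TEMPLATE.format(html.escape(query, quote=True))


def flag_suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_query) for GET requests to
    mepncontentsearch.aspx whose 'query' value contains markup characters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        parts = urlsplit(target)
        if method != 'GET' or not parts.path.lower().endswith('/mepncontentsearch.aspx'):
            continue
        for value in parse_qs(parts.query).get('query', []):
            if MARKUP_CHARS & set(value):
                hits.append((ip, value))
    return hits
```

The log scan decodes the parameter before inspecting it, so percent-encoded quotes and angle brackets are caught the same way the application would see them.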
Proof of Concept:
=================
The cross site scripting vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction.
For a security demonstration, or to reproduce the stored cross site scripting web vulnerability, follow the information and steps provided below.
PoC: Exploitation
https://www.mepn.com/MEPN/mepncontentsearch.aspx?query=">
PoC: Vulnerable Source (Results - query)