Document Title:
===============
Microsoft (MEPN EDU) - Client Side Cross Site Vulnerability

Date:
=====
2016-12-14

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1930

MSRC ID: 34153
TRK: 0497000318

VL-ID:
=====
1930

Common Vulnerability Scoring System:
====================================
3

Introduction:
=============
Microsoft Corporation is an American multinational technology company headquartered in Redmond, Washington, that develops, manufactures, licenses, supports and sells computer software, consumer electronics, personal computers and services. Microsoft has launched the Microsoft Education Partner Network (MEPN) for education-specific resources and training.

(Copy of the Vendor Homepage: https://www.mepn.com/MEPN/MEPNHome.aspx )

Abstract:
=========
An independent Vulnerability Laboratory researcher discovered a cross site scripting vulnerability in the Microsoft Education Partner Network (MEPN) online service web application.

Report-Timeline:
================
2016-12-14: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Microsoft Corporation
Product: Education - Online Service (Web-Application) v2016 Q3

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A cross site scripting web vulnerability has been discovered in the Microsoft Education Partner Network (MEPN) online service web application. The vulnerability allows remote attackers to inject their own script code into the client-side (browser) context of web application requests.

The MEPN online service web application allows users to search for content from different Microsoft domains. The service fails to encode the reflected search value for the HTML context in which it is rendered, which an attacker can leverage to carry out cross site scripting attacks. The reflected (non-persistent) cross site scripting vulnerability is located in the `query` parameter of the `mepncontentsearch.aspx` file in a GET method request.
The vulnerability allows remote attackers to inject their own script code via the MEPN search page, which queries content from several Microsoft domains (such as `social.technet.microsoft.com`, `gallery.technet.microsoft.com`, `code.msdn.microsoft.com`, `social.msdn.microsoft.com`, `visualstudiogallery.msdn.microsoft.com`, `blogs.msdn.microsoft.com` and others); the injected code is then triggered from the MEPN web application.

The security risk of the cross site scripting web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.0. Exploitation of the client-side cross site scripting vulnerability requires no privileged web application user account and only low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Service(s):
[+] MEPN - Microsoft Education

Vulnerable File(s):
[+] mepncontentsearch.aspx

Vulnerable Parameter(s):
[+] query

Proof of Concept:
=================
The cross site scripting vulnerability can be exploited by remote attackers without a privileged web application user account and with low user interaction. For a security demonstration, or to reproduce the reflected cross site scripting web vulnerability, follow the information and steps below.

PoC: Exploitation
https://www.mepn.com/MEPN/mepncontentsearch.aspx?query=">
XSS">
"> - social.msdn.microsoft.com

--- PoC Session Logs [GET] --- Status: 200[OK] GET https://www.mepn.com/MEPN/mepncontentsearch.aspx?query=">
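The following is an added example and not code from the advisory or from MEPN. It models the reflection the advisory describes with a constructed stand-in for the search page: the `query` value is placed inside a double-quoted attribute and inside element text, first without encoding (the vulnerable pattern) and then through an HTML encoder (the fix). The page markup, the helper names (`renderSearchPageVulnerable`, `renderSearchPageFixed`, `htmlEncode`, `queryFromUrl`, `elementNames`) and the `"><img ...>` payload are all constructed here; the payload only follows the `">` attribute break-out shape of the PoC URL above.

```javascript
// Added example, not code from the advisory or from MEPN: a minimal
// stand-in for a search page that reflects its "query" parameter, in the
// vulnerable form the advisory describes and in an output-encoded form.
// Page markup, helper names and the payload are all constructed here.

// Vulnerable renderer: the raw query lands inside an attribute value and
// inside element text without encoding, so "> ends the attribute and the
// tag, and whatever follows is parsed by the browser as new markup.
function renderSearchPageVulnerable(query) {
  return '<input type="text" name="query" value="' + query + '">' +
         '<p>Results for ' + query + '</p>';
}

// HTML encoder that is safe for both the double-quoted attribute context
// and the element-text context used in the template above.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed renderer: same template, every reflection goes through the encoder.
function renderSearchPageFixed(query) {
  const safe = htmlEncode(query);
  return '<input type="text" name="query" value="' + safe + '">' +
         '<p>Results for ' + safe + '</p>';
}

// Extract the query value the way the server would receive it, so the
// demonstration starts from a full URL rather than a bare string.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('query');
}

// Names of the elements a parser would see in the output. Anything beyond
// the template's own input/p elements was injected through the query.
function elementNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\s*([a-z][a-z0-9]*)/gi)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Constructed payload in the shape of the PoC above: close the attribute
// with "> and open an element carrying an event handler.
const PAYLOAD = '"><img src=x onerror=alert(document.domain)>';
const POC_URL = 'https://www.mepn.com/MEPN/mepncontentsearch.aspx?query=' +
                encodeURIComponent(PAYLOAD);

// Stand-alone demonstration: the vulnerable page gains an injected <img>
// element, the fixed page renders the payload as inert text.
const q = queryFromUrl(POC_URL);
console.log('vulnerable:', elementNames(renderSearchPageVulnerable(q)));
console.log('fixed:     ', elementNames(renderSearchPageFixed(q)));
```

The encoder has to match the output context: the `"` must be encoded because the template's attribute is double-quoted, and a value reflected into a JavaScript string or a URL would need a different encoder. In ASP.NET the equivalent of `htmlEncode` here is `HttpUtility.HtmlEncode` (or `HttpUtility.HtmlAttributeEncode`) applied to the reflected value at the point of output; ASP.NET request validation is a defense-in-depth filter, not a substitute for encoding.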