SharePoint Security Vulnerability
Hi All,
There is a very severe SharePoint security vulnerability related to the WebDAV protocol. Users can see all site content by browsing SharePoint site data through the Windows Explorer view, and by:
1. Clicking Start and typing a path into Run, such as
\\yoursite\subsite\forms
or
\\yoursite\subsite\documents
It is alarming to see that any user can browse all SharePoint site directories with the "Use Client Integration Feature" and "Use Remote Interfaces" permissions on the site.
P.S. If we roll back the "Use Client Integration Feature" permission, then users cannot create new items in any form library / SharePoint list. Therefore this permission is mandatory for us.
For more information you can see following URLs.
http://forums.iis.net/t/1149348.aspx
http://social.technet.microsoft.com/Forums/en-US/sharepointgeneral/thread/023f4b23-3ce6-4d83-8cb0-7398b88ba6ab
Any help in this regard will be greatly appreciated...
May 18th, 2010 6:02pm
I don't understand the issue very well. I entered \\mysharepointsite\subsite\forms in Start->Run, and it tells me that I do not have permission.
I can open the SharePoint document library with WebDAV if I enter \\mysharepointsite\documents in Start->Run.
Do you mean that I can open \\mysharepointsite\subsite\forms if I enable WebDAV in IIS?
Or do you mean what follows from http://blogs.technet.com/srd/archive/2009/05/20/answers-to-the-iis-webdav-authentication-bypass-questions.aspx :
Question: Is SharePoint vulnerable to the authentication bypass?
Answer: No, SharePoint is not vulnerable to this vulnerability. The SharePoint team does not use the same code as IIS. Their DAV server goes against their backend SQL store, not the file system.
May 19th, 2010 8:28am
Hi Gu Yuming,
My concern is to disable directory browsing and Explorer View.
Disabling only WebDAV in IIS is not the solution to the problem, because SharePoint implements its own WebDAV functionality through the Stsfilt.dll ISAPI filter that is installed with both Windows SharePoint Services and SharePoint Portal Server.
Initially I was able to disable Explorer View by disabling the permissions "Use Client Integration Feature" and "Use Remote Interfaces" from SharePoint Central Administration > Application Management > User Permissions for Web Application. But doing so also disables launching client applications, and without this permission (Use Client Integration Feature), users will have to work on documents locally and upload their changes manually.
Now what to do?
May 19th, 2010 9:44am
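The step above is done in the Central Administration UI. As an added example (not posted by anyone in this thread), the following PowerShell script performs the same check and, only when explicitly asked, the same change against a SharePoint 2010 web application through its object model. It assumes the SharePoint 2010 PowerShell snap-in is available on a farm server, that `$WebAppUrl` is a placeholder for your own web application URL, and that the web application's `RightsMask` property (the ceiling of permissions any permission level in that web application can grant) is what the Central Administration page edits.

```powershell
# Added example, not from the thread. Audits, and optionally removes, the
# "Use Client Integration Features" and "Use Remote Interfaces" rights on a
# SharePoint 2010 web application. $WebAppUrl is a placeholder.
param(
    [string]$WebAppUrl = "http://yoursite",   # placeholder: your web application URL
    [switch]$Remove                           # without this switch the script only reports
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$webApp = Get-SPWebApplication -Identity $WebAppUrl

# RightsMask is the full set of permissions the web application allows at all;
# a bit cleared here cannot be granted by any permission level on any site below.
$mask              = [long]$webApp.RightsMask
$clientIntegration = [long][Microsoft.SharePoint.SPBasePermissions]::UseClientIntegration
$remoteApis        = [long][Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs

function Test-Right([long]$currentMask, [long]$right) {
    # True when every bit of $right is present in $currentMask
    return (($currentMask -band $right) -eq $right)
}

"Web application                         : $($webApp.DisplayName)"
"Use Client Integration Features enabled : $(Test-Right $mask $clientIntegration)"
"Use Remote Interfaces enabled           : $(Test-Right $mask $remoteApis)"

if ($Remove) {
    # Clearing these two bits turns off Explorer View for the whole web application,
    # but it also blocks Office client integration (opening documents in place,
    # creating items in form libraries), which is the trade-off described in the thread.
    $newMask = $mask -band (-bnot ($clientIntegration -bor $remoteApis))
    $webApp.RightsMask = [Microsoft.SharePoint.SPBasePermissions]$newMask
    $webApp.Update()
    "Rights removed; re-run without -Remove to confirm the new mask."
}
```

Run it without `-Remove` first to record the current state; the report-only mode is the useful part for change control, since it shows whether the two rights are still granted after an administrator has edited the Central Administration page.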
I understand that you want to disable WebDAV in IIS (or you mean that you want to disable directory browsing in IIS).
However, I still do not understand why you want to disable Explorer View in SharePoint. It's a popular feature for copying files to and from a SharePoint document library.
May 25th, 2010 10:03am
Hi GuYuming,
I have already disabled WebDAV in IIS, and I have also disabled directory browsing in IIS. But the problem is that SharePoint implements its own WebDAV functionality through the Stsfilt.dll ISAPI filter that is installed with both Windows SharePoint Services and SharePoint Portal Server.
The reason I want to disable Explorer View is that any user with the least permission (i.e. Restricted Read) can view all library and site content. In order to restrict the user I have to manually assign unique permissions on individual items, which is not feasible as there are thousands of documents in a library. Also, it is my client's requirement to disable Explorer View.
May 26th, 2010 8:41am
Restricted Read includes permissions to view pages and documents, but not historical versions or user rights information.
So I think it is OK that any user with the least permission (i.e. Restricted Read) can view all library and site content.
May 31st, 2010 6:00am
Dear Gu Yuming,
A user should only see the data pertaining to him. Through the Explorer View feature, a user can access everything... In order to restrict it you have to uniquely assign permissions on every individual item, which is really not feasible and increases your maintenance.
My simple question is: "Is there any way to disable the WebDAV and Explorer View functionality?"
May 31st, 2010 7:40am
There is no way to disable the WebDAV and Explorer View functionality. However, I don't think this is a security issue, since a user can see no more in Explorer View than what he has permission to see.
May 31st, 2010 9:40am