Seeker Advisory Sep11: Insecure Redirect in Microsoft SharePoint Portal

From: Irene Abezgauz <>
Subject: Seeker Advisory Sep11: Insecure Redirect in Microsoft SharePoint Portal

Seeker Research Center Security Advisory 

This vulnerability was discovered by Seeker(r) Automatic Run-Time
Application Security Testing Solution 
Disclosed By Irene Abezgauz, September 13th, 2011

I. Overview
An Insecure Redirect vulnerability has been identified in Microsoft
SharePoint shared infrastructure. This vulnerability allows an attacker
to craft links that contain redirects to malicious sites in the source
parameter used throughout SharePoint portal.

The exploitation technique detailed in this document bypasses the cross
application redirection restriction which normally limits such redirects
restricting access to external sites. 

A friendly formatted version of this advisory is available at: 

II. Details
Multiple pages and components in Microsoft Sharepoint use the source
parameter to redirect users to a new location after accessing a certain
page, such as:
In order to avoid cross application redirects (which pose a threat to
the system), Microsoft Sharepoint enforces checks on these redirects,
and limits them to localhost or, or the SharePoint server IP
(the IP redirect is only valid if the redirect is to an actual
SharePoint page on the server, redirects to localhost or will
work regardless of existence of relevant page). 
The implementation of this verification, however, is flawed, and can be
circumvented by creating hostnames which begin with the string
localhost, or even if they are not localhost.
Due to domain naming restrictions the prefix cannot be used in
exploitation, as is not a valid domain
name - subdomain names cannot be digits only. However, redirects to or are
valid. The following prefixes can be provided into the Source parameter
to exploit this vulnerability: 
      localhostaaa,, etc. 
An attacker can generate an attack by creating a site containing
localhost in its name, and crafting a URL which embeds into the source
parameter a link that lead to sites outside the current application.
Once a victim follows the specially crafted link he indeed arrives at
the selected page of the vulnerable SharePoint application. Once the
page operation is completed, the user will be redirected to the URL in
the source parameter. 

III. Exploit
Sample exploitation of this vulnerability would be crafting the
following link: 
It is important to note that in many situations, even if the application
does not use the source parameter by default, this parameter can be
added manually to the URL, leading to exploitation of this

IV. Affected Systems
Microsoft SharePoint 2007
Microsoft SharePoint 2010

V. Solution
Microsoft has released a fix for this vulnerability, see for further

VI. Credit
The vulnerability was automatically discovered by Seeker(r) - New
generation application security testing solution, utilizing ground
breaking BRITE(tm) technology (Behavioral Runtime Intelligent Testing
Further research and publication was performed by Irene Abezgauz,
Product Manager, Seeker Security. 
For more information please visit

Irene Abezgauz
Product Manager
Seeker Security

Copyright © 1995-2020 All rights reserved.