SharePoint: In Defense of Cross-Site Scripting Attacks

Microsoft introduced SharePoint in 2001.  Originally designed as an intranet for team collaboration and content management, SharePoint has evolved with every new version and enterprises have found additional innovative ways to customize it and manage their line of business applications, to some SharePoint is considered a Web Application.

Today we can find several solutions for help desk, wiki sites, blogging, proposal management, resource and project management, emergency response application, to name just a few, which are all based on SharePoint.

The popularity and functionality of Microsoft’s SharePoint continues to increase. In 2009, it generated $1.3 billion in revenues from an installed base of 100+ million users and it has been growing at a rate of 20,000 SharePoint users per day, every day for the last five years and that’s over 7 million new SharePoint users every year. [1]

SharePoint 2013

Microsoft’s CEO Sever Blamer’s referred to it as "… the definitive OS or platform for the middle tier,.." [2] in his keynote address at the Convergence conference on March 14, 2007, and whether you think of it as a Web OS or simply an Enterprise Information Portal its complexity becomes apparent when you take notice of all the underlying technologies that supports it.

SharePoint is built primarily on Visual C#, Visual Basic, Microsoft .NET Framework, ASP.NET, HTML/CSS, Document Object Model, Silverlight, it interfaces with Microsoft Active Directory, but it can be configured with LDAP, and is designed for use with Microsoft SQL Server and Internet Explorer. Consequently is not without its share of security vulnerabilities.

In fact there has been at nearly 300 vulnerabilities affecting SharePoint and related products over the years many of which have been cross-site scripting allowing remote attackers to inject arbitrary web script or HTML code via crafted JavaScript elements. [3]

One defense mechanism that Microsoft has integrated in SharePoint to protect users against cross-site scripting attacks is the inclusion a form digest for each ASPX web page requested.

The form digest is a security validation specific to a user, site, and time period. It is generated for each HTTP Request and placed on the ASPX page before serving it; it will then get validated on the server side when the user submits the form.

Form Digest embedded in the HTML Form

This mechanism is a feature available to developers who create new Web Pages with just a simple point and click.

Developers have also the option to create their own custom web pages but careful consideration needs to be taken care of to avoid security validation errors, which result in Exceptions errors being thrown out.

Security Validation Exception Error

The way to correct this is by including the appropriate controls in the ASPX page [4], which will instruct the server to create, include, and manage the form digest

ASPX FormDigest Tag

An SPWeb.ValidateFormDigest or SPUtility.ValidateFormDigest [5] method can then be invoked to explicitly check the security validation used in the ASPX page, and works on a second page on which the first ASPX page posts or on the first one, if there is no second page involved.

This mechanism help developers build their own HTTP POST requests to submit and update SharePoint data, but how can we submit data to the server using HTTP GET requests?

The solution is not without some level of risk. The object model provides developers with a method to instruct the server to bypass the form digest validation by setting the AllowUnsafeUpdates [6] property of the SPSite object to true.

However, setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities as noted in the remarks for the class reference, so it must be reset programmatically as soon as the update has taken place.

AllowUnsafeUpdates

Several events can also reset the property and prevent the update to the database [7], [8]:

·      SPRoleDefinitionCollection.BreakInheritance ()

·      BreakRoleInheritance ()

·      ResetRoleInheritance ()

·      An Exception being thrown out

The cross-site scripting protection just described may result in errors if you are writing server-side code not necessarily designed to respond to a POST Request.

If your web pages are designed to respond to a GET Request [9] or if you are creating your own SPSite or SPweb objects using the SharePoint object model and you are required to update the database you must then use the AllowUnsafeUpdate property prior to executing the update.

There are also instances in which you may not be updating the database but instead calling functions, which in turn perform a database update. One such case is the call to EnsureUser () which looks for the specified user login in the Site Users collection and if the login is not found then SharePoint looks to see if it is a valid user in the Active Directory, if it is it then adds the login to the Site Users collection resulting in an update to the database.

In case like this you must also make use of the AllowUnsafeUpdates function and set it to true, but remember to always set it back to false --or at least to its previous state-- after the operation is complete, so that other code in your program will not run in unsafe mode.

Many examples I have found on posts on the web, reset it right after line of code executing the database update and sometimes fail to consider exception errors, therefore is always a good idea to reset its value in the finally block of a try and catch. [10]

Use of finally block to ensure reset to unsafe updates

References:

[1] Microsoft: We’re adding 20,000 new SharePoint users aday

[2] SharePoint: The next big ‘operating system’ from Microsoft

[3] CVE Security Vulnerability Database

[4] Form Digest class

[5] SPUtility.ValidateFormDigest class

[6] SPSIte.AllowUnsafeUpdates property

[7] SharePoint Internals – Hristo Pavlov’s Blog. What You Need To Know About AllowUnsafeUpdates (Part 1)

[8] SharePoint Internals – Hristo Pavlov’s Blog. What You Need To Know About AllowUnsafeUpdates (Part 2)

[9] Microsoft SharePoint 2010 Developer Reference

[10] SharePoint Solutions by Infoyen. SPWeb.AllowUnsafeUpdates

For additional

SharePoint or Project Server

related articles please visit my website at:

www.gustavogarcia.net

SharePoint List filter wildcard search on multple columns .. LIKE

This implementation on how to use a SharePoint List filter with a wildcard  on multiple columns is a solution for MOSS 2007 and it requires SharePoint Designer.

The idea here is that given a search string a SharePoint view will then display all records that contains the string value in any of the several columns specified.

So for example if I specify 'AAA' as the value for the search string the result set will be Items #1 and  #2 because we can find the 'AAA' value in Item  #1 / Column 1  and Item #3 / Column 2



First thing I do is to add a Calculated Column to the list that will contain the concatenation of Colums 1,2, and 3.



So now my list looks like:



I then create a web page where the filter and the result set will be displayed.



I then add a Text String search web part to the newly created page. I have used Choice Fileter and SharePoint List Filter with similar results, but in this example I will use Text String because is the easier to use.



I edit the search web part and give it a name. We'll need this name latter on in the solution. In this example I will use the 'Multiple Column Search' name for the filter as illustrated below.



The web part will have a warning note indicating that it is not yet connected to another web part.  We will leave it like this for now and come back to connect it after we've edit the web page using SharePoint Designer.



Edit this web page using SharePoint designer and notice the SharePoint List in the Task Pane on the right hand side under the Data Source Library tab.  If this tab is not displayed, make sure to check the 'Data Source Library' menu option under Task Panes.



Drag and drop the SharePoint list, in this example 'My Custom List' to the web page.



You can edit this view to remove the default columns it has added and add the columns that you wish to display by clicking on the 'Edit .Columns...' menu choice in the Common Data View Tasks dialog window.

In this case I will remove the 'Modified By' and 'Modified' columns that were automatically added and I will instead display the 'Column #1', 'Column #2' and 'Column 3' in addition to the 'Title' column already selected for display.



I will then click on the 'Filter' menu option in the Common Data View Tass dialog window to specify a filter criteria.



Add a new clause In the Filter Criteria dialog window.



Select the calculated field that was created in the Field Name prompt and for comparison choose 'contains'. In the Value promp select Create a New Parameter from the pull down menu.



The Data View Parameters dialog windows will show up creating a new parameter called 'Param1' as the default. Select 'Form' for the arameter Source and for the 'Form Field' enter the name of the filter web part that we had placed in the web page, in this case 'Multiple Column Search'



Save the web page in SharePoint Designer and then refersh the browser where the web page was being edited.  The filter web part is now ready to be connected to the SharePoint Data View web part.

From the Connections Menu select 'Get Parameters From' and then choose the 'Multiple Columns Search' filter.



In the Configure Connection dialog window select 'Param1' from the pull down menu and click the Finish Button.  Then Finish editing the web page in the browser.



The Multiple Column Search filter is now ready to use.  You can type 'AAA' in the search value and confirm that only Record #1 and #3 will be dislayed.

For additional

SharePoint or Project Server

related articles please visit my website at:

www.gustavogarcia.net

Building a single server Project Server 2010 with SQL Server Part 6

Configure SQL Server

In order for the report author to be able to access the Project Server 2010 Reporting database from Microsoft Excel, you must configure Microsoft SQL Server access and add a SQL Server login. The login must enable specific access to the Project Server 2010 Reporting database to gain access to schema information and data. Use the domain group that you created for report viewers (SDRED\ProjReportAuthors).

To add a login for a report author

1. Log on to Dev-SQL using the sdred\SQLAdmin account.
2. Click Start, All Programs, Microsoft SQL Server 2008, SQL Server Management Studio. 
3. On the Connect to Server dialog box, type localhost in the Server name box, and then click Connect.
4. Expand Security, right-click Logins, and then click New Login.
5. On the General page, click Search.
6. Click Object Types, and select the Groups check box.
7. Click OK.                                                                                       
8. Type SDRED\ProjReportAuthor
9. Click Check Names.
10. Click OK.
11. Select the User Mapping page.
12. In the Users mapped to this login list, select the row that contains the Project Server 2010 Reporting database (ProjectServer_Reporting).
    
13. Select the Map check box for the Project Server 2010 Reporting database.
14. Select the db_datareader database role membership check box.
    
    


15. Click OK.

Configure Excel Services

Project Server 2010 requires Excel Services in Microsoft SharePoint Server 2010. The first step to configuring Excel Services is to turn on the Excel Calculation Services service.


To turn on the Excel Calculation Services service

1. On the SharePoint Central Administration Web site, in the System Settings section, click Manage services on server.
2. In the Service list, click Start next to Excel Calculation Services.

Once the Excel Services service is running, the next step is to create an Excel Services service application.

To create an Excel Services service application

1. On the SharePoint Central Administration Web site, in the Application Management section, click Manage service applications.
2. On the Service Applications tab, click New, and then click Excel Services.
3. In the Name box, type Excel Services Service App.
4. In the Application pool name box, type ExcelServicesAppPool.
5. Choose SDRED\SVCApp from the Configurable list.
6. Click OK.

Once Excel Services has been configured, you must configure trusted file locations for the Project Server 2010 Sample Reports and Templates libraries.

Follow this procedure two times: one time for each library.

To configure a trusted file location

1. In Central Administration, in the Application Management section, click Manage service applications.
2. Click the Excel Services service application.
3. On the Manage Excel Services page, click Trusted File Locations.                                                                                   
4. Click Add Trusted File Location.        
   
5. In the Address box, type:
   
   For the Templates library:
   
   http://dev2010/pwa/ProjectBICenter/Templates/
   
   or
   
   For the Sample Reports library:
   
   http://dev2010/pwa/ProjectBICenter/Sample%20Reports/
6. Under Trust Children, confirm that the Children trusted check box is selected.
7. In the External Data section:
   
   
   1. Under Allow External Data, select the Trusted data connection libraries and embedded option.
   2. Under Warn on Refresh, clear the Refresh warning enabled check box.           

Click OK.

You must configure trusted data connection libraries in order to give users access to the connectors that link the report spreadsheets to the data in the Project Server 2010 Reporting database and OLAP databases. Perform the following procedure to set up the trusted data connection libraries.


To set up trusted data connection libraries

1. In Central Administration, in the Application Management section, click Manage Service Applications.
2. Click the Excel Services service application.
3. Click Trusted Data Connection Libraries.
4. Click Add Trusted Data Connection Library. 
   
   


5. In the Address box, type:
   
   http://dev2010/pwa/ProjectBICenter/Data%20Connections%20for%20PerformancePoint/English%20(United%20States)                          
6. Click OK.

Configure Secure Store

In SharePoint Server 2010, the Secure Store Service enables users to access multiple system resources without having to provide authentication credentials multiple times. SharePoint Server 2010 implements Secure Store Service authentication by including a Windows service and a secure credentials database.

The next step is to configure Secure Store by turning on the Secure Store Service and creating a Secure Store Service service application. Perform the following procedure to turn on the Secure Store Service.

To turn on the Secure Store Service

1. On the SharePoint Central Administration Web site, in the System Settings section, click Manage services on server.
2. In the Service list, click Start next to Secure Store Service.   
   
   

Once the Secure Store service is running, you must create a Secure Store Service Application. Use the following procedure.

To create a Secure Store Service service application

1. On the SharePoint Central Administration Web site, in the Application Management section, click Manage service applications.
2. On the Service Applications tab, click New, and then click Secure Store Service.
3. In the Name box, type Secure Store Service Application.  
4. In the Application pool name box, type SecureStoreAppPool.
5. Choose a managed account from the Configurable list.
6. Click OK.
7. When the service application has been successfully created, click OK.
   
   

When the Secure Store Service Application has been created, you must generate a Secure Store Service key before the Secure Store service can be used. Perform the following procedure to generate a key.

To generate a Secure Store Service key

1. On the SharePoint Central Administration Web site, in the Application Management section, click Manage service applications.
2. Click the Secure Store service application.
3. On the Edit tab, click Generate New Key.
4. Type and confirm a Pass Phrase, and then click OK.
   
   

Once Secure Store is configured, you must create a Secure Store target application.

 
To create a Secure Store target application

1. On the SharePoint Central Administration Home page, in the Application Management section, click Manage Services Applications.
2. Click the Secure Store Service.
3. On the Secure Store Service page, select the Edit tab.
4. Click New.
   
5. On the Create New Secure Store Target Application page:
   
   
   
   1. In the Target Application ID box, type ProjectServerApplication. (Value is case sensitive)
   
   
   2. In the Display Name box, type ProjectServerApplication.
   
   
   3. In the Contact Email box, type an e-mail address.
   
   
   4. From the Target Application Type drop-down list, select Group.
   
   
   5. Click Next.


6. On the Specify the credential fields for your Secure Store Target Application page, click Next.                                                        


7. On the Specify the membership settings page:
   
   
   1. In the Target Application Administrators box, type SDRED\Developer.
   
   
   2. In the Members box, type SDRED\ProjReportViewers.
   
   
   3. Click OK.


8. On the Secure Store Service Application page, select the check box for the target application that you just created.
9. On the ribbon, click Set Credentials.
10. On the Set Credentials for Secure Store Target Application (Group) dialog box, type the user name and password of the SDRED\ProjDataAccess account.  This account must have db_datareader permissions on the Project Server Reporting database. This can be achieved by adding the SDRED\ProjDataAccess account to the SDRED\ProjReportAuthors group.
    
    


11. Click OK.

The Project Server 2010 reporting and business intelligence functionality is now configured and ready for use.

For additional

SharePoint or Project Server

related articles please visit my website at:

www.gustavogarcia.net

Creating a PSI Extension for Project Server 2010

This post refers to the Project 2010 SDK Sep 2010 Update.



This updates contains to sample PSI Extensions.  The 'Hello World' and the 'ListProjects' examples. Missing from the accompaning documentation is the following:

1) You need to include the System.Web reference not only in the 'using' statement but in the list of referenced external libraries.



2) There is a bug in the GetServiceUri function of the Hello  World PSI extension.  A variable is declared with the name requestUri but referenced as requestUrl (with an L at the end) inside the function.  



Following the rest of the instructions in the examples was easy including the deployment instructions. However when I tested the web service I got this generic catch all error: 'Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service':



After verifying that my development server had indeed Windows Authentication enabled



I then deployed the PSI extension in the Information Worker VHD provided by Microsoft to eliminate the possibility of having mis-configured my development machine, but there I got the same error condition.

After a few hours of research, I learned that while the deployment of Project Server was done using NTLM provider and the web.config was specified as NTLM in the SDK documentation.  I had to change the Providers configuration setting in the web server to include 'Negotiate'.



With the addition of this Provider setting, an iisreset and an IE clear cache I was able to access the PSI extensions without additional problems.

For additional
SharePoint or Project Server
related articles please visit my website at:
www.gustavogarcia.net