Microsoft Afkar was found to contain a cross-site scripting flaw

Apr 14, 2012 07:58 GMT  ·  By

Experts from Vulnerability Lab have been busy helping Microsoft patch some serious vulnerabilities that affected two of its services. The most important security hole was a persistent script code injection vulnerability found in the Microsoft Partner Network Cloud service.

To demonstrate their findings, the researchers made a video proof-of-concept in which the Lab’s CEO, Benjamin Kunz Mejri, shows how easily an attacker can leverage the persistent script code injection flaws on a Microsoft Cloud aspx service to execute his own malicious code.

“The vulnerability allows a remote attacker or local low privileged user account to inject/implement malicious persistent script code (Application-Side). Successful exploitation with low required user interaction can result in session hijacking against admin, moderator & customer sessions or allows an attacker to manipulate requests via persistent script code inject,” the experts explained.

Microsoft was notified on February 11, 2012 of the medium-severity flaws in the Company & Mobile Phone Number (Profile) and the Company Name Profile Listing modules.

After collaborating with the MSRC team and ensuring that the issues had been addressed, Vulnerability Lab made available the video and a proof-of-concept in text format that can offer some great details for security enthusiasts.

The Microsoft Partner Network Cloud service wasn’t the only one found to be flawed. Microsoft’s Afkar, the site that allows Arabic users worldwide to play with new tools and ideas, was found to contain a cross-site scripting (XSS) weakness that could have allowed a remote attacker to hijack user sessions and manipulate context.

In the past month, the Vulnerability Lab team has been very busy helping high-profile companies fix the bugs that exposed their websites and services to malicious operations.

First, they helped Microsoft address a Flash component vulnerability that affected the Bing Service Application. Then, Shadab Siddiqui notified Apple of some dangerous SQL Injection vulnerabilities present in the Education Seminars & Events site.

Oracle’s security team also welcomed the feedback from the experts in handling multiple blind SQL Injection security holes that existed on sites such as campus.oracle.com, education.oracle.com, academy.oracle.com, and shop.oracle.com.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1