Thursday, March 29, 2012

Protect SharePoint from Framesniffing Attack


What is Framesniffing attack?
The Framesniffing technique uses an HTML iframe to load a target website inside of an attacker’s webpage. All web browsers have security restrictions that prevent a webpage from directly reading the contents of pages loaded in frames. However, this attack bypasses those measures, allowing a malicious webpage to read certain pieces of information about the structure of a framed page, by using anchor elements.

How does it affect SharePoint?
Even though SharePoint is usually accessible only on the internal network, it is still loaded in a web browser. By default, SharePoint 2007 and 2010 do not send the X-Frame-Options header. This means that any website that knows the URL of an organisation's SharePoint can load it in an iframe. This attack works by checking for anchors on search result pages.

Watch this demo of how Framesniffing works with SharePoint: http://www.contextis.co.uk/research/blog/framesniffing/

The video shows an attacker extracting sensitive information from a fictional corporate SharePoint installation. The attacker searches the server to discover crucial information about an upcoming acquisition. To achieve this, the attacker first lures a user with access to the SharePoint server to a malicious web page. While the user is viewing the page, the attacker uses Framesniffing to infer information from the SharePoint server through the user's web browser.

What does Microsoft say about this vulnerability?
“We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame options in the next version of SharePoint”.

How to protect SharePoint against Framesniffing?
Websites can protect themselves against Framesniffing attacks by sending the X-Frame-Options HTTP header. Protecting SharePoint from this attack is a simple matter of adding the X-Frame-Options header.
The following steps describe how to add the custom header in IIS7. SharePoint is used as the example, but the instructions will work for any site:
  1. Open IIS Manager (Run > InetMgr)
  2. In the left pane navigate to the relevant web site (SharePoint - 80)
  3. In the right pane select 'Features View' at the lower left corner
  4. Double-click the 'HTTP Response Headers' icon
  5. Click the 'Add...' link in the right pane
  6. Enter 'X-Frame-Options' in the name field and 'SAMEORIGIN' in the value field. Hit OK.
Note - This setting prevents SharePoint from being opened in a frame on another origin, so it could break SharePoint in some setups, for example if another intranet application embeds SharePoint in a frame. Be sure to test this change before putting it into production.
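Once the header is configured, it is worth confirming from a workstation that the site really sends it. The following script is an added example, not part of the original post: it classifies the X-Frame-Options header in a response using only Python's standard library. The URL, and the assumption that an anonymous request to SharePoint gets a 401 that still carries the IIS custom header, are assumptions about your deployment.

```python
# Added example (not from the original post): audit whether a site sends an
# X-Frame-Options header that stops it being loaded in a third-party iframe.
import urllib.error
import urllib.request


def classify_xfo(headers):
    """Classify X-Frame-Options in an iterable of (name, value) header pairs.

    Returns (protected, reason). Header names are matched case-insensitively
    and every occurrence is inspected, because a duplicated or misspelt
    header is a common reason the IIS setting appears not to work.
    """
    values = [v.strip() for name, v in headers if name.lower() == "x-frame-options"]
    if not values:
        return False, "header missing: page can be framed by any origin"
    distinct = {v.upper() for v in values}
    if len(distinct) > 1:
        return False, "conflicting values %r: set exactly one" % values
    value = distinct.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: %s" % value
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is not honoured by all browsers; prefer SAMEORIGIN"
    return False, "invalid value %r: browsers ignore it" % values[0]


def audit_site(url):
    """Fetch `url` and classify its X-Frame-Options header.

    Assumption: a SharePoint site answers an anonymous request with 401, and
    the IIS custom header is normally still added to that response, so the
    error response is inspected rather than discarded.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_xfo(resp.getheaders())
    except urllib.error.HTTPError as err:
        return classify_xfo(err.headers.items())


if __name__ == "__main__":
    import sys
    # Hypothetical URL: e.g. http://sharepoint.example.local/
    ok, why = audit_site(sys.argv[1])
    print(("PROTECTED" if ok else "EXPOSED") + ": " + why)
```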

Browser Protection against Framesniffing Attacks
Users of the Firefox browser are already protected against Framesniffing. However, the latest versions of Internet Explorer, Chrome and Safari are still vulnerable to these attacks.

Tuesday, March 13, 2012

SharePoint Code Samples

Microsoft has created 101 code samples for SharePoint 2010. These samples cover a wide range of useful tasks from working with lists and document libraries, to using BCS.
Check them out.
Sharepoint 2010 101 code samples

Friday, March 9, 2012

Removing author from search results

Follow these instructions to remove the author from search results.

- Navigate to the Advanced Search Page;
- Perform a search to return some search results;
- Edit the page (Site Settings | Edit Page);
- Edit the Search Core Results WebPart (Edit | Modify Shared WebPart);
- Under the Data View Properties click the XSL Editor button;
- Select all the XSL and save it somewhere to back up the default XSL;

Remove these lines and save the changes.
<xsl:call-template name="DisplayString">
<xsl:with-param name="str" select="author" />
</xsl:call-template>

Hope this will help!

Thursday, March 1, 2012

Show all versions of multiline text field (Appended text)

1. Open the site with SharePoint Designer and insert a DataView WebPart (DVWP) on a page that includes your multiline field.
2. Switch to Code view and find the line that references the field. This is the line to replace:

<xsl:value-of select="@Comments" disable-output-escaping="yes" />

3. Replace it with:

<SharePoint:AppendOnlyHistory runat="server" FieldName="Comments" ControlMode="Display" ItemId="{@ID}"/>

You will see all the comments with author and date.

To get all the versions of a multiline text field in code (server object model):

using Microsoft.SharePoint;

// 'item' is an SPListItem whose "Comments" column is an append-only multiline text field.
// Each version holds the text appended in that version, so the versions are walked and concatenated.
string allComments = "";
foreach (SPListItemVersion versionListItem in item.Versions)
{
    if (versionListItem["Comments"] != null)
    {
        allComments += versionListItem["Comments"].ToString();
    }
}

CU for MOSS 2007 and WSS 3.0

Check out the new updates (Feb 2012 CU) for MOSS 2007 and WSS 3.0.

Microsoft Office SharePoint Server 2007
Feb 2012 CU
Version: 12.0.6658.5000
Link: 2597958

WSS 3.0
Feb 2012 CU
Version: 12.0.6658.5000
Link: 2597959