Microsoft SharePoint Limited Access Permission Bypass

Microsoft SharePoint suffers from a Limited Access permission bypass vulnerability.

This vulnerability was discovered by 'Behnam Vanda' on January 07, 2018

I. About Vulnerability
A permission level bypass vulnerability has been identified in Microsoft SharePoint 2013 and possibly prior versions. This vulnerability allows attackers to open or view restricted items in the site or library. An authenticated user can bypass the 'Limited Access' permission to browse a site page or library and access a specific content item that was restricted.

II. Exploit
#POC 1 :

1. Search for specific words in the SharePoint web and mobile search boxes: "password", "pass", "user", "domain\user", "name | lastname", etc.

[~] web search : http://site/BSearch/results.aspx
[~] mobile search : http://site/_layouts/mobile/MobileResults.aspx

example : http://site/BSearch/results.aspx?k=password
example : http://site/BSearch/results.aspx?k="NSA\1377"
example : http://site/_layouts/mobile/MobileResults.aspx?k=pass
example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB

2. The page shows SharePoint search results, such as URLs of restricted items, sites and libraries.

3. Click the URLs to access, view or read the site pages and other restricted libraries and items.
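
On the defensive side, the searches in POC 1 show up in the IIS logs of the SharePoint front end as requests to the two results pages with a `k=` keyword. The following is an added detection example, not part of the original advisory; the log lines, account names and column order are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs

# Search result pages named in the advisory, lower-cased for comparison.
SEARCH_PAGES = ("/bsearch/results.aspx", "/_layouts/mobile/mobileresults.aspx")
# Keywords from step 1 of POC 1; a backslash is treated as a domain\user search.
SENSITIVE_TERMS = ("pass", "user")

# Constructed sample log in W3C extended format (field order is an assumption).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2018-01-07 09:14:02 10.0.0.21 CORP\\alice GET /BSearch/results.aspx k=quarterly+report 200
2018-01-07 09:15:40 10.0.0.37 CORP\\bob GET /BSearch/results.aspx k=password 200
2018-01-07 09:15:58 10.0.0.37 CORP\\bob GET /_layouts/mobile/MobileResults.aspx k=pass 200
2018-01-07 09:16:20 10.0.0.37 CORP\\bob GET /BSearch/results.aspx k=%22CORP%5Csvc_backup%22 200
2018-01-07 09:17:01 10.0.0.21 CORP\\alice GET /SitePages/Home.aspx - 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_sensitive_searches(text):
    """Return (user, ip, keyword) for searches that look like credential hunting."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() not in SEARCH_PAGES:
            continue
        values = parse_qs(row.get("cs-uri-query", "")).get("k")
        term = values[0] if values else ""  # parse_qs also URL-decodes the keyword
        if "\\" in term or any(t in term.lower() for t in SENSITIVE_TERMS):
            hits.append((row["cs-username"], row["c-ip"], term))
    return hits

def noisy_users(hits, threshold=2):
    """Accounts with at least `threshold` flagged searches, for triage."""
    counts = Counter(user for user, _, _ in hits)
    return sorted(user for user, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for hit in flag_sensitive_searches(SAMPLE_LOG):
        print(hit)
```

Accounts returned by `noisy_users` are the ones to check against the permission levels they actually hold on the items that appeared in their search results.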

#POC 2 :

After capturing packets between our system and the SharePoint site (using Fiddler, Burp Suite, Wireshark, etc.), we have access to item, list, page and site URLs like the following:


So access restricted items and lists by building /LIST#/ URLs.

for example :

III. Affected Systems

Microsoft SharePoint 2013 & maybe prior

Behnam Vanda

E-Mail: beni[dot]vanda[at]

