Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: http://read.uberflip.com/i/80353


best practices

• In SharePoint 2010, change the behavior of how attachments are handled. Instead of displaying the page inline, have SharePoint download the file. This way, the harmful page is not executed under your site URL.

Source Code Exposure

Many SharePoint pages — such as images, CSS, templates and master pages — are stored in special document libraries. Some of them are static files, such as images and style files, while others are more dynamic, such as master pages and page templates. Any user with read access can get to these special libraries and download these files. These files can expose the internal logic of how data are gathered, the names and paths of machines, developers' comments, and contact information. Source code disclosure vulnerabilities are an extremely popular target for malicious users because application source code contains implementation details that can be used to refine existing attacks against an application.

Remedies: There are a couple of approaches to mitigating source code exposure:

• Write a custom HTTP handler that can prevent access to the page by examining IDs.

• Develop best practices that eliminate writing sensitive data or comments in these pages, and periodically review the code to make sure no sensitive information is exposed.

Mobile Pages

SharePoint comes with two kinds of pages: ones designed for PCs and others for mobile devices. Mobile pages are designed for small screens with minimal and simple user interfaces. However, they usually display some information about the site and the list. Developers typically ensure that only relevant links are displayed on the PC interface, or they use security-trimming controls to hide certain links from most users. But they often forget that whether you hide links through security trimming or simply remove them, the same customization also needs to be applied to the mobile pages. If it's not, a smart user could simply go to the mobile links to access the information. You also need to remember that the mobile links are not accessible only via mobile phones or tablets; they can also be accessed from a PC as long as the URL is known (most mobile pages can be accessed from the /_layouts/mobile directory).

Remedies: There are a couple of solutions for preventing exposure of information on mobile pages:

• If you are not supporting a mobile interface, block access to the /_layouts/mobile directory.

• If you are using a mobile interface, make sure that all mobile pages are tested.

Sleep Better at Night

SharePoint is an excellent collaboration platform with many features for deploying a client extranet. However, as with any external-facing Web application, security is the primary consideration. Your SharePoint project should include a security review of your current design and security testing to ensure you don't expose information you didn't intend to expose, directly or indirectly. You should also periodically perform a security audit of your site or have it audited by a third-party security company. Forewarned is forearmed, and you'll sleep better at night.

About the author: Sheetal Jain is the Chief Technology Officer and co-founder of Prosperoware LLC. He has designed and developed business solutions on the Microsoft enterprise platform for over a decade. Sheetal was part of the Microsoft developer feedback team for SharePoint 2007, sharing insight on early releases and product enhancements. More recently, Sheetal served as an architect/development manager at Interwoven/iManage, where he was responsible for WorkSite Web and WorkSite for SharePoint. Sheetal can be contacted at sheetal@prosperoware.com.
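The periodic code review recommended under Source Code Exposure can be partly automated. The following is an added example, not code from the article or from Prosperoware: it scans the text of a master page or page template for the categories of leak the article names (developer comments, machine names and paths, contact details, embedded credentials). The sample master page fragment, the server names and the e-mail address in it are constructed for the example, and the patterns are assumptions a reviewer would tune for their own environment.

```python
import re

# Constructed sample: a master-page fragment containing the kinds of
# information the article warns should never be left in these files.
SAMPLE_MASTER_PAGE = """\
<%@ Master language="C#" %>
<!-- TODO(jdoe): data pulled from \\\\SPAPP01\\Share\\legacy.xml until migration -->
<html>
<head>
  <!-- contact jane.doe@example.com if the nav breaks -->
  <link rel="stylesheet" href="/_layouts/styles/corev4.css" />
</head>
<body>
  <%-- connectionString="Server=SQLPROD02;Database=Extranet;User Id=sa;Password=..." --%>
  <div id="s4-bodyContainer"></div>
</body>
</html>
"""

# Assumed review patterns; each one maps to a leak category from the article.
CHECKS = {
    "html_comment":   re.compile(r"<!--(.*?)-->", re.S),      # developer comments
    "server_comment": re.compile(r"<%--(.*?)--%>", re.S),     # ASP.NET server comments
    "unc_path":       re.compile(r"\\\\[A-Za-z0-9_.-]+\\[^\s\"'<>]+"),  # machine names/paths
    "email":          re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),          # contact information
    "credential":     re.compile(r"(password|pwd|user id)\s*=", re.I),  # embedded secrets
}


def find_sensitive(text):
    """Return (category, line_number, matched_text) for every hit, ordered by line."""
    findings = []
    for name, pattern in CHECKS.items():
        for m in pattern.finditer(text):
            # Count newlines before the match so multi-line comments still get a line.
            lineno = text.count("\n", 0, m.start()) + 1
            findings.append((name, lineno, m.group(0).strip()))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for category, lineno, snippet in find_sensitive(SAMPLE_MASTER_PAGE):
        print(f"line {lineno:>3}  {category:<14}  {snippet}")
```

Pointing the script at the files exported from the master page and page layout libraries turns the review into a repeatable check rather than a manual read-through.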
