SharePoint Site/List/Item Effective Permission Finder!

This is amazing: I was simply trying to figure out what SharePoint Designer (Site->Contributor Settings) would do to permissions in the database.  So I built this entire application to do it, only to realize after I got it built that SPDesigner simply creates a file in the _contributor_settings directory in the content database and doesn't touch anything else. DOH!

This tool will find the effective permission for an object in a site.  It uses a combination of the object model (to get the siteid) and direct calls to the content database (rather than the slow object model).  This tool must be run by an administrator on a SP box in the farm.  I went ahead and added in my "Find empty permission objects" code too.

Oh, and by the way, there is a column called PermMaskDeny in the Roles table.  Even though SharePoint doesn't have a front end UI or object model deny mechanism…it seems they are thinking ahead to be able to implement explicit "deny" in SharePoint!  Maybe in 2010?  I did try setting it to something (all 1s), but it didn't do anything 🙁  Oh well…

Enjoy!
Chris

Console program that dumps the contents of the Content Database (no SP Object Model)

I have been a big proponent of encrypting the content database for a long, long time.  You can see the proof of that in the event handler and custom action (via SharePoint Designer) labs that I built into my 50064 course.  When you do encryption, though, you gain security at the loss of functionality (Search, browsing, all kinds of things…).  But on the other hand, just leaving your content database for a DBA to handle means that you have a security hole (the DBA).  They simply have to run the attached program to dump the contents of the Content Database.  Super easy…super big hole…and…super fast!

using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.IO;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Tracks how often each leaf name has been seen, so files with the
            // same name in different lists/folders don't overwrite each other on disk.
            Hashtable ht = new Hashtable();

            SqlConnection conn = new SqlConnection("server=localhost;database=wss_Content;uid=sa;pwd=Pa$$w0rd");
            conn.Open();
            SqlCommand cmd = conn.CreateCommand();
            cmd.CommandType = CommandType.Text;
            // AllDocs carries the metadata (LeafName etc.); AllDocStreams carries the file bytes.
            cmd.CommandText = "select * from alldocs ad, alldocstreams ads where ad.id=ads.id";

            SqlDataReader reader = cmd.ExecuteReader();

            while (reader.Read())
            {
                string leafName = reader["leafname"].ToString();
                string filename = leafName;

                if (ht.ContainsKey(leafName))
                {
                    // Suffix repeated names with a counter kept under the ORIGINAL name,
                    // so the third copy becomes "name2", not another "name0".
                    int cnt = (int)ht[leafName] + 1;
                    ht[leafName] = cnt;
                    filename = leafName + cnt.ToString();
                }
                else
                {
                    ht.Add(leafName, 0);
                }

                byte[] file = (byte[])reader["content"];
                // A literal backslash must be escaped in a C# string ("c:\" would not compile).
                File.WriteAllBytes("c:\\" + filename, file);
            }

            reader.Close();
            conn.Close();

            //Done stealing your data…press enter to walk away 🙂
            Console.ReadLine();
        }
    }
}
 

Use auditing on your databases.
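Here is what that auditing advice looks like in practice, as an added example that is not part of the original post or its attached program: a SQL Server Audit (SQL Server 2008 and later) that records every SELECT against the two tables the program above reads, AllDocs and AllDocStreams, in the wss_Content database named in its connection string. The audit name, the specification name and the output path are placeholders chosen for this example; the table and schema names are the ones the program queries.

```sql
-- 1. A server-level audit target: where the records are written.
USE master;
GO
CREATE SERVER AUDIT ContentDbReadAudit                 -- placeholder name
    TO FILE ( FILEPATH = 'D:\SqlAudit\' )               -- placeholder path; must exist and be writable by the SQL service account
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
GO
ALTER SERVER AUDIT ContentDbReadAudit WITH ( STATE = ON );
GO

-- 2. A database audit specification inside the content database:
--    log every SELECT on the two tables a bulk dump has to read.
USE wss_Content;
GO
CREATE DATABASE AUDIT SPECIFICATION ContentDumpSpec    -- placeholder name
    FOR SERVER AUDIT ContentDbReadAudit
    ADD ( SELECT ON OBJECT::dbo.AllDocs       BY public ),
    ADD ( SELECT ON OBJECT::dbo.AllDocStreams BY public )
    WITH ( STATE = ON );
GO

-- 3. Review: which login read the document tables, when, and what it ran.
--    The console program above shows up as a single SELECT joining both
--    tables, attributed to the login in its connection string (here, sa).
SELECT event_time,
       server_principal_name,
       session_id,
       database_name,
       object_name,
       succeeded,
       statement
FROM sys.fn_get_audit_file('D:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE object_name IN ('AllDocs', 'AllDocStreams')
ORDER BY event_time DESC;
```

Two caveats. An audit records the read after the fact; it does not stop it, so it only pays off if someone actually reviews the file or forwards it to a SIEM. And SharePoint's own service accounts read these tables constantly, so baseline the normal volume and principals first, then alert on anything else (an interactive login such as sa, a SELECT without the usual ID filters, or a session that touches AllDocStreams far more often than the web front ends do). Database-level audit specifications required Enterprise edition before SQL Server 2012 SP1.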

Chris

Most Commonly Missed Best Practice with Internet Sites

Wanna know what it is?  It is a disaster waiting to happen!  

Some day an IIS 6.0 vulnerability will come out that allows you to get administrator access to the _vti_bin directory of your SharePoint site.  You will then be able to execute a call to the Lists web service and delete the "Pages" document library!  

To prove it, do a search on Pages/default.aspx in Google.  You will get a listing of all the sites on the internet that are running SharePoint as their internet site.  Check their _vti_bin directory access by appending /_vti_bin/lists.asmx

If you get the web service page for the list service, that company has set up their site WRONG!

The correct way of doing things is to create an extended web application that HAS the _vti_bin and the original with the _vti_bin DELETED!  The original is the internet accessible one and the extended one is accessible only by internal staff (so you can use SharePoint Designer and such).

Anyone feel like writing a vulnerability and the code to delete all the Pages document libraries on the internet to prove my point???  Couldn't be too hard 🙂

CJG