Simple tip for identifying Sharepoint site (server information leakage)

Just the other day, when implementing a new Sharepoint solution, I spotted a strange behaviour in Sharepoint 2010.

For the current solution some querystring parameters had to be passed around between various pages. One of these parameters happened to have a name of "id". When using this I started seeing a strange behaviour on my Sharepoint site. Suddenly it started throwing exceptions when navigating to pages with this parameter. After testing it on some other websites (that I knew to be Sharepoint sites) I succeeded in invoking the same behaviour and thus forcing an exception to be thrown.

An example can be seen here: http://danskebank.dk/da-dk/Privat/Pages/Privat.aspx?id=5

Based on the issue and the behaviour of document libraries, it seems to be related somehow to the fact that pages are stored in document libraries: when the "id" parameter is added to the URL, Sharepoint begins searching for an item with that id in the library, which it may have trouble finding, and then throws an error.

This is most likely by design, but it also leaks information about the website, and if not locked down properly it might even reveal information about the server running the site.

So always remember to use a custom error page on a public-facing website to prevent information leakage.
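A way to check your own site's error responses for the leak described in this post, as an added example that is not part of the original post. The function and sample names are hypothetical, both sample responses are constructed, and the body markers assume the default ASP.NET detailed error page.

```python
import re

# Response headers that can disclose the platform and its version.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "microsoftsharepointteamservices")

# Fragments of the default ASP.NET detailed error page.
BODY_MARKERS = {
    "aspnet_error_page": re.compile(r"Server Error in '.*?' Application"),
    "stack_trace": re.compile(r"Stack Trace:|^\s*at [\w.]+\(", re.M),
    "framework_version": re.compile(r"Microsoft \.NET Framework Version:\s*[\d.]+"),
}

def audit_error_response(headers, body):
    """Return a sorted list of information-leak findings for one response."""
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in VERSION_HEADERS:
        # Only report a header when its value carries a version number.
        if re.search(r"\d", lowered.get(name, "")):
            findings.append("header:" + name)
    for label, pattern in BODY_MARKERS.items():
        if pattern.search(body):
            findings.append("body:" + label)
    return sorted(findings)

# Constructed response: detailed errors enabled, version headers present.
LEAKY_HEADERS = {
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "2.0.50727",
    "MicrosoftSharePointTeamServices": "14.0.0.0000",
}
LEAKY_BODY = (
    "<title>Server Error in '/' Application.</title>\n"
    "<b>Stack Trace:</b>\n"
    "   at Example.Web.PageHandler.Load(Int32 id)\n"
    "<b>Version Information:</b> Microsoft .NET Framework Version:2.0.50727.0000\n"
)

# Constructed response: custom error page, version headers removed.
HARDENED_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_BODY = "<h1>Something went wrong</h1><p>Please try again later.</p>"

if __name__ == "__main__":
    print(audit_error_response(LEAKY_HEADERS, LEAKY_BODY))
    print(audit_error_response(HARDENED_HEADERS, HARDENED_BODY))
```

Feed it the headers and body your own public site returns for a failing request; an empty list means none of these markers are exposed.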

Sharepoint Self-Service

When trying to take advantage of the Sharepoint Self-service in Sharepoint 2010, we attempted to provide access to a group of users with as few Sharepoint rights as possible. Looking at the rights, the obvious and only selection to give rights to was Use Self-Service Site Creation. Giving that right only gave the infamous “Access Denied” from Sharepoint.

So after looking a bit further into the basic rights of Sharepoint 2010, I came across this page, which displays all the permission levels + the names of the groups that have them as default. Here you can see some permissions that have the listing of “All”, so in order to provide minimum rights to a user, you also have to give those permissions, which are:

View Application Pages
View Pages
Browse User Information
Open

So the conclusion was that to give minimum rights to a user to create sites via self-service, you actually need to grant 5 permissions.

Relative Sharepoint Urls

Just the other day I was reminded of 2 “shortcuts” in Sharepoint that can be used for url-references:

~site, which will provide the url of the current site that you are located in
~sitecollection, which will provide the url of the sitecollection

The last one is especially useful when deploying Sandbox solutions where you include and reference deployed stylesheets, scripts and other types of content.

Sharepoint

Having recently changed jobs, I am now involved in a Sharepoint upgrade project from Sharepoint 2007 to 2010. My intention for this blog, for the time to come, is to write about some of the experiences I gain throughout the upgrade period, so stay tuned…