NextLabs’ Entitlement Manager Issue #5 - Users could workaround to display restricted lists through SharePoint 2010 RPC calls

We are evaluating NextLabs EntitlementManager to restrict the users belong to some security groups toaccess selected site collections with sensitive information even these users have been granted the permission through individual account, any AD groups, or email list groups. One of the test cases is to verify access permissions through SharePoint Foundation RPC Protocol (RPC) methods.

SharePoint Foundation RPC Protocol (RPC) methods that can be used in URL protocol to make HTTP GET requests. Although this may not be a very common method for end users, this is one of the security concerns. The test result is very promising since after we applied policy to deny acccess to the list or library, users will get error when he/she try to access the list or library through SharePoint RPD calls with only one cavity. Here is the set up and explination.

We have set up one site with one library named lib1 http://xnetsbx-sp/it/nextlab1/lib1 with two documents. The list GUID is E757FF25-7CE0-406C-991D-D078FB008B39.

We applied the deny access to both http://xnetsbx-sp/it/nextlab1/** and http://xnetsbx-sp/it/nextlab1/lib1/** from NextLabs.

We have set up several RPC cases based some references. We got deny access error when accesing following RPC calls with error message looks like this.

Here are some of the RPC test cases and the URL syntex embedded as link.

• Export list to Excel steps  
• Exports this SharePoint List as a CAML file(.XML)
• Display list or library metadata
• Opens a view of the document libraries within a site

If you have the permission, you should have the following outputs.

1. Picture 1 - Exports the list as CAML

 

2. Picture 2 - Display list or library metadata

 

3. Picture 3 -  Open a view of the document library in a view

 

Everything seems perfect and contents are blocked after applying the deny access polcy from NextLabs until I accidently typied in one wrong URL to open a view of the document library in a view. Here is the issue.

If you type in the correct URL http://xnetsbx-sp/it/nextlab1/_vti_bin/owssvr.dll?dialogview=FileOpen&location=lib1, you will get error message. 

If you append some other parameters to the URL like this

http://xnetsbx-sp/it/nextlab1/_vti_bin/owssvr.dll?dialogview=FileOpen&location=lib1?dialogview=FileOpen&location=lib1, you are able to get the view in browser as above picture 3!!!

The good thing is users still could not open the documents even they could view the library. I guess more testing need to be done.