Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Chris 9 posts 90 karma points
    Jul 08, 2020 @ 10:15
    Chris
    0

    XSLT Visualizer Security Vulnerability

    Hey,

    A security audit carried out by an external company has highlighted the XSLT Visualizer as a potential security risk. XSLT allows embedding of C# code which can be used to access config files and potentially execute commands.

    As we don't use it, is there any way in Umbraco 7 to

    1. Disable XSLT macros
    2. Disable the XSLT Visualizer
    3. Disable embedding of scripting languages in XSLT?

    Thanks, Chris

  • Huw Reddick 1702 posts 5999 karma points MVP c-trib
    Jul 26, 2020 @ 08:38
    Huw Reddick
    0

    I believe this is only true if you are allowing

    1. normal end users to upload their own XSLT files
    2. normal end users to enter values which are then used in the xslt template without validation.

    AFAIK, the macro xslt is generated by backoffice users not normal users so they should not be able to do 1.

    If you are accepting end user input to use in XSLT then YOU should validate it first.

    So in conclusion it is only a security risk if used badly.

  • Chris 9 posts 90 karma points
    Jul 28, 2020 @ 11:05
    Chris
    0

    It's also true if someone manages to lure you to a Phishing site while you are logged in as an admin and triggers a post to that endpoint.

    As stated in the original question, we don't use it, badly or otherwise, it's just bad, therefore we'd like to remove it as cleanly as possible. Right now the only way we have to do that is to block the URL and delete the aspx file.

Please Sign in or register to post replies

Write your reply to:

Draft