XSLT Visualizer Security Vulnerability
Hey,
A security audit carried out by an external company has highlighted the XSLT Visualizer as a potential security risk. XSLT allows embedding of C# code which can be used to access config files and potentially execute commands.
As we don't use it, is there any way in Umbraco 7 to
Thanks, Chris
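To make concrete what "XSLT allows embedding of C# code" means at the engine level, here is an added example (not from this thread and not Umbraco's own code) that loads a constructed stylesheet containing an msxsl:script block under the .NET XslCompiledTransform, once with the default settings and once with script explicitly enabled. It assumes .NET Framework (the platform Umbraco 7 runs on); the script body is deliberately harmless, the point is only whether the engine compiles it at all.

```csharp
// Added example, not part of the forum thread or of Umbraco.
// Assumes .NET Framework and System.Xml.Xsl.
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

public static class XsltScriptCheck
{
    // Constructed sample stylesheet with an msxsl:script block.
    // The script only returns a string; what matters is whether the
    // engine is willing to compile embedded code at all.
    const string StylesheetWithScript = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:ext=""urn:example-ext"">
  <msxsl:script language=""C#"" implements-prefix=""ext"">
    public string Hello() { return ""hello from script""; }
  </msxsl:script>
  <xsl:template match=""/"">
    <out><xsl:value-of select=""ext:Hello()""/></out>
  </xsl:template>
</xsl:stylesheet>";

    // Returns true when the stylesheet compiles under the given settings,
    // false when the XSLT engine rejects it.
    public static bool TryLoad(XsltSettings settings)
    {
        var xslt = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(StylesheetWithScript)))
        {
            try
            {
                // A null XmlResolver additionally stops xsl:include / document()
                // from pulling in external resources.
                xslt.Load(reader, settings, null);
                return true;
            }
            catch (XsltException)
            {
                // Raised when script blocks are present but scripting is disabled.
                return false;
            }
        }
    }

    public static void Main()
    {
        // XsltSettings.Default disables both script and document(): the load fails.
        Console.WriteLine("Default settings, script block accepted: "
            + TryLoad(XsltSettings.Default));

        // Explicitly enabling script is what turns a stylesheet into a
        // code-execution surface; this is the setting a visualizer that
        // compiles user-supplied XSLT would have to pass.
        var permissive = new XsltSettings(enableDocumentFunction: false, enableScript: true);
        Console.WriteLine("EnableScript=true, script block accepted: "
            + TryLoad(permissive));
    }
}
```

The defensive takeaway is that script support is opt-in: any endpoint that accepts XSLT from a request and loads it with EnableScript set to true is a code-execution endpoint, and the access controls in front of it (and CSRF protection on it) are the only thing standing between an attacker and the server.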
I believe this is only true if you are allowing
AFAIK, the macro XSLT is generated by backoffice users, not normal users, so they should not be able to do 1.
If you are accepting end user input to use in XSLT then YOU should validate it first.
So in conclusion it is only a security risk if used badly.
It's also true if someone manages to lure you to a Phishing site while you are logged in as an admin and triggers a post to that endpoint.
As stated in the original question, we don't use it, badly or otherwise; it's just bad, therefore we'd like to remove it as cleanly as possible. Right now the only way we have to do that is to block the URL and delete the aspx file.