The axkit: URI doesn't allow access to documents on other sites. I think that the document function does though, so it's probably best NOT to use a parameter as the argument for a document call. Not very safe, that! Still, what's the worst they could do? Again, just inject some XML into the input stream. Again, just a DOS attack.

simon

On Friday, February 28, 2003, at 06:46 PM, Jeremy Mates wrote:

A problem I can see is if a <xsl:param> is used as an argument to
something that can pull in remote resources such as the document
function, xsl:include, or xsl:import.  An attacker could in theory
download and inject their own stylesheet into the mix for a cross-site
scripting or information leak attack.  Most likely would blow things up
unless they had access to the stylesheet source.

--
www.simonwoodside.com -- 99% Devil, 1% Angel
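The pattern the thread is discussing, as an added example that is not from this thread or from AxKit: a stylesheet passes a caller-supplied <xsl:param> straight into document(), run once unrestricted and once under libxslt's security preferences via Python's lxml binding (assumed installed; the stylesheet, input document and throwaway "secret" file are constructed for the example).

```python
"""Added example (not AxKit's code): a caller-controlled <xsl:param> fed to
document(), run unrestricted and then under libxslt access control (lxml)."""
import tempfile
from pathlib import Path
from lxml import etree

# Constructed stylesheet showing the risky pattern: the parameter $src
# becomes the argument of document().
STYLESHEET = etree.XML(b"""
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="src"/>
  <xsl:template match="/">
    <xsl:value-of select="document($src)"/>
  </xsl:template>
</xsl:stylesheet>
""")

INPUT_DOC = etree.XML(b"<page/>")  # constructed input document


def run_transform(src_param, restricted):
    """Apply the stylesheet with src_param as the value of $src.

    With restricted=True the transform runs under an XSLTAccessControl that
    forbids file and network reads, so document() cannot pull anything in.
    Returns the text output, or None if libxslt aborted the transform.
    """
    access = None
    if restricted:
        access = etree.XSLTAccessControl(
            read_file=False, write_file=False, create_dir=False,
            read_network=False, write_network=False)
    transform = etree.XSLT(STYLESHEET, access_control=access)
    try:
        result = transform(INPUT_DOC, src=etree.XSLT.strparam(src_param))
    except etree.XSLTApplyError:
        return None
    return str(result)


def demo():
    """Write a throwaway 'sensitive' file and try to read it through $src."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write("<secret>SECRET-TOKEN</secret>")
    uri = Path(fh.name).as_uri()
    leaked = run_transform(uri, restricted=False)   # unrestricted: file is read
    blocked = run_transform(uri, restricted=True)   # access-controlled: denied
    Path(fh.name).unlink()
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("unrestricted:", leaked)
    print("restricted:", blocked)
```

The same restriction is available to AxKit's Perl stack through XML::LibXSLT's security callbacks; the point is that the allow/deny decision belongs in the processor configuration, not in hoping the parameter value is harmless.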




