Remote XSL inclusion

Published on 2008-05-02. Updated on 2009-04-22.

Description:
This script is possibly vulnerable to remote XSL inclusion: the path to the XSL file can be controlled by the attacker, so it is possible to include malicious XSL files.

Impact:
It is possible for a remote attacker to include an XSL file from local or remote resources. An attacker can use this flaw to perform XSS (cross-site scripting) attacks, partial file inclusion attacks and, in some cases, even execute PHP code.

Recommendation:
Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of accepted filenames and restrict the input to that list.
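The allowlist approach from the recommendation, as an added PHP example (not code from the original alert); the stylesheet directory, the key names and the file names are assumed, and the stylesheets are assumed to be self-contained:

```php
<?php
// Vulnerable pattern: the request parameter is used directly as the stylesheet
// path, so a local path or a remote URL chosen by the client gets loaded.
//   $xsl->load($_GET['xsl']);

// Hardened pattern: the client only supplies a short key; the key is mapped to
// a fixed file inside a fixed directory. Anything not in the map is rejected.
const STYLESHEET_DIR = __DIR__ . '/xsl';          // assumed directory
const STYLESHEETS = [                              // assumed key => file map
    'summary' => 'summary.xsl',
    'detail'  => 'detail.xsl',
];

function resolveStylesheet(string $key): ?string
{
    if (!array_key_exists($key, STYLESHEETS)) {
        return null;                               // unknown key: refuse
    }
    return STYLESHEET_DIR . '/' . STYLESHEETS[$key];
}

function transform(string $xmlPath, string $key): string
{
    $xslPath = resolveStylesheet($key);
    if ($xslPath === null) {
        http_response_code(400);
        return 'unknown stylesheet';
    }

    $xsl = new DOMDocument();
    $xsl->load($xslPath);

    $proc = new XSLTProcessor();
    // registerPHPFunctions() is deliberately NOT called: it is what lets a
    // stylesheet invoke PHP functions, i.e. the code-execution case above.
    // Also forbid document()/xsl:include reads of local files and the network
    // from inside the stylesheet (assumes the allowlisted stylesheets are
    // self-contained and do not include other files).
    $proc->setSecurityPrefs(
        XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK
    );
    $proc->importStylesheet($xsl);

    $xml = new DOMDocument();
    $xml->load($xmlPath);
    return $proc->transformToXml($xml);
}

// Usage: the 'view' parameter selects a key, never a path.
echo transform(__DIR__ . '/data.xml', (string)($_GET['view'] ?? ''));
```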

Tags: Parameter manipulation

Alert Tags: file_inclusion
ApplicableApplicationServer : All
ApplicableOS: All
ApplicableWebServer: All

References:

  • Acunetix
