Date: Thu, 14 Feb 2013 08:37:29 -0200
From: Henrique Montenegro <typoon@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - Full Path disclosure on Wordpress plugin NextGEN Gallery

Good morning,

I have found an issue with a full-path disclosure in the NextGEN Gallery
1.9.10 and 1.9.11 for WordPress, a plugin with 6+ million downloads.
This issue would let a user obtain information about paths he/she is
not supposed to know on the server.
This does not depend on PHP's display_errors being set to ON, as the
information is disclosed by an XML/JSON that is generated by the plugin code.

PoC:

http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=json&method=gallery&id=1

http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=xml&method=recent&limit=1

Plugin page at WordPress:
http://wordpress.org/extend/plugins/nextgen-gallery/

I informed the WordPress team of this issue on February 8th, but no
response has been given about it.

Regards,

Henrique
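
An added example, not part of the original post and not the plugin's code: a Python check a site owner can run over their own site's `format=json` and `format=xml` API responses to flag absolute filesystem paths in the output. The sample responses, the field names (`imagePath`, `thumbPath`) and the path pattern are constructed assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Absolute filesystem paths: common Unix roots or a Windows drive path.
# The lookbehind keeps URL paths (http://host/home/...) from matching.
ABS_PATH = re.compile(
    r"(?<![\w:/.])(?:/(?:var|home|srv|usr|opt|www)/[\w.\-/]+|[A-Za-z]:\\[\w.\-\\]+)")
JSONP = re.compile(r"^\s*[\w.$]+\s*\((.*)\)\s*;?\s*$", re.S)  # callback(...) wrapper


def _walk_json(node, where="$"):
    """Yield (location, string) for every string value in a decoded JSON tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk_json(val, f"{where}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk_json(val, f"{where}[{i}]")
    elif isinstance(node, str):
        yield where, node


def _walk_xml(root):
    """Yield (location, string) for element text and attribute values."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()
        for name, val in elem.attrib.items():
            yield f"{elem.tag}@{name}", val


def find_path_leaks(body, fmt):
    """Return [(location, leaked_path)] for a format=json or format=xml body."""
    if fmt == "json":
        wrapped = JSONP.match(body)  # callback=json wraps the JSON payload
        values = _walk_json(json.loads(wrapped.group(1) if wrapped else body))
    else:
        # Meant for your own site's output; use defusedxml for untrusted XML.
        values = _walk_xml(ET.fromstring(body))
    return [(loc, m.group(0)) for loc, text in values for m in ABS_PATH.finditer(text)]


# Constructed sample responses; field names and paths are hypothetical.
SAMPLE_JSON = 'json({"stat":"ok","images":[{"pid":"1","imageURL":"http://example.test/wp-content/gallery/a/1.jpg","imagePath":"/var/www/site/wp-content/gallery/a/1.jpg"}]});'
SAMPLE_XML = '<response><stat>ok</stat><image><pid>1</pid><thumbPath>/home/user/public_html/wp-content/gallery/a/thumbs/thumbs_1.jpg</thumbPath></image></response>'
```

An empty list from `find_path_leaks` means no value in the response matched the path pattern; any hit names the field to strip or rewrite to a URL before the response is sent.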
