Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 30 Apr 2014 11:42:28 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin

Hi All,

Sorry I should have been more clear,  May I have a CVE assigned to this issue?

Thanks!

Larry C$
On Apr 27, 2014, at 8:56 AM, Larry W. Cashdollar <larry0@...com> wrote:

> Title: XSS in NextCellent Gallery 1.9.13 WordPress plugin
> Author: Larry W. Cashdollar, @_larry0
> Download: http://wpgetready.com/nextcellent-gallery/
> 
> Vendor Notified: 3/20/2014
> 
> CVE: Please assign one at your leisure. 
> 
> Vulnerability Fixed: 4/24/2014 in Nextcellent Gallery v1.19.18.
> 
> 
> The user supplied data for the Alt & Title Text field isn't escaped before being printed out in the value field:
> 
> Vulnerability:
> From nextcellent-gallery-nextgen-legacy/admin/manage-images.php lines:
> 503 <td <?php echo $attributes ? >> 
> 504 <input placeholder=" <?php _e("Alt & title text",'nggallery'); ?>" name="alttext[<?php echo $pid ?>]" type="text" style="width:95%; margin-bottom: 2px;" value="<?php echo stripslashes($picture->alttext) ?>" 
> 505 <textarea placeholder="<?php _e("Description",'nggallery'); ?>" name="description[<?php echo $pid ?>]" style="width:95%; margin: 1px;" rows="2" ><?php echo stripslashes($picture->description) ?></textarea>
> 506 </td>
> The HTML code produced is:
> 
> <td class='alt_title_desc column-alt_title_desc'> <input placeholder="Alt & title text!" name="alttext[1]" type="text" style="width:95%; margin-bottom: 2px;" value=""><script>alert('hi')</script>"<" /><br/> <textarea placeholder="Description" name="description[1]" style="width:95%; margin: 1px;" rows="2" >"</a><script>alert('hi')</script><a>"</textarea> </td>
> <td class='tags column-tags'><textarea placeholder="Separated by commas"name="tags[1]" style="width:95%;" rows="2"></textarea></td> <td class='exclude column-exclude'><input name="exclude[1]" type="checkbox" value="1" /></td>
> 
> A screen shot is shown with the full advisory by following the link below.
> 
> Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/nextCellent-gallery-1.9.13/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ