Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 4 May 2014 23:31:39 -0400 (EDT)
From: cve-assign@...re.org
To: larry0@...com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> XSS in NextCellent Gallery 1.9.13 WordPress plugin
> 
> Vulnerability Fixed: 4/24/2014 in Nextcellent Gallery v1.19.18.
> 
> http://wordpress.org/plugins/nextcellent-gallery-nextgen-legacy/changelog/
> 
> http://www.vapid.dhs.org/advisories/wordpress/plugins/nextCellent-gallery-1.9.13/

Comparing the http://openwall.com/lists/oss-security/2014/02/20/12
post to the http://openwall.com/lists/oss-security/2014/04/27/1 post,
the former says "If a user with permission to add media or edit media
uploads a file with "<script>alert(1)</script>" as the title they can
XSS the site admin user."

The latter does not describe how the attack crosses privilege
boundaries.

add_image seems to be protected by:

  // Check if you have the correct capability for upload
  if ( !current_user_can('NextGEN Upload images') ) {
          logIO('O', '(NGG) User does not have upload_files capability');
          $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
          return $this->error;


update_image seems to be protected by:

  if ( !current_user_can( 'NextGEN Manage gallery' ) && !nggAdmin::can_manage_this_gallery($image->author) )
      return new IXR_Error( 401, __( 'Sorry, you must be able to edit this image' ) );


These functions make use of the $alttext and $description values.

So, apparently any user with the "NextGEN Upload images" or "NextGEN
Manage gallery" or "NextGEN Manage others gallery" capability can
conduct an XSS attack against a user with the Administrator role, in
order to gain privileges.

Use CVE-2014-3123.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTZwWdAAoJEKllVAevmvmsDmcIALAj+V+s46tOKj8pR3orAs2U
jRHQjdnwSZPI5imSYlr4XregLTwCTVXVW8Yig1Mv7H7R47ks1V7Sywc6k6va6iSd
kcq4mEqDE/3ozMR3vfOzSR8FYEHCjHqj862zPT3LhcaiBw/fb3AMcghhhnT8XY5z
0ahsXph9W3fWg8YeRwy2DXsGRKuuSGAoQG2jZ8wmOvJhG/ldcU8cVFLy/hhVDyIX
wfR/dLj+ZANP39P7YEYtXgaQZAwt8nLeSvYffEBvckzW5hSAkHVj9iQhB4mv6uTo
HnL2WuNE+pXHzWnz7NkW9dlw0MH3COfC+jvdfPALa3ELh9vIZoJvkJiFRae8VUM=
=Fspe
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ