Date: Tue, 1 Sep 2015 14:27:48 +0530
From: Dis close <disclose@...ersecurityworks.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request - LFI/Path Traversal in NextGen Gallery WordPress Plugin.

Hi List:

"Correction in the information."

The vulnerability is still not fixed even in the latest version 2.1.9. It can still be exploited.

On 1 September 2015 at 13:00, Dis close <disclose@...ersecurityworks.com> wrote:
> Hi List:
>
> After the vulnerability was disclosed in public the vendor has fixed the
> issue on the same day 28-08-2015 in the latest version i.e. NextGen Gallery
> 2.1.9 (https://wordpress.org/plugins/nextgen-gallery/).
>
> Please let us know the status for the CVE.
>
> On 28 August 2015 at 15:50, Dis close <disclose@...ersecurityworks.com> wrote:
>
>> Hi List:
>>
>> We are requesting a CVE for the below mentioned security issue in the NextGen
>> Gallery Plugin:
>>
>> Plugin Details:
>> ==============
>> Plugin Name: NextGen Gallery
>> Version: 2.1.7
>> Homepage: https://wordpress.org/plugins/nextgen-gallery/
>>
>> Description
>> ===============
>> NextGEN Gallery is the most popular *WordPress Gallery Plugin* with over 13
>> million downloads.
>>
>> Vulnerability
>> ===============
>> The plugin fails to validate user input in one of the variables, which
>> allows a logged-in user to access system files and other unauthorized files
>> on the server.
>>
>> POC Video Link: https://www.youtube.com/watch?v=KkPVMxubUis
>>
>> Proof of Concept
>> ================
>> Accessing the POST request http://localhost/wordpress/?photocrati_ajax=1
>> and modifying the *dir* variable with ../../../ input, a user can traverse the
>> file system and access files even outside the application directory.
>>
>> Disclosure Timeline
>> ==================
>> 17-02-2015: Reported to WP Plugins
>> 18-02-2015: Acknowledged by WP Plugins, saying that the vendor will be
>> informed. But till now no response from WP Plugins or the vendor.
>>
>> Discovered by (please provide credit to the following)
>> =====================================
>> Sathish Kumar
>> Cyber Security Works Pvt Ltd.
>>
>> ----------
>> Cheers !!!
>>
>> Team CSW
>
> --
> ----------
> Cheers !!!
>
> Team CSW

--
----------
Cheers !!!

Team CSW
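The thread above describes a `dir` parameter that accepts `../../../` and escapes the application directory. The following PHP is an added defender-side example, not NextGen Gallery's own code: it canonicalises the requested directory and rejects anything that resolves outside an assumed gallery root. The function name `resolve_gallery_dir()` and the `$galleryRoot` parameter are assumptions for illustration.

```php
<?php
// Added example (not NextGen Gallery's code): canonicalise a user-supplied
// "dir" parameter and reject anything that resolves outside the gallery root.
// resolve_gallery_dir() and $galleryRoot are assumed names for illustration.

function resolve_gallery_dir(string $galleryRoot, string $requestedDir): ?string
{
    // Canonicalise the trusted root first; it must exist on disk.
    $root = realpath($galleryRoot);
    if ($root === false) {
        return null;
    }

    // Reject NUL bytes early: they truncate paths in C-backed filesystem calls.
    if (strpos($requestedDir, "\0") !== false) {
        return null;
    }

    // Resolve the candidate relative to the root. realpath() collapses "..",
    // ".", duplicate separators and symlinks, and returns false if the path is missing.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requestedDir);
    if ($candidate === false) {
        return null;
    }

    // The resolved path must be the root itself or lie strictly below it.
    // Comparing against the root plus a trailing separator prevents a sibling
    // such as "/var/www/galleries2" from matching a root of "/var/www/galleries".
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && strncmp($candidate, $rootWithSep, strlen($rootWithSep)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-contained demo on a throwaway directory tree (constructed, not real data).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'album1', 0700, true);

foreach (['album1', '.', 'album1/../album1', '../../../etc', 'missing'] as $dir) {
    $result = resolve_gallery_dir($base, $dir);
    printf("%-20s => %s\n", $dir, $result === null ? 'REJECTED' : 'ok: ' . $result);
}

rmdir($base . DIRECTORY_SEPARATOR . 'album1');
rmdir($base);
```

The traversal input from the report resolves to a path outside the root and is rejected, while `album1/../album1` is accepted because it canonicalises back inside the root; the check is on the resolved path, not on the presence of `..` in the string.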