Date: Tue, 1 Sep 2015 14:27:48 +0530
From: Dis close <disclose@...ersecurityworks.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request - LFI/Path Traversal in NextGen Gallery WordPress Plugin.

Hi List:


"Correction in the information."

The vulnerability is still not fixed even in the latest version 2.1.9. It
can still be exploited.

On 1 September 2015 at 13:00, Dis close <disclose@...ersecurityworks.com>
wrote:

> Hi List:
>
>
> After the vulnerability was disclosed in public, the vendor fixed the
> issue on the same day, 28-08-2015, in the latest version, i.e. NextGen Gallery
> 2.1.9 (https://wordpress.org/plugins/nextgen-gallery/).
>
> Please let us know the status for the CVE.
>
>
> On 28 August 2015 at 15:50, Dis close <disclose@...ersecurityworks.com>
> wrote:
>
>> Hi List:
>>
>>
>> We are requesting CVE for the below mentioned security issue in NextGen
>> Gallery Plugin:
>>
>>
>> Plugin Details:
>> ==============
>> Plugin Name: NextGen Gallery
>> Version: 2.1.7
>> Homepage: https://wordpress.org/plugins/nextgen-gallery/
>>
>>
>>
>> Description
>> ===============
>> NextGEN Gallery is the most popular *WordPress Gallery Plugin* with over 13
>> million downloads.
>>
>> Vulnerability
>> ===============
>> The plugin fails to validate user input in one of the variables, which
>> allows a logged-in user to access system files and other unauthorized files
>> on the server.
>>
>> POC Video Link: https://www.youtube.com/watch?v=KkPVMxubUis
>>
>>
>> Proof of Concept
>> ================
>>
>> By sending the POST request http://localhost/wordpress/?photocrati_ajax=1
>> and modifying the *dir* variable with ../../../ input, a user can traverse
>> the file system and access files even outside the application directory.
>>
>>
>> Disclosure Timeline
>> ==================
>>
>> 17-02-2015: Reported to WP Plugins
>> 18-02-2015: Acknowledged by WP Plugins, saying that the vendor will be
>> informed. No response so far from WP Plugins or the vendor.
>>
>>
>> Discovered by (please provide credit to the following)
>> =====================================================
>>
>> Sathish Kumar
>> Cyber Security Works Pvt Ltd.
>>
>>
>> ----------
>> Cheers !!!
>>
>> Team CSW
>>
>
>
>
> --
> ----------
> Cheers !!!
>
> Team CSW
>



-- 
----------
Cheers !!!

Team CSW
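The advisory above describes a user-controlled *dir* parameter being joined to a filesystem path without confinement. The following is an added example, not code from the plugin or the reporter, of the containment check a plugin should apply before using such a parameter; the function name, the $base gallery root and the temporary directory layout are assumptions made for the demo.

```php
<?php
// Added example (not the plugin's code): resolve a user-supplied directory
// name and accept it only if it stays inside the gallery root $base.
// Both the function name and the demo layout below are assumptions.

function resolve_gallery_dir(string $base, string $user_dir): ?string
{
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;                       // base directory must exist
    }
    // Reject empty input and embedded NUL bytes before touching the filesystem.
    if ($user_dir === '' || strpos($user_dir, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so "../../../etc" becomes
    // its real target and can be compared against the base directory.
    $candidate = realpath($base_real . DIRECTORY_SEPARATOR . $user_dir);
    if ($candidate === false) {
        return null;                       // target does not exist
    }
    // Accept only the base itself or a path strictly below it; the trailing
    // separator stops "/gallery2" from matching a base of "/gallery".
    $prefix = $base_real . DIRECTORY_SEPARATOR;
    if ($candidate !== $base_real && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escapes the base directory
    }
    return $candidate;
}

// Constructed demo layout: <tmp>/ngg_demo_<pid>/gallery/albums, plus a file
// outside the gallery root that a traversal input would try to reach.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ngg_demo_' . getmypid();
$base = $tmp . DIRECTORY_SEPARATOR . 'gallery';
mkdir($base . DIRECTORY_SEPARATOR . 'albums', 0700, true);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'outside.txt', 'not a gallery file');

// In-range names resolve; "../" escapes and NUL-containing names are rejected.
foreach (['albums', '.', '../outside.txt', '../../../../etc', "albums\0x"] as $dir) {
    $resolved = resolve_gallery_dir($base, $dir);
    printf("%-20s => %s\n", addcslashes($dir, "\0"), $resolved ?? 'REJECTED');
}
```

A deny-list that only strips "../" is not a substitute for this check, since encoded or symlinked variants bypass string filtering while the realpath comparison still confines the resolved target.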
