Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 27 Apr 2014 08:56:00 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: XSS in NextCellent Gallery 1.9.13 WordPress plugin

Title: XSS in NextCellent Gallery 1.9.13 WordPress plugin
Author: Larry W. Cashdollar, @_larry0
Download: http://wpgetready.com/nextcellent-gallery/

Vendor Notified: 3/20/2014

CVE: Please assign one at your leisure. 

Vulnerability Fixed: 4/24/2014 in Nextcellent Gallery v1.19.18.


The user supplied data for the Alt & Title Text field isn't escaped before being printed out in the value field:

Vulnerability:
>From nextcellent-gallery-nextgen-legacy/admin/manage-images.php lines:
503 <td <?php echo $attributes ? >> 
504 <input placeholder=" <?php _e("Alt & title text",'nggallery'); ?>" name="alttext[<?php echo $pid ?>]" type="text" style="width:95%; margin-bottom: 2px;" value="<?php echo stripslashes($picture->alttext) ?>" 
505 <textarea placeholder="<?php _e("Description",'nggallery'); ?>" name="description[<?php echo $pid ?>]" style="width:95%; margin: 1px;" rows="2" ><?php echo stripslashes($picture->description) ?></textarea>
506 </td>
The HTML code produced is:

<td class='alt_title_desc column-alt_title_desc'> <input placeholder="Alt & title text!" name="alttext[1]" type="text" style="width:95%; margin-bottom: 2px;" value=""><script>alert('hi')</script>"<" /><br/> <textarea placeholder="Description" name="description[1]" style="width:95%; margin: 1px;" rows="2" >"</a><script>alert('hi')</script><a>"</textarea> </td>
<td class='tags column-tags'><textarea placeholder="Separated by commas"name="tags[1]" style="width:95%;" rows="2"></textarea></td> <td class='exclude column-exclude'><input name="exclude[1]" type="checkbox" value="1" /></td>

A screen shot is shown with the full advisory by following the link below.

Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/nextCellent-gallery-1.9.13/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.