
List:       oss-security
Subject:    [oss-security] Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2014-04-30 15:42:28
Message-ID: 0B442A5E-3A81-4448-B67F-9CE4E99D713D () me ! com

Hi All,

Sorry, I should have been more clear. May I have a CVE assigned to this issue?

Thanks!

Larry C$
On Apr 27, 2014, at 8:56 AM, Larry W. Cashdollar <larry0@me.com> wrote:

> Title: XSS in NextCellent Gallery 1.9.13 WordPress plugin
> Author: Larry W. Cashdollar, @_larry0
> Download: http://wpgetready.com/nextcellent-gallery/
> 
> Vendor Notified: 3/20/2014
> 
> CVE: Please assign one at your leisure. 
> 
> Vulnerability Fixed: 4/24/2014 in Nextcellent Gallery v1.19.18.
> 
> 
> The user supplied data for the Alt & Title Text field isn't escaped before being printed out
> in the value field:
> Vulnerability:
> From nextcellent-gallery-nextgen-legacy/admin/manage-images.php lines:
> 503 <td <?php echo $attributes ?>>
> 504 <input placeholder=" <?php _e("Alt & title text",'nggallery'); ?>" name="alttext[<?php echo $pid ?>]" type="text" style="width:95%; margin-bottom: 2px;" value="<?php echo stripslashes($picture->alttext) ?>"
> 505 <textarea placeholder="<?php _e("Description",'nggallery'); ?>" name="description[<?php echo $pid ?>]" style="width:95%; margin: 1px;" rows="2" ><?php echo stripslashes($picture->description) ?></textarea>
> 506 </td>
>
> The HTML code produced is:
>
> <td class='alt_title_desc column-alt_title_desc'>
> <input placeholder="Alt & title text!" name="alttext[1]" type="text" style="width:95%; margin-bottom: 2px;" value=""><script>alert('hi')</script>"<" /><br/>
> <textarea placeholder="Description" name="description[1]" style="width:95%; margin: 1px;" rows="2" >"</a><script>alert('hi')</script><a>"</textarea>
> </td>
> <td class='tags column-tags'><textarea placeholder="Separated by commas"name="tags[1]" style="width:95%;" rows="2"></textarea></td>
> <td class='exclude column-exclude'><input name="exclude[1]" type="checkbox" value="1" /></td>
> 
> A screen shot is shown with the full advisory by following the link below.
> 
> Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/nextCellent-gallery-1.9.13/
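
The output-encoding pattern for the two fields quoted above, as an added example (not the plugin's code and not the vendor's actual fix). The function names are hypothetical, the sample values are constructed from the output quoted in the advisory, and htmlspecialchars() stands in for WordPress's esc_attr()/esc_textarea() so the script runs without WordPress loaded.

```php
<?php
// Added example. h(), render_unescaped() and render_escaped() are hypothetical names.

function h(string $s): string {
    // ENT_QUOTES encodes both " and ', so a stored value cannot close the
    // value="..." attribute it is printed into.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern from the advisory: stripslashes() only, no output encoding.
function render_unescaped(int $pid, string $alttext, string $description): string {
    return '<input name="alttext[' . $pid . ']" type="text" value="'
         . stripslashes($alttext) . '" />'
         . '<textarea name="description[' . $pid . ']" rows="2">'
         . stripslashes($description) . '</textarea>';
}

// Same markup, with each stored value encoded at the point of output.
function render_escaped(int $pid, string $alttext, string $description): string {
    return '<input name="alttext[' . $pid . ']" type="text" value="'
         . h(stripslashes($alttext)) . '" />'
         . '<textarea name="description[' . $pid . ']" rows="2">'
         . h(stripslashes($description)) . '</textarea>';
}

// Constructed sample values, modelled on the HTML quoted in the advisory.
$alttext     = '"><script>alert(\'hi\')</script>"<';
$description = '"</a><script>alert(\'hi\')</script><a>"';

$rendered = [
    'unescaped' => render_unescaped(1, $alttext, $description),
    'escaped'   => render_escaped(1, $alttext, $description),
];

// Check 1: does stored data reach the page as raw markup?
foreach ($rendered as $label => $html) {
    $raw = strpos($html, '<script') !== false ? 'yes' : 'no';
    printf("%-10s raw <script in output: %s\n", $label, $raw);
}

// Check 2: encoding is lossless, so the admin still sees the text they saved.
$roundtrip = htmlspecialchars_decode(h($alttext), ENT_QUOTES) === $alttext;
printf("escaped value decodes to original: %s\n", $roundtrip ? 'yes' : 'no');

echo $rendered['escaped'], "\n";
```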

