XSS - NEXTGEN GALLERY 0.96 WORDPRESS PLUGIN
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: XSS - NEXTGEN GALLERY 0.96 WORDPRESS PLUGIN
- From: "Eduardo Jorge" <serrano.neves@xxxxxxxxx>
- Date: Sat, 7 Jun 2008 23:07:36 -0300
==============================
XSS - Nextgen gallery 0.96 wordpress plugin
==============================
Author: Eduardo Neves a.k.a _eth0_
Date: 07 June 2008
Site: webappsecurity.wordpress.com
—————————————
APPLICATION : Nextgen gallery
VERSION : <= 0.96
VENDOR : http://wordpress.org/extend/plugins/nextgen-gallery/
DOWNLOAD : http://wordpress.org/extend/plugins/nextgen-gallery/
—————————————
IMPACT: XSS, XSRF, etc.
—————————————
Description:
This vulnerability can be exploited by writing malicious (or harmless)
code in the description textbox.
Link:
http://[host]/[directory]/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=[galleryID]&_wpnonce=0b3c0996ed
In the description textbox write the text:
<script>alert('xss');</script>
When the gallery is posted and a user clicks on a photo, the script
is executed!
--
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds
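
The report above is a stored XSS: the description is saved as typed and later written into the gallery page without encoding. The following is an added example, not code from the advisory or from NextGEN Gallery; the function names, markup and sample record are hypothetical, and only the test string is taken from the advisory.

```php
<?php
// Added example, not NextGEN Gallery code. Function names, markup and the
// sample record are hypothetical; only the test string is from the advisory.

// Vulnerable pattern: the stored description is written into the page as-is,
// both inside an attribute value and as element text.
function render_thumb_unsafe(array $img): string {
    return '<a href="' . $img['url'] . '" title="' . $img['description'] . '">'
         . '<img src="' . $img['thumb'] . '"></a>'
         . '<p class="desc">' . $img['description'] . '</p>';
}

// Hardened pattern: encode at output time. ENT_QUOTES encodes both quote
// styles, so the result cannot break out of a quoted attribute value or
// open a new tag in element text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Note: h() handles HTML encoding only. Restricting URL schemes in href/src
// is a separate control and is not shown here.
function render_thumb_safe(array $img): string {
    return '<a href="' . h($img['url']) . '" title="' . h($img['description']) . '">'
         . '<img src="' . h($img['thumb']) . '"></a>'
         . '<p class="desc">' . h($img['description']) . '</p>';
}

// Constructed sample record carrying the advisory's test string.
$img = [
    'url'         => '/gallery/full/1.jpg',
    'thumb'       => '/gallery/thumbs/1.jpg',
    'description' => "<script>alert('xss');</script>",
];

$unsafe = render_thumb_unsafe($img);
$safe   = render_thumb_safe($img);

// Regression check: the raw tag survives the first renderer and must not
// survive the second one.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') === false);
echo $safe, PHP_EOL;
```

Inside WordPress itself, esc_attr() and esc_html() are the context-specific equivalents of the h() helper used here.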