Multiple Cross site Scripting (XSS) in NextGEN Gallery by Photocrati Version 2.1.15 #5

Open
cybersecurityworks opened this issue Sep 14, 2015 · 0 comments
cybersecurityworks commented Sep 14, 2015

Details

WordPress Product Bug Report
Bug Name: Multiple Cross Site Scripting (XSS)
Software: NextGEN Gallery
Version: 2.1.15
Last Updated: 09-09-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Compatible up to WordPress 4.3.0 (Requires: 3.6.1 or higher)
Severity: High
Status: Not Fixed
Exploitation Requires Authentication?: Yes
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1/
Vulnerable Variables: images[1][alttext] & path
POC URL: https://www.youtube.com/watch?v=FYpOdlehFfo

Description

Cross Site Scripting (XSS) vulnerability in the WordPress plugin Gravity Forms. By exploiting a cross-site scripting vulnerability, the attacker can hijack a logged-in user's session by stealing cookies. This means that the malicious hacker can change the logged-in user's password and invalidate the victim's session while the hacker maintains access.

Proof of Concept (POC)

Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1. Modify the values of the images[1][alttext] and path variables in NextGEN Gallery Photocrati Version 2.1.10 with the payload ’)”></script><script>alert(document.cookie);</script> and save; then view the page again.

Now, the added XSS payload will be executed whenever the user reviews it.

Note: The XSS payload was tested against the application once more after enabling the unfiltered HTML restriction in the wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

Issue 1:

The POST request parameter images[1][alttext] at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 of NextGEN Gallery plugin version 2.1.10 is vulnerable to Cross Site Scripting (XSS).

Figure 1: XSS payload injected into the images[1][alttext] variable at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1

Figure 2: XSS payload executes in the browser whenever the user views it.

Figure 3: XSS payload injected into the path variable at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=3&paged=1

Figure 4: XSS payload executes in the browser whenever the user views it.


Reproducing Steps

  1. Log on to any WordPress application (localhost or public host).
  2. Modify the variable images[1][alttext] in NextGEN Gallery Photocrati Version 2.1.10 (recently updated version) at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1
  3. Fill all the variables with the payload ’)”></script><script>alert(document.cookie);</script> and save; then view the page again.
  4. Now the added XSS payload will be executed whenever the user reviews it.

Users: You MUST be an Administrator and logged into the site as an Administrator in order to enter/test XSS HTML testing code in the reported variables. Please do NOT actually try this test. It has been published for security awareness.


Timeline

2015-02-17 – Discovered in NextGen Gallery 2.1.7 version.
2015-02-17 – Reported to plugins@wordpress.org
2015-02-18 – Vendor responded saying, "Thank you, we'll inform NGG about this."
2015-09-04 – Same vulnerability again discovered in NextGen Gallery 2.1.10 version.
2015-09-04 – Reported to plugins@wordpress.org
2015-09-09 – Same vulnerability found & still exists in NextGen Gallery 2.1.15 version.
2015-09-14 – Reported the multiple XSS in version 2.1.15 directly to the Photocrati vendor. Also reminded the developer on the following dates: 27-10-2015, 02-11-2015 & 12-11-2015, with no response as of 25-11-2015.


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
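The report above describes a stored XSS where an admin-supplied alt text or path value is saved verbatim and later echoed inside an HTML attribute, so a value starting with `')">` closes the attribute and tag and the remainder is parsed as markup. The snippet below is an added illustration, not NextGEN Gallery's own code: it places the vulnerable rendering pattern beside the hardened one. The function names (`render_image_vulnerable`, `render_image_hardened`, `esc_attr_plain`, `contains_script_tag`) and the sample path are assumptions; the WordPress helper for this context is `esc_attr()`, which is approximated here with `htmlspecialchars()` so the file runs under stock PHP without WordPress loaded.

```php
<?php
// Added example (not the plugin's code). Shows why an unescaped attribute
// value executes, and the attribute-context escaping that prevents it.
// Function names and the sample path are hypothetical.

// Constructed sample value shaped like the payload quoted in the report.
const SAMPLE_ALTTEXT = "')\"></script><script>alert(document.cookie);</script>";
const SAMPLE_PATH    = '/wp-content/gallery/sample.jpg';

// Vulnerable pattern: a stored, untrusted string is concatenated straight
// into the markup. The payload's quote and '>' terminate the attribute and
// the <img> tag, so the trailing <script> becomes a real element.
function render_image_vulnerable(string $alttext, string $path): string {
    return '<img src="' . $path . '" alt="' . $alttext . '">';
}

// Attribute-context escaping. ENT_QUOTES encodes both " and ' so the value
// can never terminate a double- or single-quoted attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string (which would
// silently drop the value). In WordPress, esc_attr() does this job.
function esc_attr_plain(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every untrusted value is escaped at the point of output,
// regardless of what capability (unfiltered_html or not) the saving user had.
function render_image_hardened(string $alttext, string $path): string {
    return '<img src="' . esc_attr_plain($path)
         . '" alt="' . esc_attr_plain($alttext) . '">';
}

// Reviewer check: a template that contains no <script> of its own should
// never yield one after user data is merged in.
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$vuln = render_image_vulnerable(SAMPLE_ALTTEXT, SAMPLE_PATH);
$safe = render_image_hardened(SAMPLE_ALTTEXT, SAMPLE_PATH);

echo "vulnerable: {$vuln}\n";
echo "hardened:   {$safe}\n";
echo 'script tag survives (vulnerable): ' . var_export(contains_script_tag($vuln), true) . "\n";
echo 'script tag survives (hardened):   ' . var_export(contains_script_tag($safe), true) . "\n";
```

Run it with `php` from the command line. The hardened line keeps the entire payload inside the alt attribute as inert text, which is the behaviour the report's `DISALLOW_UNFILTERED_HTML` note is checking for: removing the unfiltered_html capability governs what WordPress core filters on save, but a plugin that echoes its own stored fields must still escape them on output.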

@cybersecurityworks cybersecurityworks changed the title XSS in NextGEN Gallery by Photocrati Version 2.1.15 Multiple Cross site Scripting (XSS) in NextGEN Gallery by Photocrati Version 2.1.15 Nov 25, 2015