
any eta on xss fix #149

Open
anantshri opened this Issue May 5, 2015 · 6 comments

@anantshri

Someone reported a DOM XSS vector in 07-2014
http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

I can see evidence of this issue being exploited in the wild. Can you suggest when a fix would be ready?

Created a public issue because the disclosure was long back, but still a lot of people are using this library and all of them are susceptible to this attack.

ethicalhack3r May 5, 2015

The blog post says "La vulnerabilidad fue reportada al autor y arreglada al día siguiente"

Translation: The vulnerability was reported to the author and fixed the day after

I wonder who he reported it to and who fixed what? This repo hasn't been updated since '13 and his blog post is from July '14.

I thought maybe he was talking about the WordPress prettyphoto plugin - https://wordpress.org/plugins/prettyphoto/ - but that hasn't been updated since '13 either. The current version, 1.1, has prettyphoto version 3.1.4 so the plugin is probably vulnerable too.


ethicalhack3r May 5, 2015

Confirmed the WordPress plugin is vulnerable. I will contact the author.


cezarpopa May 6, 2015

The only fix I see regarding this XSS vulnerability is on this repo
https://github.com/Duncaen/prettyphoto/blob/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc/js/jquery.prettyPhoto.js
Tested it and it seemed to be OK.


scaron (Owner) May 6, 2015

I'll review and try to update the plugin tonight.


anantshri May 6, 2015

Cool, good to see some progress on this one. Now once the patch is in the repository we are left with updating/informing the dependent software of the new release.

@scaron would it be possible for you to mark the new release as a security fix and add a note stating that people are requested to update to the new version ASAP?

-Anant


anantshri May 21, 2015

jsDelivr is still serving old files and is looking for someone to make a pull request. Can the author please make a pull request to get 3.1.6 into the jsDelivr repository? Refer: jsdelivr/jsdelivr#4878

Edit: Looks like it's updated, so no need for a pull request.

