WordPress Product Bugs Report
Bug Name: XSS (Cross-Site Scripting)
Software: NextGen Gallery
Version: 2.1.7
Last Updated: 12-08-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Compatible up to WordPress 4.3.0 (requires 3.6.1 or higher)
Severity: High
Description: Multiple XSS vulnerabilities in the WordPress plugin NextGen Gallery
Figure 2: HTTP Request & response for the vulnerable variable thumbnail_settings[thumbwidth]
Figure 3: XSS response executed in browser
Reproducing Steps
1) Log in to any WordPress application (localhost or public host).
2) Modify the above-mentioned variables in NextGEN Gallery Photocrati version 2.1.7 (the recently updated version).
3) Fill all the variables with the "><img src=x onerror=prompt(1)> payload and save it to view further.
4) The added XSS payload will now be executed whenever we review it.
Timeline
31-08-2015 – Discovered in NextGen Gallery version 2.1.7
31-08-2015 – Reported to WP Plugin
01-09-2015 – Fixed in NextGen Gallery version 2.1.10
Hello, we're investigating the issue reports in security. Since we observed that this issue may relate to a potential vulnerability, has it been disclosed in CVE already? Hope to receive your reply.
Details
Proof of concept (PoC)
Visit the following page on a site with this plugin installed: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1. Modify the value of the path variable in NextGEN Gallery Photocrati version 2.1.10 with the '> payload and save it to view further.
The added XSS payload will now be executed whenever the user reviews it.
Note: the XSS payload was tried against the application once, after the Unfiltered HTML setting had been implemented as defined in the wp-config.php file.
Issue 1
Vulnerable URL: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_display_settings
Request: POST
Vulnerable variable list:
• photocrati-nextgen_basic_thumbnails[thumbnail_width]
• photocrati-nextgen_basic_thumbnails[thumbnail_height]
• photocrati-nextgen_basic_thumbnails[template]
• photocrati-nextgen_basic_imagebrowser[template]
• photocrati-nextgen_basic_singlepic[template]
• photocrati-nextgen_basic_compact_album[template]
• photocrati-nextgen_basic_compact_album[thumbnail_width]
• photocrati-nextgen_basic_compact_album[thumbnail_height]
• photocrati-nextgen_basic_extended_album[template]
• photocrati-nextgen_basic_extended_album[thumbnail_width]
• photocrati-nextgen_basic_extended_album[thumbnail_height]
Figure 1: HTTP Request & response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]
Issue 2
Vulnerable URL: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_other_options
Request: POST
Vulnerable variable list:
• thumbnail_settings[thumbwidth]
• thumbnail_settings[thumbheight]
• watermark_options[wmXpos]
• watermark_options[wmYpos]
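A constructed PHP illustration, added here and not NextGEN Gallery's own code, of the pattern behind Issue 2: a numeric setting such as thumbnail_settings[thumbwidth] is saved from the POST body and echoed back into the settings form unescaped, shown next to a version that validates on save and escapes on output. The function names and the sample POST body are assumptions; the WordPress equivalents named in the comments (absint, esc_attr) are what a plugin would normally call.

```php
<?php
// Constructed illustration: stored XSS through a settings field, and the fix.
// Sample POST body, built to mirror the field names listed under Issue 2.
$post = [
    'thumbnail_settings' => [
        'thumbwidth'  => '"><img src=x onerror=prompt(1)>',
        'thumbheight' => '100',
    ],
];

// Vulnerable pattern: the raw string is stored and written straight into an
// attribute. The payload's leading double quote closes value="...", so the
// <img> that follows becomes live markup when the settings page is rendered.
function render_vulnerable(array $settings): string {
    $w = $settings['thumbnail_settings']['thumbwidth'];
    return '<input name="thumbnail_settings[thumbwidth]" value="' . $w . '">';
}

// Hardened pattern, step 1: a width or height is a non-negative integer, so
// anything else is rejected at save time (a WordPress plugin would use absint()).
function sanitize_thumbnail_settings(array $settings): array {
    $clean = ['thumbnail_settings' => []];
    foreach (['thumbwidth', 'thumbheight'] as $key) {
        $raw = $settings['thumbnail_settings'][$key] ?? '';
        $int = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        // Strict check: "100" is accepted, the payload string falls back to 0.
        $clean['thumbnail_settings'][$key] = ($int === false) ? 0 : $int;
    }
    return $clean;
}

// Hardened pattern, step 2: escape on output regardless of what was stored
// (WordPress: esc_attr()). Either step alone defeats this payload; do both,
// because the stored value may also be read by other code paths.
function render_hardened(array $settings): string {
    $w = htmlspecialchars((string) $settings['thumbnail_settings']['thumbwidth'], ENT_QUOTES, 'UTF-8');
    return '<input name="thumbnail_settings[thumbwidth]" value="' . $w . '">';
}

echo render_vulnerable($post), PHP_EOL;
echo render_hardened(sanitize_thumbnail_settings($post)), PHP_EOL;
echo render_hardened($post), PHP_EOL; // escaping alone, with the raw value
```

For the template fields in Issue 1, which are strings rather than numbers, the save-time check would instead be a whitelist of known template names, with the same escaping on output.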
Discovered by: Sathish from Cyber Security Works Pvt Ltd