oss-sec mailing list archives
Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin
From: cve-assign () mitre org
Date: Sun, 4 May 2014 23:31:39 -0400 (EDT)
> XSS in NextCellent Gallery 1.9.13 WordPress plugin
>
> Vulnerability Fixed: 4/24/2014 in Nextcellent Gallery v1.19.18.
> http://wordpress.org/plugins/nextcellent-gallery-nextgen-legacy/changelog/
> http://www.vapid.dhs.org/advisories/wordpress/plugins/nextCellent-gallery-1.9.13/

Comparing the http://openwall.com/lists/oss-security/2014/02/20/12 post to the
http://openwall.com/lists/oss-security/2014/04/27/1 post, the former says:

  "If a user with permission to add media or edit media uploads a file with
  "<script>alert(1)</script>" as the title they can XSS the site admin user."

The latter does not describe how the attack crosses privilege boundaries.

add_image seems to be protected by:

    // Check if you have the correct capability for upload
    if ( !current_user_can('NextGEN Upload images') ) {
        logIO('O', '(NGG) User does not have upload_files capability');
        $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
        return $this->error;
    }

update_image seems to be protected by:

    if ( !current_user_can( 'NextGEN Manage gallery' ) && !nggAdmin::can_manage_this_gallery($image->author) )
        return new IXR_Error( 401, __( 'Sorry, you must be able to edit this image' ) );

These functions make use of the $alttext and $description values. So, apparently
any user with the "NextGEN Upload images" or "NextGEN Manage gallery" or
"NextGEN Manage others gallery" capability can conduct an XSS attack against a
user with the Administrator role, in order to gain privileges.

Use CVE-2014-3123.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
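The privilege crossing described in the message above is a stored XSS: fields an uploader controls (the image title/alt text and description) are later rendered in a page an administrator views. The following is an added illustration, not code from the plugin or the thread; the record layout and the two render functions are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr()/esc_html() so it runs outside WordPress.

```php
<?php
// Added example (not plugin code): stored-XSS defence for image metadata
// that a low-privilege uploader controls and an administrator later views.
// Field names alttext/description follow the advisory; the array layout is
// a constructed stand-in for the plugin's image record.
$image = [
    'pid'         => 42,
    'filename'    => 'photo.jpg',
    'alttext'     => '<script>alert(1)</script>',   // title/alt text from the advisory
    'description' => 'Holiday <b>pics</b>',
];

// Vulnerable pattern: uploader-controlled fields echoed verbatim into the
// admin gallery table, so the admin's browser executes whatever was stored.
function render_image_row_vulnerable(array $img): string {
    return "<tr><td>{$img['pid']}</td>"
         . "<td><img src=\"{$img['filename']}\" alt=\"{$img['alttext']}\"></td>"
         . "<td>{$img['description']}</td></tr>";
}

// Hardened pattern: escape for the exact output context. Inside WordPress
// use esc_attr() for attribute values and esc_html() for element text;
// htmlspecialchars() is used here so the script runs stand-alone.
function esc_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_image_row_safe(array $img): string {
    return '<tr><td>' . (int) $img['pid'] . '</td>'
         . '<td><img src="' . esc_ctx($img['filename']) . '" alt="' . esc_ctx($img['alttext']) . '"></td>'
         . '<td>' . esc_ctx($img['description']) . '</td></tr>';
}

$unsafe = render_image_row_vulnerable($image);
$safe   = render_image_row_safe($image);

// The vulnerable row carries a live <script> element; the safe row carries
// only inert text. Capability checks on add/update do not change this,
// because the stored value is still trusted at render time.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
echo $safe, PHP_EOL;
```

The point for the fix is that the capability checks quoted in the message gate who may store the values, while the XSS is decided by how the stored $alttext and $description are escaped when the administrator's page is rendered.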
Current thread:
- XSS in NextCellent Gallery 1.9.13 WordPress plugin Larry W. Cashdollar (Apr 27)
- Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin Larry W. Cashdollar (Apr 30)
- Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin cve-assign (May 04)
- Re: XSS in NextCellent Gallery 1.9.13 WordPress plugin Larry W. Cashdollar (May 05)