oss-sec mailing list archives
CVE Request - Full Path disclosure on Wordpress plugin NextGEN Gallery
From: Henrique Montenegro <typoon () gmail com>
Date: Thu, 14 Feb 2013 08:37:29 -0200
Good morning,

I have found an issue with a full-path disclosure in NextGEN Gallery 1.9.10 and 1.9.11 for WordPress, a plugin with 6+ million downloads.

This issue would let a user obtain information about paths he/she is not supposed to know on the server. This does not depend on PHP's display_errors being set to ON, as the information is disclosed by an XML/JSON that is generated by the plugin code.

PoC:
http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=json&method=gallery&id=1
http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=xml&method=recent&limit=1

Plugin page at WordPress:
http://wordpress.org/extend/plugins/nextgen-gallery/

I have informed the WordPress team of this issue on February 8th, but no response has been given about it.

Regards,
Henrique
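Added example, not part of the original message or the plugin's code: a regression check that a site owner or plugin maintainer could run over their own JSON/XML API responses to flag absolute filesystem paths, the kind of leak described above that occurs regardless of display_errors. The sample responses, field names, path-prefix list and JSONP handling are constructed assumptions, not the plugin's real output.

```python
import json
import re
import xml.etree.ElementTree as ET

# Heuristic: a value that starts (or continues after a quote/space/=) with a
# typical Unix web root or a Windows drive path. The prefix list is an assumption.
ABS_PATH = re.compile(
    r"""(?:^|[\s"'=])((?:/(?:var|home|srv|usr|opt|www)/|[A-Za-z]:\\)[^\s"'<>]+)""")
# Tolerate a JSONP wrapper such as cb({...}); assumed, not confirmed by the page.
JSONP = re.compile(r"^\s*[\w.$]+\((.*)\)\s*;?\s*$", re.S)

def _json_strings(node, where="$"):
    """Yield (location, string) for every string value in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _json_strings(value, f"{where}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _json_strings(value, f"{where}[{i}]")
    elif isinstance(node, str):
        yield where, node

def _xml_strings(elem, where=""):
    """Yield (location, string) for element text and attributes."""
    here = f"{where}/{elem.tag}"
    if elem.text and elem.text.strip():
        yield here, elem.text.strip()
    for name, value in elem.attrib.items():
        yield f"{here}@{name}", value
    for child in elem:
        yield from _xml_strings(child, here)

def find_path_leaks(body, fmt):
    """Return [(location, leaked_path)] for one serialized API response."""
    if fmt == "json":
        wrapped = JSONP.match(body)
        strings = _json_strings(json.loads(wrapped.group(1) if wrapped else body))
    else:  # responses from your own site under test, so stdlib XML parsing is fine
        strings = _xml_strings(ET.fromstring(body))
    return [(loc, m.group(1)) for loc, text in strings
            if (m := ABS_PATH.search(text))]

# Constructed sample responses (hypothetical field names).
SAMPLE_JSON = ('{"stat": "ok", "images": [{"pid": "1", '
               '"imageURL": "http://example.test/wp-content/gallery/a/1.jpg", '
               '"imagePath": "/var/www/html/wp-content/gallery/a/1.jpg"}]}')
SAMPLE_XML = ('<rsp stat="ok"><image id="1">'
              '<path>/home/site/public_html/wp-content/gallery/a/1.jpg</path></image></rsp>')

if __name__ == "__main__":
    for fmt, body in (("json", SAMPLE_JSON), ("xml", SAMPLE_XML)):
        print(fmt, find_path_leaks(body, fmt))
```
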