oss-sec mailing list archives

Re: CVE Request - Full Path disclosure on Wordpress plugin NextGEN Gallery


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 14 Feb 2013 22:09:30 -0700


On 02/14/2013 03:37 AM, Henrique Montenegro wrote:
> Good morning,
>
> I have found an issue with a full-path disclosure in the NextGEN
> Gallery 1.9.10 and 1.9.11 for WordPress, a plugin with 6+ million
> downloads. This issue would let a user obtain information about
> paths he/she is not supposed to know on the server. This does not
> depend on PHP's display_errors being set to ON, as the information
> is disclosed by XML/JSON that is generated by the plugin code.
>
> PoC:
>
> http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=json&method=gallery&id=1
>
> http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=xml&method=recent&limit=1
>
> Plugin page at WordPress:
> http://wordpress.org/extend/plugins/nextgen-gallery/
>
> I informed the WordPress team of this issue on February 8th,
> but no response has been given about it.
>
> Regards,
>
> Henrique

Please use CVE-2013-0291 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
