Tuesday 18 December 2012

[EN] ReFlex Gallery 1.3 - Persistent XSS

ReFlex Gallery 1.3 - Multiple persistent XSS:
http://wordpress.org/extend/plugins/reflex-gallery/

'Enter Gallery Name' and 'Enter Gallery Description' are vulnerable to XSS.

Try to filter inputs from users in add-gallery.php:
<code>
43:    <p><input type="text" name="galleryCode" value="[ReflexGallery id='<?php echo $this->reflexdb->getNewGalleryId(); ?>']" size="40" /></p></div>
70:                <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
75:                <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
</code>

To patch it, just add htmentities(). Like this:

<code>

kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$ grep htmlentities -n add-gallery.php
70:  <td><input type="text" size="30" name="galleryName" value="<?php echo htmlentities($galleryName); ?>" /></td>
75:  <td><input type="text" size="50" name="galleryDescription" value="<?php echo htmlentities($galleryDescription); ?>" /></td>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$

</code>


:)

No comments:

Post a Comment

What do You think...?