ReFlex Gallery 1.3 - Multiple persistent XSS:
http://wordpress.org/extend/plugins/reflex-gallery/
'Enter Gallery Name' and 'Enter Gallery Description' are vulnerable to XSS.
The user-supplied values are echoed back unfiltered in add-gallery.php:
<code>
43: <p><input type="text" name="galleryCode" value="[ReflexGallery id='<?php echo $this->reflexdb->getNewGalleryId(); ?>']" size="40" /></p></div>
70: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
75: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
</code>
To patch it, wrap the echoed values in htmlentities(). Like this:
<code>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$ grep htmlentities -n add-gallery.php
70: <td><input type="text" size="30" name="galleryName" value="<?php echo htmlentities($galleryName); ?>" /></td>
75: <td><input type="text" size="50" name="galleryDescription" value="<?php echo htmlentities($galleryDescription); ?>" /></td>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$
</code>
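An added illustration of the patch above, not the plugin's own code: the two admin fields are rendered once the way lines 70 and 75 originally did it and once through htmlentities(), on a constructed gallery name containing quotes and angle brackets. The function names and the sample value are assumptions for this example.

```php
<?php
// Added example (not ReFlex Gallery code): shows why the unescaped echo in
// add-gallery.php breaks the value="" attribute and how htmlentities() fixes it.

// Unescaped rendering, mirroring the original lines 70 and 75.
function render_field_unsafe(string $name, int $size, string $value): string
{
    return '<td><input type="text" size="' . $size . '" name="' . $name
         . '" value="' . $value . '" /></td>';
}

// Escaped rendering. ENT_QUOTES is passed explicitly: before PHP 8.1 the
// default was ENT_COMPAT, which leaves single quotes untouched, and
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into "".
// Inside WordPress, esc_attr() is the idiomatic equivalent.
function render_field_safe(string $name, int $size, string $value): string
{
    $escaped = htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td><input type="text" size="' . $size . '" name="' . $name
         . '" value="' . $escaped . '" /></td>';
}

// Pulls the value attribute back out of the rendered tag. Returns null when
// the attribute boundary was broken, which is the failure mode of the
// unpatched plugin: a stray double quote in the input closes the attribute.
function extract_value(string $html): ?string
{
    if (!preg_match('/value="([^"]*)" \/><\/td>$/', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, not real data: quotes and brackets are enough
// to show the attribute being terminated early.
$sample = 'My "Summer" <gallery>';

foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $fn) {
    foreach ([['galleryName', 30], ['galleryDescription', 50]] as [$name, $size]) {
        $html = $fn($name, $size, $sample);
        $back = extract_value($html);
        printf("%-6s %s\n", $label, $html);
        printf("       round-trip: %s\n", $back === $sample ? 'ok' : 'attribute broken');
    }
}
```

Running it with php-cli prints "attribute broken" for the unsafe renderer and "ok" for the escaped one, and the decoded attribute value equals the original input only in the escaped case.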
:)