Tuesday 18 December 2012

[EN] WP Easy Gallery 2.6 XSS'ed - updated

Multiple XSS vulnerabilities found in latest WP Easy Gallery:

XSS is possible because parameter "galleryName" is not filtered.
User can add JS/HTML as a 'Gallery Name', so exploitation is possible.

As you can see below, 'galleryDescription' is also vulnerable.

If you want to check which one parameter is vulnerable here too, type at console:

<code>
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$ grep -n echo add-gallery.php | grep php | grep -e "\\$"

(...)
75: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
80: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
85: <td><input id="upload_image" type="text" size="36" name="upload_image" value="<?php echo $imagepath; ?>" />
91: <td><input type="text" size="10" name="gallerythumbwidth" value="<?php echo $thumbwidth; ?>" /></td>
96: <td><input type="text" size="10" name="gallerythumbheight" value="<?php echo $thumbheight; ?>" /></td>

(...)
 kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$
</code>
------------------------------------

Update:
Also parameter "select_gallery" is vulnerable to this attack.

Update : 27.12.2012:

galleryName, galleryDescription, upload_image, gallerythumbwidth, gallerythumbheight
parameters are not filtered after users input.

Payload to reproduce this vulnerability:
']"/><body onload=alert(/boom/)>



No comments:

Post a Comment

What do You think...?