Multiple XSS vulnerabilities found in latest WP Easy Gallery:
XSS is possible because parameter "galleryName" is not filtered.
A user can submit JS/HTML as the 'Gallery Name', so exploitation is possible.
As you can see below, 'galleryDescription' is also vulnerable.
To check which other parameters are vulnerable here, run this at the console:
<code>
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$ grep -n echo add-gallery.php | grep php | grep -e "\\$"
(...)
75: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
80: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
85: <td><input id="upload_image" type="text" size="36" name="upload_image" value="<?php echo $imagepath; ?>" />
91: <td><input type="text" size="10" name="gallerythumbwidth" value="<?php echo $thumbwidth; ?>" /></td>
96: <td><input type="text" size="10" name="gallerythumbheight" value="<?php echo $thumbheight; ?>" /></td>
(...)
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$
</code>
------------------------------------
Update:
The "select_gallery" parameter is also vulnerable to this attack.
Update (27.12.2012):
The galleryName, galleryDescription, upload_image, gallerythumbwidth and gallerythumbheight
parameters are not filtered on user input.
Payload to reproduce this vulnerability:
']"/><body onload=alert(/boom/)>
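The fix for the unescaped echo calls shown in the grep output above, as an added example that is not the plugin's code: the vulnerable attribute-rendering pattern beside a hardened one that escapes on output with WordPress's esc_attr() (emulated with htmlspecialchars() so the script also runs outside WordPress). The function names render_field_vulnerable and render_field_hardened are assumed for illustration.

```php
<?php
// Added example, not WP Easy Gallery's code. Shows the unescaped
// `value="<?php echo $galleryName; ?>"` pattern beside a hardened version.
// Outside WordPress, esc_attr() is emulated with htmlspecialchars() so the
// script runs stand-alone with the PHP CLI.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable: the submitted value is echoed straight into an attribute,
// so a quote in the input closes the attribute and the tag.
function render_field_vulnerable($name, $value) {
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: every attribute value is escaped on output. In a real handler
// the POSTed value would also be cleaned with sanitize_text_field() before
// it is stored, but output escaping is what stops the injection here.
function render_field_hardened($name, $value) {
    return '<input type="text" name="' . esc_attr($name)
         . '" value="' . esc_attr($value) . '" />';
}

// The payload quoted in the advisory, as the submitted galleryName value.
$payload = '\']"/><body onload=alert(/boom/)>';

echo "Vulnerable markup (attribute and tag are broken out of):\n";
echo render_field_vulnerable('galleryName', $payload), "\n\n";
echo "Hardened markup (payload stays inside the attribute as text):\n";
echo render_field_hardened('galleryName', $payload), "\n";
```

The same esc_attr() wrapping applies to the galleryDescription, upload_image, gallerythumbwidth and gallerythumbheight echoes listed above.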