Credit:
The information has been provided by Alejandro Rodriguez.
The original article can be found at: http://www.coresecurity.com/content/nextgen-gallery-xss-vulnerability
Vulnerable Systems:
* NextGEN Gallery 1.5.0
* NextGEN Gallery 1.5.1
Immune Systems:
* NextGEN Gallery 1.5.2
This vulnerability exists because the mode parameter of the media-rss.php script is not correctly escaped before it is reflected into the feed output, which allows HTML code injection. It is worth noting that the plugin sets a safe Content-Type header, but this is not enough to prevent script execution, because some browsers (most notably Microsoft Internet Explorer) decide the content type by sniffing the body the web server returns instead of obeying the header.
This vulnerability can be triggered on any WordPress installation with the NextGEN Gallery plugin installed by visiting the following URL in a browser with this sniffing behaviour. If using IE 8, the XSS Filter must be turned off.
http://localhost/wordpress/wp-content/plugins/nextgen-gallery/xml/media-rss.php?mode=%3Cscript%3Ealert(1)%3C/script%3E
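The following is an added example written for this page; it is not code from NextGEN Gallery or from the advisory. It is a minimal stand-in for a media-rss.php-style handler that shows the vulnerable pattern described above (raw reflection of the mode parameter into an RSS body under a correct Content-Type) beside a hardened version. The function names, the list of accepted mode values and the feed layout are illustrative assumptions; the X-Content-Type-Options: nosniff header is an extra server-side mitigation against the browser sniffing behaviour described in the text, not something the advisory itself recommends.

```php
<?php
// Added example, not code from NextGEN Gallery: a minimal stand-in for the
// media-rss.php handler showing the vulnerable pattern the advisory describes
// next to a hardened version. Function names, the mode list and the feed
// layout are illustrative assumptions, not the plugin's real code.

// Vulnerable pattern: the raw ?mode= value is interpolated into the RSS body.
// The Content-Type header is correct, but a sniffing browser (IE) can still
// decide the body is HTML and run the injected <script>.
function build_feed_vulnerable(array $get): array
{
    $mode = isset($get['mode']) ? (string) $get['mode'] : 'main';
    $body = '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
          . '<rss version="2.0"><channel>' . "\n"
          . '<title>NextGEN Gallery feed (' . $mode . ')</title>' . "\n"
          . '</channel></rss>' . "\n";
    return [
        'headers' => ['Content-Type' => 'application/rss+xml; charset=UTF-8'],
        'body'    => $body,
    ];
}

// Hardened pattern:
//  1. Accept only the small set of mode names the script really supports.
//  2. Escape the reflected value anyway with htmlspecialchars() (defence in depth;
//     it escapes < > & " ' which is also correct for XML text content).
//  3. Send X-Content-Type-Options: nosniff so browsers that honour it cannot
//     reinterpret the response as HTML (an added mitigation; the advisory only
//     recommends upgrading the plugin).
function build_feed_hardened(array $get): array
{
    $allowed = ['main', 'gallery', 'album'];        // assumed mode names
    $mode = 'main';
    if (isset($get['mode']) && in_array($get['mode'], $allowed, true)) {
        $mode = $get['mode'];
    }
    $safe_mode = htmlspecialchars($mode, ENT_QUOTES, 'UTF-8');
    $body = '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
          . '<rss version="2.0"><channel>' . "\n"
          . '<title>NextGEN Gallery feed (' . $safe_mode . ')</title>' . "\n"
          . '</channel></rss>' . "\n";
    return [
        'headers' => [
            'Content-Type'           => 'application/rss+xml; charset=UTF-8',
            'X-Content-Type-Options' => 'nosniff',
        ],
        'body' => $body,
    ];
}

if (PHP_SAPI === 'cli') {
    // Offline check with the advisory's payload (constructed input, no server needed).
    $payload = ['mode' => '<script>alert(1)</script>'];
    $vuln = build_feed_vulnerable($payload);
    $hard = build_feed_hardened($payload);
    printf("vulnerable body reflects raw script tag: %s\n",
        strpos($vuln['body'], '<script>') !== false ? 'yes' : 'no');
    printf("hardened body reflects raw script tag:   %s\n",
        strpos($hard['body'], '<script>') !== false ? 'yes' : 'no');
    printf("hardened response sends nosniff:         %s\n",
        isset($hard['headers']['X-Content-Type-Options']) ? 'yes' : 'no');
} else {
    // Serving mode: emit headers first, then the feed.
    $response = build_feed_hardened($_GET);
    foreach ($response['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    echo $response['body'];
}
```

Run it from the command line (php media-rss-example.php) to see the vulnerable body carry the raw script tag while the hardened body does not. The allowlist is the real fix: once only known mode names are accepted, the escaping and the nosniff header are defence in depth for the case where a future code path reflects attacker-controlled text again.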
Workaround:
On the server side, upgrade to a non-vulnerable version (1.5.2). On the client side, use a browser that obeys the Content-Type header sent by the server, such as Mozilla Firefox, Google Chrome, Apple Safari or Opera. Internet Explorer 8 with the XSS Filter enabled will not execute the injected script.
CVE Information:
CVE-2010-1186
Disclosure Timeline:
2010-04-06: Date published
2010-03-25: Date of last update