Securin Zero-Days
CVE-2015-9229 - Reflected Cross-Site Scripting in NextGEN Gallery
Description
Multiple Cross-Site Scripting (XSS) vulnerability was identified on the WordPress plugin Gravity Forms before 2.1.15 in the nggallery-manage-gallery page.
Proof of Concept (POC):
Visit the following page on a site with this plugin installed.
http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 and modify the value of images[1][alttext] and path variable in NextGEN Gallery Photocrati Version 2.1.10 with ’)”></script><script>alert(document.cookie);</script> payload and save it to view further. Now, the added XSS payload is executed whenever the user reviews it.
Note: XSS payload was tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.
Define (‘DISALLOW_UNFILTERED_HTML’, true);
POST request parameter images[1][alttext] variable in the given URL http://localhost/wordpress/wpadmin/admin.php?page=nggallerymanagegallery&mode=edit&gid=1&paged=1 of NextGEN Gallery Plugin version 2.1.10 is vulnerable to Cross-Site Scripting (XSS).
Figure 01: [alttext]variable in the given URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1
Figure 02: XSS Payload gets executed in the browser whenever the user views it.
03: XSS Payload injected to pathvariable in the given URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=3&paged=1
Figure 04: XSS Payload gets executed in the browser whenever the user views it.
Impact
An XSS vulnerability allows an attacker to inject malicious code into the applications via the images [1] [alttext] parameter.
Remediations
Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.
Timeline
