Securin Zero-Days

CVE-2015-9537 - Multiple Cross Site Scripting in NextGen Gallery

Description

Multiple XSS vulnerabilities was identified on the WordPress NextGen Gallery plugin before 2.1.10, involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template.

Proof of Concept (POC):

Visit the following page on a site with the plugin installed. http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 and modify the value of path variable in NextGEN Gallery Photocrati Version 2.1.10 with’></script><script>alert(document.cookie);</script> payload and save it to view further. Now, the added XSS payload is executed whenever the user reviews it.

Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file

Figure 01: HTTP Request & response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]

Figure 02: HTTP Request & response for the vulnerable variable thumbnail_settings[thumbwidth]

Figure 03: XSS response executed in the browser

Impact

An attacker can inject malicious code into the scope of vulnerable variables to a managed gallery page by providing XSS payload as a value.

Remediations

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Timeline

Aug 31, 2015

Discovered in NextGen Gallery 2.1.7 version.

Aug 31, 2015

Reported to WP Plugin.

Sep 01, 2015

Fixed in 2.1.10 version of NextGen Gallery.

Securin Zero-Days

Let Securin level up your security posture!

Resources

Company