XSS Vulnerability in NextGEN Gallery Wordpress Plugin
Advisory Information
Title: XSS Vulnerability in NextGEN Gallery Wordpress Plugin
Advisory Id: CORE-2010-0323
Advisory URL:
http://www.coresecurity.com/content/nextgen-gallery-xss-vulnerability
Date published: 2010-04-06
Date of last update: 2010-03-25
Vendors contacted: Alex Rabe
Release mode: Coordinated release
Vulnerability Information
Class: Cross site scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-1186
Vulnerability Description
An XSS[1] vulnerability has been discovered in NextGEN Gallery[2], a
very popular plugin for the Wordpress content management system, which
is commonly used as a blogging platform. The vulnerability results from
reflected, unsanitized input: a malicious user can craft an attack by
manipulating the 'mode' parameter of the 'xml/media-rss.php' script.
Vulnerable packages
. NextGEN Gallery 1.5.0
. NextGEN Gallery 1.5.1
. Older versions are probably affected too, but they were not checked.
Non-vulnerable packages
. NextGEN Gallery 1.5.2
Solutions and Workarounds
On the server side, you can upgrade to a non-vulnerable version. On the
client, you can use a browser that obeys the Content-Type header
specified by the server, such as Mozilla Firefox, Google Chrome, Apple
Safari or Opera. Internet Explorer 8 with the XSS Filter enabled won't
execute the malicious scripts.
Credits
This vulnerability was discovered and researched by Alejandro
Rodriguez, from Core Security Technologies, during Core Bugweek 2009
as a member of the "Los Herederos de Don Pablo (HDP)" team.
Technical Description / Proof of Concept Code
This vulnerability is triggered because the 'mode' parameter of the
'media-rss.php' script is not correctly escaped to avoid HTML code
injection:
/-----
$mode = $_GET["mode"];
-----/
This parameter is reflected back to the user if no valid 'mode' is
selected:
/-----
} else {
 header('content-type:text/plain;charset=utf-8');
 echo sprintf(__("Invalid MediaRSS command (%s).","nggallery"), $mode);
 exit;
}
-----/
It is worth noting that the 'Content-Type' is chosen safely by the
plugin, but this is not enough to avoid code injection, because some
browsers (most notably Microsoft Internet Explorer) choose the content
type by parsing the content the web server returns instead of obeying
the header it sends.
This vulnerability can be triggered on any Wordpress installation with
the NextGEN Gallery extension installed by visiting the following URL
in a browser with this issue. If using IE 8, the XSS Filter must be
turned off.
/-----
http://localhost/wordpress/wp-content/plugins/nextgen-gallery/xml/media-rss.php?mode=%3Cscript%3Ealert(1)%3C/script%3E
-----/
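The following is an added illustration, not code from NextGEN Gallery or from the advisory authors: the reflected error branch described above, beside a hardened version of the same branch that allowlists 'mode', escapes what it echoes and sets a nosniff header so that content-sniffing browsers cannot reinterpret the text/plain reply. The mode names and function names are assumptions; the WordPress __() translation wrapper is left out so the file runs from the PHP CLI on its own.

```php
<?php
// Added example (not the plugin's own code). Demonstrates why the safe
// Content-Type alone was insufficient and what a fixed branch looks like.

// Vulnerable pattern from the advisory: the raw value is reflected.
// The plugin sends content-type:text/plain, but a sniffing browser sees
// "<script>" in the body and renders it as HTML anyway.
function media_rss_error_vulnerable(string $mode): string
{
    return sprintf("Invalid MediaRSS command (%s).", $mode);
}

// Hardened branch: three independent layers, each of which blocks the PoC.
// $headers stands in for the header() calls so the result can be inspected.
function media_rss_error_hardened(string $mode, array &$headers): string
{
    // 1. Keep the safe Content-Type and add nosniff, which tells browsers
    //    that honour it (IE8 and later, Chrome, Firefox) not to override
    //    text/plain by inspecting the body.
    $headers['Content-Type'] = 'text/plain; charset=utf-8';
    $headers['X-Content-Type-Options'] = 'nosniff';

    // 2. Never reflect the raw value: truncate it and turn < > & " ' into
    //    entities. Inside WordPress, esc_html() serves the same purpose.
    $shown = htmlspecialchars(substr($mode, 0, 32), ENT_QUOTES, 'UTF-8');
    return sprintf("Invalid MediaRSS command (%s).", $shown);
}

// Dispatcher: 3. allowlist the parameter before any branch touches it.
// The mode names below are assumed; the advisory does not list the real ones.
function media_rss_dispatch(array $get, array &$headers): string
{
    $allowed = ['gallery', 'album', 'tags'];
    $mode = isset($get['mode']) ? (string) $get['mode'] : '';

    if (in_array($mode, $allowed, true)) {
        // Only an allowlisted literal ever reaches the feed body.
        $headers['Content-Type'] = 'application/rss+xml; charset=utf-8';
        return "<rss><!-- feed for mode $mode --></rss>";
    }
    return media_rss_error_hardened($mode, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the decoded value from the advisory's PoC URL.
    $poc = ['mode' => '<script>alert(1)</script>'];

    echo "vulnerable: ", media_rss_error_vulnerable($poc['mode']), PHP_EOL;

    $headers = [];
    echo "hardened:   ", media_rss_dispatch($poc, $headers), PHP_EOL;
    foreach ($headers as $name => $value) {
        echo "  $name: $value", PHP_EOL;
    }
}
```

Running the script shows the hardened reply carrying `&lt;script&gt;` instead of a live tag, together with the two response headers; the vulnerable reply is printed unescaped for comparison.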
Report Timeline
. 2010-03-25:
Core Security Technologies notifies Alex Rabe of the vulnerability,
offering a draft for this advisory in plaintext or encrypted form (if
proper keys are sent). April 5th, 2010, is proposed as a release date.
. 2010-03-25:
Alex Rabe acknowledges Core Security Technologies's e-mail, and asks
for the advisory draft in plain text.
. 2010-03-25:
Core Security Technologies sends the advisory draft to Alex Rabe.
. 2010-03-25:
Alex Rabe acknowledges the vulnerability, confirms it for NextGEN
Gallery 1.5.0 and 1.5.1, and informs that 1.5.2 (due to be released on
March 26th) will contain a fix.
. 2010-03-26:
NextGEN Gallery 1.5.2 is released.
. 2010-04-06:
Advisory CORE-2010-0323 is published.
References
[1] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] http://wordpress.org/extend/plugins/nextgen-gallery/
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://www.coresecurity.com/corelabs.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at http://www.coresecurity.com.
Disclaimer
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.
PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
