
Grand Flagallery - Photo Gallery Plugin
[resolved] [Plugin: GRAND FlAGallery - Best Photo & Media Gallery] XSS-vulnerability (7 posts)

  1. henrisalo
    Member
    Posted 2 years ago #

    Original post: http://www.securityfocus.com/archive/1/520691

    What versions are affected? Is this a valid advisory? Has this issue been fixed in some version?

    "http://www.site.com/[path]/wp-content/plugins/flash-album-gallery/facebook.php?i=[xss]"

    I am unable to reproduce.

    http://wordpress.org/extend/plugins/flash-album-gallery/

  2. Rattus
    Member
    Plugin Author

    Posted 2 years ago #

    fixed in v1.57

  3. henrisalo
    Member
    Posted 2 years ago #

    So how did you verify this issue exists?

    SCM URL: http://plugins.svn.wordpress.org/flash-album-gallery/trunk/changelog.txt
    """
    GRAND FlAGallery
    by Sergey Pasyuk & CodEasily DEV Team

    = v1.57 - 01.12.2011 =
    * Bugfix: Error when update from very old version
    * Bugfix: xss vulnerability
    * Updated: 3D FlatWall, 3D Cube and Afflux skins compatibility with GRAND Pages

    = v1.56 - 23.11.2011 =
    """
    I really don't understand how this was fixed, or I did something wrong, as these commands don't give any information:

    diff flash-album-gallery-156/flagshow.php flash-album-gallery-trunk/flagshow.php (where 156 means 1.56)
    diff flash-album-gallery-155/flagshow.php flash-album-gallery-trunk/flagshow.php
    diff flash-album-gallery-155/lib/core.php flash-album-gallery-trunk/lib/core.php

  4. henrisalo
    Member
    Posted 2 years ago #

    Could you please tell me how this was fixed, as your changelog says it is fixed?

  5. henrisalo
    Member
    Posted 2 years ago #

    I solved this: http://wordpress.org/support/topic/plugin-grand-flagallery-best-photo-media-gallery-another-xss-vulnerability-report-flagshowphppid and let's move conversation here.

    1.5, 1.51 and 1.52 were tested with my friend (Seriffi) to be vulnerable for facebook.php. I don't know what mistake I made when I tested this.

    I still don't understand how this flagshow.php-issue was fixed.

  6. Rattus
    Member
    Plugin Author

    Posted 2 years ago #

    Here is the changelog for facebook.php: http://plugins.trac.wordpress.org/changeset/469785
    and the flagshow.php file is a false-positive report... anyway, I've changed it too: http://plugins.trac.wordpress.org/changeset/478702#file0
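The thread discusses a reflected XSS in a query parameter of `facebook.php?i=...` and how such a fix looks when reviewed via changelog or diff. The following is an added, generic illustration of that class of bug and its fix; it is not code from GRAND FlAGallery or from either Trac changeset, and the function names, the parameter `i` being free text, and the probe string are assumptions for the example.

```php
<?php
// Added example, not code from the plugin or its changesets.
// Shows the generic reflected-XSS pattern for a query parameter echoed
// into an HTML attribute, next to the hardened equivalent a reviewer
// would expect to see in a fix diff.

// Vulnerable pattern: the raw query value is concatenated into markup.
function render_unsafe(array $get): string {
    $i = $get['i'] ?? '';
    return '<input type="hidden" name="i" value="' . $i . '">';
}

// Hardened pattern: escape for the exact output context (HTML attribute).
// In WordPress plugin code the usual call is esc_attr(); htmlspecialchars()
// with ENT_QUOTES is used here so the example runs outside WordPress.
// If the parameter is really a numeric id, casting with (int) first is the
// stronger fix because it removes the string entirely.
function render_safe(array $get): string {
    $i = $get['i'] ?? '';
    $escaped = htmlspecialchars((string) $i, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="i" value="' . $escaped . '">';
}

// Constructed probe: a value that tries to close the attribute. This is the
// kind of input a tester checks for in each released version (1.52, 1.56, 1.57).
$probe = ['i' => '"><b>probe</b>'];

echo render_unsafe($probe), PHP_EOL; // attribute closes; markup lands in the page
echo render_safe($probe),   PHP_EOL; // quotes and angle brackets are entity-encoded
```

When auditing a fix like the one in the changelog, the check is simply that every echo of a request value passes through a context-appropriate escaper; a diff that only touches files other than the one named in the advisory (as in post 3, which diffed flagshow.php and lib/core.php but not facebook.php) will not show the relevant change.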

  7. henrisalo
    Member
    Posted 2 years ago #
