WordPress.org

Ready to get started?Download WordPress

Forums

NextGEN Gallery
[resolved] XSS Vulnerability in NextGEN Gallery WordPress Plugin (5 posts)

  1. craigtommola
    Member
    Posted 4 years ago #

  2. Paulio51
    Member
    Posted 4 years ago #

    Is it me or does it say that version 1.5.2 is non-vulnerable?

    Can you recreate the vulnerability with the latest version?

    Here is also the Report Timeline which states that Alex Rabe has fixed it.

    9. Report Timeline

    * 2010-03-25: Core Security Technologies notifies Alex Rabe of the vulnerability, offering a draft for this advisory in plaintext or encrypted form (if proper keys are sent). April 5th, 2010, is proposed as a release date.

    * 2010-03-25: Alex Rabe acknowledges Core Security Technologies's e-mail, and asks for the advisory draft in plain text.

    * 2010-03-25: Core Security Technologies sends the advisory draft to Alex Rabe.

    * 2010-03-25: Alex Rabe acknowledges the vulneravility, confirms it for NextGEN Gallery 1.5.0 and 1.5.1, and informs than 1.5.2 (due to be released on March 26th) will contain a fix.

    * 2010-03-26: NextGEN Gallery 1.5.2 is released.

    * 2010-04-06: Advisory CORE-2010-0323 is published.

  3. Samuel B
    moderator
    Posted 4 years ago #

    NextGEN has a hole in it. When will it be fixed?

    this was dealt with quite a while back

  4. Alex Rabe
    Member
    Posted 4 years ago #

    Please read better the text, fixed since 1.5.2 :

    http://alexrabe.de/2010/03/25/new-bugfix-release-2/

  5. craigtommola
    Member
    Posted 3 years ago #

    Sorry for the lack of due diligence on that one. I was in the midst of cleaning up after a nasty cretin hacked about 30 of my WP sites which I had to clean up ASAP. (johnnyA ring a bell?) Had to basically strip and rebuild all of them myself, and it got a little frantic and chaotic. I posted this in the midst of that.

    Note to self - a developer who suggests that we disable core and plugin notifications so the clients don't see the alert is actually wrong, regardless of him having more experience than myself.

    Moral of the story, Up to date = good. Out of date = bad. Hunches = Often correct.

    Thank you for taking the time to respond to my post.
    I truly appreciate it.
    CT

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.