alex.rabe » security

Security update 1.8.4 and 4.000.000 downloads

Alex Rabe — Wed, 26 Oct 2011 18:20:06 +0000

Normally I’m happy to announce that NextGEN gallery reached 4 million downloads, but due to a security fixes I need to advice that everybody should update to the latest release 1.8.4. If you whatever reason prefer not to update the plugin, I suggest to download the file tags.php and overwrite this file in your nextgen-gallery/admin folder

New bugfix release

Alex Rabe — Thu, 25 Mar 2010 20:06:39 +0000

In this minutes I’ve uploaded a new bugfix release NextGEN Gallery Version 1.5.2 . There is one XSS bug fixed in the media-rss script and I also solved a issue with old shortcodes. I encouraged everybody to update to the latest version, or if you on whatever reason stay would stay at your version, please update the file media-rss.php from here : http://code.google.com/p/nextgen-gallery/source/detail?r=718

Please report further problems in the forums, thanks !

Security issue or not ?

Alex Rabe — Wed, 18 Jun 2008 13:45:46 +0000

Before to many people starts writing that there is a security problem, I would like to give my statement . In the current version of NextGEN Gallery it’s possible to include javascript commands inside the description field (So called XSS vulnerability) as long as the user has admin access to the blog . It was my intention to allow here HTML code and I see no security flaw unless somebody has access to your blog… but then he can enter also a javascript code inside a blog post or a page or do other bad things.

So is this now a problem or not ? It’s a simple thing to strip out any HTML code, but does somebody see a real security problem ? Should I disallow any HTML code for editors , auhors and admins ?