Tag Archives: security

Security update 1.8.4 and 4.000.000 downloads

Normally I’d be happy to announce that NextGEN Gallery has reached 4 million downloads, but due to a security fix I need to advise everybody to update to the latest release, 1.8.4. If for whatever reason you prefer not to update the plugin, I suggest downloading the file tags.php and overwriting this file in your nextgen-gallery/admin folder.


New bugfix release

A few minutes ago I uploaded a new bugfix release, NextGEN Gallery Version 1.5.2. There is one XSS bug fixed in the media-rss script and I also solved an issue with old shortcodes. I encourage everybody to update to the latest version, or if for whatever reason you would stay at your version, please update the file media-rss.php from here: http://code.google.com/p/nextgen-gallery/source/detail?r=718

Please report further problems in the forums, thanks!


Security issue or not?

Before too many people start writing that there is a security problem, I would like to give my statement. In the current version of NextGEN Gallery it’s possible to include JavaScript commands inside the description field (a so-called XSS vulnerability) as long as the user has admin access to the blog. It was my intention to allow HTML code here, and I see no security flaw unless somebody has access to your blog… but then he can also enter JavaScript code inside a blog post or a page, or do other bad things.

So is this now a problem or not? It’s a simple thing to strip out any HTML code, but does somebody see a real security problem? Should I disallow any HTML code for editors, authors and admins?
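As an added example (this is not NextGEN Gallery's own code), here is how a WordPress plugin can answer that question without picking one policy for everybody: reuse the core capability that already decides who may put raw HTML into a post. Users who hold 'unfiltered_html' (administrators, and editors on a single-site install) keep the same power in the description field that they already have in the post editor; everyone else goes through a kses allowlist. The two function names prefixed ngg_example_ are hypothetical; current_user_can(), wp_kses(), wp_kses_post() and esc_html() are real WordPress core functions.

```php
<?php
/*
 * Added example, not NextGEN Gallery code.
 * Assumption: the plugin saves a gallery/image description through
 * ngg_example_save_description() and prints it through
 * ngg_example_print_description(). Both names are hypothetical.
 */

/**
 * Tags and attributes a description may contain for users who do not hold
 * 'unfiltered_html'. Deliberately narrower than wp_kses_post(): a caption
 * needs links and emphasis, not forms, iframes or inline styles.
 */
function ngg_example_allowed_description_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array() ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'p'      => array(),
    );
}

/**
 * Filter on save. Admins keep raw HTML (including <script>), exactly as
 * WordPress lets them in a post; other roles are reduced to the allowlist.
 * wp_kses() also drops on* event-handler attributes (not in the list) and
 * javascript: URLs (only wp_allowed_protocols() survive in href).
 */
function ngg_example_save_description( $raw ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;
    }
    return wp_kses( $raw, ngg_example_allowed_description_html() );
}

/**
 * Filter on output as well. The capability of the author at save time is
 * not known when the gallery is rendered, and content may have reached the
 * database by another route (import, older plugin version), so the stored
 * value is treated as untrusted here too. $allow_html = false gives the
 * "strip everything" option the post discusses.
 */
function ngg_example_print_description( $stored, $allow_html = true ) {
    if ( ! $allow_html ) {
        echo esc_html( $stored );
        return;
    }
    echo wp_kses( $stored, ngg_example_allowed_description_html() );
}
```

Site owners who want the stricter answer for admins as well can define the core constant DISALLOW_UNFILTERED_HTML as true in wp-config.php; then current_user_can( 'unfiltered_html' ) is false for every role and the save path above always filters, so the plugin does not have to make that decision on their behalf.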
