New vulnerabilities in Google Maps plugin for Joomla

2014-05-04T00:00:00
ID SECURITYVULNS:DOC:30599
Type securityvulns
Reporter Securityvulns
Modified 2014-05-04T00:00:00

Description

Hello 3APA3A!

Last year I wrote about multiple vulnerabilities in Google Maps plugin. After my informing the developer fixed them, but this year I found new vulnerabilities.

These are Denial of Service and Insufficient Anti-automation vulnerabilities in Google Maps plugin for Joomla.


Affected products:

Vulnerable are Google Maps plugin v3.2 for Joomla and previous versions. Except versions 2.19, 2.20 and 3.1 of the plugin where proxy functionality was removed.

I've informed the developer about these holes. Now he is working on a new version of the plugin. He hasn't released Google Maps v3.2 yet, only put it on his site. And after fixing all reported vulnerabilities, he will release it to the public.


Affected vendors:

Mike Reumer http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147


Details:

Denial of Service (WASC-10):

It's possible to conduct attacks on target sites, where domain of web site with Google Maps plugin is used as subdomain.

For old versions of the plugin "plugin_googlemap2_proxy.php" is used and for new versions of the plugin "plugin_googlemap3_kmlprxy.php" is used. E.g. request for attack on site wordpress.com via script at web site "site":

http://site/plugins/system/plugin_googlemap2_proxy.php?url=site.wordpress.com

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site.wordpress.com

It's needed by bypass security filter (domain restriction) if it's turned on. Thus it's possible to attack web sites, which allow arbitrary subdomains.

Besides conducting DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks with using of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Insufficient Anti-automation (WASC-21):

Last year in Google Maps plugin v3.2 the developer made protection from automated attacks, but it's not effective. And use of above-mentioned domain check can be bypassed.

In this functionality there is no reliable protection from automated requests. To bypass protection for accessing this script (appeared in version 3.2) it's needed to set referer, cookie and token. The referer is current site, the cookie is set by the site (Joomla) itself and the token can be found at page which uses plugin of the site (and it's setting in URL). This data can be taken from the site automatically.

Referer: http://site Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

I have disclosed it at my site (http://websecurity.com.ua/6987/).

Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua