| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Feb 2014 23:58:22 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: New vulnerabilities in Google Maps plugin for Joomla Hello list! Last year I wrote about multiple vulnerabilities in Google Maps plugin. After my informing the developer fixed them, but this year I found new vulnerabilities. These are Denial of Service and Insufficient Anti-automation vulnerabilities in Google Maps plugin for Joomla. ------------------------- Affected products: ------------------------- Vulnerable are Google Maps plugin v3.2 for Joomla and previous versions. Except versions 2.19, 2.20 and 3.1 of the plugin where proxy functionality was removed. I've informed the developer about these holes. Now he is working on a new version of the plugin. He hasn't released Google Maps v3.2 yet, only put it on his site. And after fixing all reported vulnerabilities, he will release it to the public. ------------------------- Affected vendors: ------------------------- Mike Reumer http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147 ---------- Details: ---------- Denial of Service (WASC-10): It's possible to conduct attacks on target sites, where domain of web site with Google Maps plugin is used as subdomain. For old versions of the plugin "plugin_googlemap2_proxy.php" is used and for new versions of the plugin "plugin_googlemap3_kmlprxy.php" is used. E.g. request for attack on site wordpress.com via script at web site "site": http://site/plugins/system/plugin_googlemap2_proxy.php?url=site.wordpress.com http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site.wordpress.com It's needed by bypass security filter (domain restriction) if it's turned on. Thus it's possible to attack web sites, which allow arbitrary subdomains. Besides conducting DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks with using of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html). Insufficient Anti-automation (WASC-21): Last year in Google Maps plugin v3.2 the developer made protection from automated attacks, but it's not effective. And use of above-mentioned domain check can be bypassed. In this functionality there is no reliable protection from automated requests. To bypass protection for accessing this script (appeared in version 3.2) it's needed to set referer, cookie and token. The referer is current site, the cookie is set by the site (Joomla) itself and the token can be found at page which uses plugin of the site (and it's setting in URL). This data can be taken from the site automatically. Referer: http://site Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0 I have disclosed it at my site (http://websecurity.com.ua/6987/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists