lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 7 Feb 2014 23:58:22 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: New vulnerabilities in Google Maps plugin for
	Joomla

Hello list!

Last year I wrote about multiple vulnerabilities in Google Maps plugin. 
After my informing the developer fixed them, but this year I found new 
vulnerabilities.

These are Denial of Service and Insufficient Anti-automation vulnerabilities 
in Google Maps plugin for Joomla.

-------------------------
Affected products:
-------------------------

Vulnerable are Google Maps plugin v3.2 for Joomla and previous versions. 
Except versions 2.19, 2.20 and 3.1 of the plugin where proxy functionality 
was removed.

I've informed the developer about these holes. Now he is working on a new 
version of the plugin. He hasn't released Google Maps v3.2 yet, only put it 
on his site. And after fixing all reported vulnerabilities, he will release 
it to the public.

-------------------------
Affected vendors:
-------------------------

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

----------
Details:
----------

Denial of Service (WASC-10):

It's possible to conduct attacks on target sites, where domain of web site 
with Google Maps plugin is used as subdomain.

For old versions of the plugin "plugin_googlemap2_proxy.php" is used and for 
new versions of the plugin "plugin_googlemap3_kmlprxy.php" is used. E.g. 
request for attack on site wordpress.com via script at web site "site":

http://site/plugins/system/plugin_googlemap2_proxy.php?url=site.wordpress.com

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site.wordpress.com

It's needed by bypass security filter (domain restriction) if it's turned 
on. Thus it's possible to attack web sites, which allow arbitrary 
subdomains.

Besides conducting DoS attack manually, it's also possible to conduct 
automated DoS and DDoS attacks with using of DAVOSET 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Insufficient Anti-automation (WASC-21):

Last year in Google Maps plugin v3.2 the developer made protection from 
automated attacks, but it's not effective. And use of above-mentioned domain 
check can be bypassed.

In this functionality there is no reliable protection from automated 
requests. To bypass protection for accessing this script (appeared in 
version 3.2) it's needed to set referer, cookie and token. The referer is 
current site, the cookie is set by the site (Joomla) itself and the token 
can be found at page which uses plugin of the site (and it's setting in 
URL). This data can be taken from the site automatically.

Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

I have disclosed it at my site (http://websecurity.com.ua/6987/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists