[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001201cf244f$db086310$9b7a6fd5@pc>
Date: Fri, 7 Feb 2014 23:58:22 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: New vulnerabilities in Google Maps plugin for
Joomla
Hello list!
Last year I wrote about multiple vulnerabilities in Google Maps plugin.
After my informing the developer fixed them, but this year I found new
vulnerabilities.
These are Denial of Service and Insufficient Anti-automation vulnerabilities
in Google Maps plugin for Joomla.
-------------------------
Affected products:
-------------------------
Vulnerable are Google Maps plugin v3.2 for Joomla and previous versions.
Except versions 2.19, 2.20 and 3.1 of the plugin where proxy functionality
was removed.
I've informed the developer about these holes. Now he is working on a new
version of the plugin. He hasn't released Google Maps v3.2 yet, only put it
on his site. And after fixing all reported vulnerabilities, he will release
it to the public.
-------------------------
Affected vendors:
-------------------------
Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147
----------
Details:
----------
Denial of Service (WASC-10):
It's possible to conduct attacks on target sites, where domain of web site
with Google Maps plugin is used as subdomain.
For old versions of the plugin "plugin_googlemap2_proxy.php" is used and for
new versions of the plugin "plugin_googlemap3_kmlprxy.php" is used. E.g.
request for attack on site wordpress.com via script at web site "site":
http://site/plugins/system/plugin_googlemap2_proxy.php?url=site.wordpress.com
http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site.wordpress.com
It's needed by bypass security filter (domain restriction) if it's turned
on. Thus it's possible to attack web sites, which allow arbitrary
subdomains.
Besides conducting DoS attack manually, it's also possible to conduct
automated DoS and DDoS attacks with using of DAVOSET
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).
Insufficient Anti-automation (WASC-21):
Last year in Google Maps plugin v3.2 the developer made protection from
automated attacks, but it's not effective. And use of above-mentioned domain
check can be bypassed.
In this functionality there is no reliable protection from automated
requests. To bypass protection for accessing this script (appeared in
version 3.2) it's needed to set referer, cookie and token. The referer is
current site, the cookie is set by the site (Joomla) itself and the token
can be found at page which uses plugin of the site (and it's setting in
URL). This data can be taken from the site automatically.
Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0
I have disclosed it at my site (http://websecurity.com.ua/6987/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists