Date: Thu, 26 Feb 2015 14:43:19 -0500 (EST) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Joomla Google Maps Plugin -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://tech.reumer.net/Google-Maps/Documentation-of-plugin-Googlemap/security-release-3-1-of-plugin-googlemaps.html > http://cxsecurity.com/issue/WLB-2014020215 > http://www.saotn.org/joomla-websites-abused-open-proxy-denial-service-attacks/ > http://seclists.org/fulldisclosure/2013/Jul/158 > Denial of Service / reflection issue (this seems the one akamai is > most concerned about) We think the earliest disclosure of this was http://securityvulns.ru/docs29645.html and it is assigned CVE-2013-7428. > XML injection We think the earliest disclosure of this was http://securityvulns.ru/docs29645.html again. We are not sure what set of impacts would typically have occurred from XML injection within unpatched versions of this "Google Maps by Reumer" product. The current version calls libxml_disable_entity_loader. XML injection could cause a denial of service, in part depending on the version of libxml2 that is used by the version of PHP. We have assigned CVE-2013-7429 for this. The ability to place an XSS payload within an XML document is considered another XSS attack vector (see the next CVE) disclosed at the same time, and is not within the scope of CVE-2013-7429. If anyone decides to research older versions of this product, in order to identify other vulnerabilities associated with the product's use of the PHP libxml extension, then additional CVE IDs may be possible. > XSS We think the earliest disclosure of this was http://securityvulns.ru/docs29645.html again. Use CVE-2013-7430. As mentioned above, an attack such as <div xmlns="http://www.w3.org/1999/xhtml">[XSS]</div> using a .xml filename is within the scope of CVE-2013-7430. > path disclosure We think the earliest disclosure of this was http://securityvulns.ru/docs29645.html again. Use CVE-2013-7431. Two additional vulnerabilities were disclosed on the http://securityvulns.ru/docs29670.html page, apparently 10 days later in 2013. Some older versions of the proxy component lack any restrictions on requests. This issue is not being assigned a CVE ID even though the researcher lists it as an "Insufficient Anti-automation (IAA)" vulnerability. In these older versions, the vendor was not trying to impose restrictions, and imposing restrictions would thus be considered an opportunity for security hardening, not a vulnerability. However, the vendor later created a protection mechanism that was intended to impose these restrictions. The researcher found a way to bypass this protection mechanism. That is assigned CVE-2013-7432. Specifically, the way to bypass this protection mechanism is "the token can be found at page which uses plugin of the site (and it's setting in URL). This data can be taken from the site automatically." Also, the researcher provides a new XSS attack vector, a reference to a .html filename such as url=site/xss.html in the query string. This is apparently caused by an incomplete fix for the older finding in which the XSS payload was embedded directly in the query string. Use CVE-2013-7433 for this later-disclosed XSS variant. (We understand that url=site/xss.html is conceptually not very different from url=site/xss.xml - however, we are using separate CVE IDs, in part because of the different disclosure date.) Finally, the researcher disclosed one new finding in 2014 in the http://seclists.org/fulldisclosure/2014/Feb/53 post. This new finding is a variant of CVE-2013-7428, but applies specifically to the case where the attacker controls a subdomain of the victim's domain name. Use CVE-2014-9686. The researcher gives an apparently realistic example in which the attacker controls site.wordpress.com and the attack target is the wordpress.com web site. For this issue, one might argue that the attack involving the plugin_googlemap2_proxy.php filename and the attack involving the plugin_googlemap3_kmlprxy.php filename have different affected versions and could have separate CVE IDs. We have decided to use only one CVE ID because the security problem is caused by the same code in essentially the same place, even though the file was renamed and modified somewhat. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU73a8AAoJEKllVAevmvmsrKcH/0Mw8heuHy/vrgDrgbc4GD7b t/RRa02dQ5ljcdnyDLJvWxS9bwJk34NKsoV5IX5etoYm5SUj+m59lTT2nHQNcA0C k4FyPH5iQVfYcceH4ngaQFvtJBpXwWszagyrgfYyk7J6a+zMiREkYNeFSWY8onGd nSPvX+ilpYVFrfHj7TLbJJhf3O9zriguq+zNhGynbTmsiPTIdwuS5POvthMYueiL r0+CippBrKH2F8klDABNSyD0s2wqMmQxZLGAN0vUJ/gE7At5sOK81c/NjqWb0VzV kUggTtYOVU45ISaPjHLJtGW3fHTw+JCu/DR+8G5nVxqdiUi+bcV/TwBtLJBQ8WA= =W3e1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.