Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Feb 2015 14:43:19 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Joomla Google Maps Plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://tech.reumer.net/Google-Maps/Documentation-of-plugin-Googlemap/security-release-3-1-of-plugin-googlemaps.html
> http://cxsecurity.com/issue/WLB-2014020215
> http://www.saotn.org/joomla-websites-abused-open-proxy-denial-service-attacks/
> http://seclists.org/fulldisclosure/2013/Jul/158

> Denial of Service / reflection issue (this seems the one akamai is
> most concerned about)

We think the earliest disclosure of this was
http://securityvulns.ru/docs29645.html and it is assigned
CVE-2013-7428.


> XML injection

We think the earliest disclosure of this was
http://securityvulns.ru/docs29645.html again. We are not sure what set
of impacts would typically have occurred from XML injection within
unpatched versions of this "Google Maps by Reumer" product. The
current version calls libxml_disable_entity_loader. XML injection
could cause a denial of service, in part depending on the version of
libxml2 that is used by the version of PHP. We have assigned
CVE-2013-7429 for this. The ability to place an XSS payload within an
XML document is considered another XSS attack vector (see the next
CVE) disclosed at the same time, and is not within the scope of
CVE-2013-7429. If anyone decides to research older versions of this
product, in order to identify other vulnerabilities associated with
the product's use of the PHP libxml extension, then additional CVE IDs
may be possible.


> XSS

We think the earliest disclosure of this was
http://securityvulns.ru/docs29645.html again. Use CVE-2013-7430. As
mentioned above, an attack such as <div
xmlns="http://www.w3.org/1999/xhtml">[XSS]</div> using a .xml filename
is within the scope of CVE-2013-7430.


> path disclosure

We think the earliest disclosure of this was
http://securityvulns.ru/docs29645.html again. Use CVE-2013-7431.


Two additional vulnerabilities were disclosed on the
http://securityvulns.ru/docs29670.html page, apparently 10 days later in 2013.

Some older versions of the proxy component lack any restrictions on
requests. This issue is not being assigned a CVE ID even though the
researcher lists it as an "Insufficient Anti-automation (IAA)"
vulnerability. In these older versions, the vendor was not trying to
impose restrictions, and imposing restrictions would thus be
considered an opportunity for security hardening, not a vulnerability.
However, the vendor later created a protection mechanism that was
intended to impose these restrictions. The researcher found a way to
bypass this protection mechanism. That is assigned CVE-2013-7432.
Specifically, the way to bypass this protection mechanism is "the
token can be found at page which uses plugin of the site (and it's
setting in URL). This data can be taken from the site automatically."

Also, the researcher provides a new XSS attack vector, a reference to
a .html filename such as url=site/xss.html in the query string. This
is apparently caused by an incomplete fix for the older finding in
which the XSS payload was embedded directly in the query string. Use
CVE-2013-7433 for this later-disclosed XSS variant. (We understand
that url=site/xss.html is conceptually not very different from
url=site/xss.xml - however, we are using separate CVE IDs, in part
because of the different disclosure date.)

Finally, the researcher disclosed one new finding in 2014 in the
http://seclists.org/fulldisclosure/2014/Feb/53 post. This new finding
is a variant of CVE-2013-7428, but applies specifically to the case
where the attacker controls a subdomain of the victim's domain name.
Use CVE-2014-9686. The researcher gives an apparently realistic
example in which the attacker controls site.wordpress.com and the
attack target is the wordpress.com web site.

For this issue, one might argue that the attack involving the
plugin_googlemap2_proxy.php filename and the attack involving the
plugin_googlemap3_kmlprxy.php filename have different affected
versions and could have separate CVE IDs. We have decided to use only
one CVE ID because the security problem is caused by the same code in
essentially the same place, even though the file was renamed and
modified somewhat.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU73a8AAoJEKllVAevmvmsrKcH/0Mw8heuHy/vrgDrgbc4GD7b
t/RRa02dQ5ljcdnyDLJvWxS9bwJk34NKsoV5IX5etoYm5SUj+m59lTT2nHQNcA0C
k4FyPH5iQVfYcceH4ngaQFvtJBpXwWszagyrgfYyk7J6a+zMiREkYNeFSWY8onGd
nSPvX+ilpYVFrfHj7TLbJJhf3O9zriguq+zNhGynbTmsiPTIdwuS5POvthMYueiL
r0+CippBrKH2F8klDABNSyD0s2wqMmQxZLGAN0vUJ/gE7At5sOK81c/NjqWb0VzV
kUggTtYOVU45ISaPjHLJtGW3fHTw+JCu/DR+8G5nVxqdiUi+bcV/TwBtLJBQ8WA=
=W3e1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.