diddipoeler / joomleague-2-komplettpaket


Multiple vulnerabilities in joomleague-2-komplettpaket #56

Open MustLive opened 10 years ago

MustLive commented 10 years ago

Hello developers of joomleague-2-komplettpaket!

I want to inform you about multiple vulnerabilities in your software. These are Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities.

These holes are in the Googlemaps plugin for Joomla, which you use in your plugin. In 2013-2014 I wrote advisories about multiple vulnerabilities in the Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).

Denial of Service (WASC-10):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=google.com

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

Cross-Site Scripting (WASC-08):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

This is possible with corresponding PHP settings, when warnings are shown.

For descriptions of the other Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities, read my advisories.

All versions of joomleague-2-komplettpaket, which includes this plugin, are vulnerable. I have already informed the developers of JoomLeague.
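
For site operators checking whether the proxy script described in this report is being used on their server, the following is an added example (not part of the report and not code from the plugin) that triages web access log lines for requests to `plugin_googlemap3_proxy.php`. The allowlisted hosts, the combined log format and the sample log lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

PROXY_SCRIPT = "/plugin_googlemap3_proxy.php"
# Assumption: hosts the map plugin legitimately needs; set per deployment.
ALLOWED_HOSTS = {"maps.google.com", "maps.googleapis.com"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) [^"]*"')

def classify(target):
    """Verdict for one request target; None if it is not a proxy request."""
    parts = urlsplit(target)
    if not parts.path.endswith(PROXY_SCRIPT):
        return None
    values = parse_qs(parts.query).get("url", [])
    if not values:
        return "missing-url"
    url = values[0]  # parse_qs has already percent-decoded the value
    if re.search(r"[<>\"']", url):
        return "markup-in-url"  # would be echoed if PHP warnings are shown
    try:
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    except ValueError:
        return "unparseable-url"
    return "ok" if host.lower() in ALLOWED_HOSTS else "off-allowlist-host"

def triage(lines):
    """Return (findings, per-client counts) for suspicious proxy requests."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        verdict = classify(m.group("target")) if m else None
        if verdict and verdict != "ok":
            findings.append((m.group("ip"), verdict))
            per_ip[m.group("ip")] += 1
    return findings, per_ip

# Constructed sample lines (documentation IP ranges), not real traffic.
P = "/components/com_joomleague/plugins/system/plugin_googlemap3" + PROXY_SCRIPT
TS = "[01/Jan/2015:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /index.php HTTP/1.1" 200 5120',
    f'192.0.2.10 - - {TS} "GET {P}?url=http%3A%2F%2Fmaps.google.com%2Fmaps HTTP/1.1" 200 900',
    f'198.51.100.7 - - {TS} "GET {P}?url=google.com HTTP/1.1" 200 48211',
    f'198.51.100.7 - - {TS} "GET {P}?url=example.org HTTP/1.1" 200 1270',
    f'203.0.113.5 - - {TS} "GET {P}?url=%3Cbody%20onload=alert(document.cookie)%3E HTTP/1.1" 200 310',
]
```

A high per-client count of `off-allowlist-host` verdicts points to the proxy being used to fetch third-party sites; until the plugin is patched or removed, blocking direct access to the script at the web server is the simplest containment.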