Hello developers of joomleague-2-komplettpaket!
I want to inform you about multiple vulnerabilities in your software. These are Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities.
These holes are in the Googlemaps plugin for Joomla, which you use in your plugin. In 2013-2014 I wrote advisories about multiple vulnerabilities in the Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).
Denial of Service (WASC-10):
http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=google.com
Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).
Cross-Site Scripting (WASC-08):
http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E
This is possible with corresponding PHP settings, when warnings are shown.
Descriptions of the other Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities can be read in my advisories.
All versions of joomleague-2-komplettpaket, which includes this plugin, are vulnerable. I have already informed the developers of JoomLeague.
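For site operators checking whether the proxy script named above has been requested, the following is an added detection example, not part of the original advisory or of JoomLeague's code. It scans web server access log lines for requests to plugin_googlemap3_proxy.php that carry a url parameter; the combined log format, the sample lines, the IP addresses and the burst threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

PROXY_SCRIPT = "plugin_googlemap3_proxy.php"  # script named in the advisory
# Assumed Apache/nginx "combined" layout: ip ident user [time] "METHOD target PROTO" ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def classify(line):
    """Return (client_ip, reason) for a request that uses the proxy, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith("/" + PROXY_SCRIPT):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("url", [])
    if not values:
        return None
    value = values[0]  # parse_qs has already percent-decoded it
    if re.search(r"[<>\"']", value):
        return ip, "markup in url parameter"
    return ip, "proxy fetch of " + value

def summarize(lines, burst=3):
    """Return all hits plus the clients with at least `burst` proxy requests."""
    hits = [h for h in map(classify, lines) if h]
    per_ip = Counter(ip for ip, _ in hits)
    return hits, sorted(ip for ip, n in per_ip.items() if n >= burst)

# Constructed sample log lines (documentation IP ranges, made-up timestamp).
PATH = "/components/com_joomleague/plugins/system/plugin_googlemap3/" + PROXY_SCRIPT

def _line(ip, target):
    return f'{ip} - - [10/Mar/2014:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

SAMPLE_LOG = (
    [_line("198.51.100.7", PATH + "?url=google.com")] * 3
    + [_line("203.0.113.9", PATH + "?url=%3Cbody%20onload=alert(document.cookie)%3E"),
       _line("192.0.2.10", "/index.php?option=com_joomleague")]
)

if __name__ == "__main__":
    hits, noisy = summarize(SAMPLE_LOG)
    for ip, reason in hits:
        print(ip, reason)
    print("clients at or above burst threshold:", noisy)
```

Any hit is worth reviewing, since the script has no legitimate reason to be called with arbitrary url values by outside clients.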