In the last couple of days, in February 2015, new blog posts have appeared about possible security risks in the Google Maps Plugin:
These blog posts are still based on the security risk found in 2014 in plugin versions lower than 3.1, which was published at: http://websecurity.com.ua/6987/ (English: http://seclists.org/fulldisclosure/2014/Feb/53)
The reporter mistakenly mentions that version 3.2 is vulnerable, but that is not right. Version 3.2 had not yet been released to the public at the time the risk was reported. It was still being tested in cooperation with the reporter, Eugene Dokukin aka MustLive, and was released after it had been tested successfully without any security risk.
So upgrade to the latest version 3.2!
Also available for Joomla 1.5, but please upgrade to the latest Joomla version 3.x.
Version 3.2 added the following security protection:
- Checks that the origin is the website itself and not another referrer.
- Checks that the Joomla token is set and valid.
- Checks that the URL is a valid URL.
- Checks that the requested content is an XML-based response.
- Protects against automation: the plugin checks that the URL/content is authorised and used in the article that the visitor of the website requested.
- The KML proxy is switched off by default in the plugin configuration, which makes the proxy method for KML files unavailable.
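
The checks listed above, sketched in plain PHP as an added example; this is not the plugin's own code. All function and parameter names are hypothetical, and Joomla's token check is represented by a constant-time comparison against a session value.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code; all names are hypothetical.

/** Returns null when the proxy request may be served, else the refusal reason. */
function proxyRequestRefusal(
    bool $proxyEnabled,     // plugin setting, off by default
    string $siteHost,       // this site's own host name
    ?string $referer,       // Referer header of the request
    string $sessionToken,   // token held in the visitor's session
    ?string $requestToken,  // token sent with the request
    string $url,            // remote URL the client wants fetched
    array $urlsInArticle    // URLs the requested article embeds
): ?string {
    if (!$proxyEnabled) {
        return 'proxy disabled';
    }
    $refHost = $referer === null ? null : parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || strcasecmp($refHost, $siteHost) !== 0) {
        return 'origin is not this site';
    }
    if ($sessionToken === '' || $requestToken === null
        || !hash_equals($sessionToken, $requestToken)) {
        return 'missing or invalid token';
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return 'not a valid http(s) URL';
    }
    if (!in_array($url, $urlsInArticle, true)) {
        return 'URL not used in the requested article';
    }
    return null;
}

/** True only if the fetched body parses as XML (KML is XML). */
function isXmlResponse(string $body): bool
{
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc !== false;
}

// Constructed request: origin and token pass, but the article never embeds this URL.
var_dump(proxyRequestRefusal(true, 'example.org', 'https://example.org/map',
    'tok', 'tok', 'http://other.example/a.kml', ['https://maps.example/r.kml']));
```

The request checks run before anything is fetched; `isXmlResponse` is applied to the fetched body before it is returned to the browser.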
If your website is under attack or if you want to be sure that you are not vulnerable, take the following steps:
- Version 2 of this plugin is deprecated; update to version 3.2 and uninstall the old version 2.
- Check and remove the plugin_googlemap2_proxy.php file, often located in /plugins/system/, /plugins/content/ or /plugins/system/plugin_googlemap2.
- Also check this article.
I am sorry for the trouble I may have caused.
I hope you can have fun again with the plugin.