WP-Cumulus updated to address yet another security issue

A few weeks ago I rushed out an update to fix a potentially dangerous Cross-Site Scripting (XSS) vulnerability in WP-Cumulus. With the PHP part of the plugin shielded from ‘outside use’, I was hoping no more issues would pop up. Still, I’m glad MustLive alerted me to another issue that uses the Flash movie itself. The exploit worked by calling the SWF file directly and supplying a link containing javascript. I’m not quite sure how dangerous this is, but I’ve modified the movie so it only executes regular links.

Please update your copy of WP-Cumulus to 1.23 asap. For most users it should only take two clicks.

This should not affect how WP-Cumulus works on WordPress blogs. But there have been a number of ports and other projects that use the Flash movie. I urge the authors of those projects to examine the new Flash movie and see if it still works in/with their product. The exploit is not unique to WordPress, and they may need to modify the security check to fit their project.
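The kind of check the 1.23 fix describes, as an added example that is not WP-Cumulus code (the Flash movie is ActionScript; this is the same idea in JavaScript): a link that arrives from outside the movie, for instance through Flashvars, is only opened when it resolves to a regular http(s) URL. The `PAGE_BASE` value and the `navigate` callback are assumptions for the example.

```javascript
// Added example, not the plugin's own code: allow-list the scheme of a link
// that an attacker may control before handing it to a navigation call.
// PAGE_BASE is a constructed placeholder used to resolve relative links.
const PAGE_BASE = "https://blog.example/";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalised absolute URL when the link is a regular web link,
// or null when it must not be opened. Using the WHATWG URL parser matters:
// it strips the tabs/newlines and leading whitespace that browsers also
// ignore, so "java\tscript:" and " javascript:" are recognised as the
// javascript scheme instead of slipping through as a "relative path".
function safeLink(link) {
  if (typeof link !== "string" || link.trim() === "") return null;
  let url;
  try {
    url = new URL(link, PAGE_BASE);
  } catch {
    return null; // unparseable input is rejected, never "fixed up"
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Click handler in the spirit of the tag cloud's link opening. The
// navigate callback is injected so the function runs without a browser
// (in a page it would be window.open or location.assign).
function openTagLink(link, navigate) {
  const target = safeLink(link);
  if (target === null) return false; // rejected: nothing is executed
  navigate(target);
  return true;
}

// Constructed sample inputs a tag cloud could receive via Flashvars.
const SAMPLE_LINKS = [
  "http://example.org/tag/security", // regular link: opened
  "/tag/wordpress",                  // relative link: resolved, opened
  "javascript:doSomething()",        // script scheme: rejected
  "java\tscript:doSomething()",      // tab-obfuscated scheme: rejected
  "data:text/html,hello",            // other non-web scheme: rejected
];

// Small self-check returning which samples the handler would open.
function demo() {
  const opened = [];
  for (const l of SAMPLE_LINKS) openTagLink(l, (u) => opened.push(u));
  return opened;
}
```

`demo()` returns only the two http(s) targets; every other sample is refused before any navigation happens.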

13 Comments

  1. First! (沙发)

    Comment by 叶子 — November 16, 2009 @ 1:26 pm

  2. I’m a Chinese boy, so I want to translate the options into Chinese. Please give me a mandate, I do not want to infringe your copyright, please.

    Comment by 叶子 — November 16, 2009 @ 1:33 pm

    • If you could hang in there for a little while, we’re working on a new version that supports translations through language files. I’m probably going to set up an online tool that allows you to translate the plugin without touching a single line of code.

      Comment by Roy — November 16, 2009 @ 4:20 pm

  3. Hi Roy – wonderful app! Thanx a million!

    I modified it and would like to use it on my web page (please go to http://www.bsten.se to see example) – what about copyright issues etc?

    Is it possible to have an image in the background (I tried using the style sheet url code, but it didn’t work).

    Also, is it possible to remove the frames from the tags/links when hovering?

    Cheers from Sweden!! :-)

    Comment by Bengt Stenstrom — November 17, 2009 @ 8:28 pm

    • Hi Bengt. You’re completely welcome to use it on your site. The GPL license allows it, so I wouldn’t be able to stop you if I wanted to. The border is in the Flash movie, so you’d need to edit and recompile the movie to take it out. If you set the movie to transparent (wmode flashvar) the background of the page will be visible through Cumulus. Or you can add a picture inside the fla file.

      Comment by Roy — November 18, 2009 @ 12:11 pm

  4. Thank you so much!! :-) Take care!!

    Comment by Bengt Stenstrom — November 24, 2009 @ 9:00 am

  5. Link: WordPress WP-Cumulus Plugin “tagcloud” Cross-Site Scripting Vulnerability « Bug-Blog
  6. Hi,

    I discovered your plugin via MinMaps Unleashed and love its effects.

    Is this only available on WordPress or can I use it for my (blogger) blog?

    Thanks

    Helen

    Comment by Helen — November 26, 2009 @ 1:59 pm

    • Hi Helen. Yes, there’s a Blogger port over on bloggerbuster.com (look for ‘Blogumus’).

      Comment by Roy — November 27, 2009 @ 3:05 pm

  7. Link: Flash tag cloud for WordPress | Personal blog of InKiLiNo
  8. Roy

    There are really many flash files tagcloud.swf (which you developed for your plugin) on the Internet. As I wrote in December in my article XSS vulnerabilities in 8 millions flash files about XSS holes in flash banners all over the Web, there are up to 34 million tagcloud.swf files which are potentially vulnerable to XSS attacks.

    > But there have been a number of ports and other projects that use the Flash movie.

    Yes, there are other projects with your flash file.

    These 34 million Flash files include not only your plugin WP-Cumulus for WordPress, but also other plugins for other engines. As I found in December, such an XSS hole exists in Joomulus for Joomla (and I informed the author of Joomulus, but got no response from him). And there are many other projects with this swf file which can be vulnerable. So these projects and their authors must be found and informed about the risk of the XSS hole in tagcloud.swf.

    Comment by MustLive — January 7, 2010 @ 10:56 pm

  9. Hi MustLive. I feel it’s the port authors’ responsibility to keep their projects in sync with WP-Cumulus. There are so many that I can’t possibly inform all of them of changes and new features. My project is freely available through SVN, and there’s an archive of earlier releases. This means that anyone serious about maintaining a port can check for new versions any time they’d like. Updates are also announced on my blog, so subscribing to the RSS feed would be a good start.

    As you said, there are many Flash files out there that call URLs. It’s common practice for Flash developers to not store data inside movies but feed it to them through Flashvars, which can be overwritten. WP-Cumulus now blocks javascript calls, which makes it much more robust; all I can do is hope other projects will get updated too.

    Comment by Roy — January 8, 2010 @ 3:20 pm

  10. Hi Roy!

    It’s good that you quickly fixed the XSS hole in your plugin after I informed you, but besides XSS, there is also an HTML Injection hole (because WP-Cumulus functionality allows both these attacks), as I wrote about later in my advisory about vulnerabilities in WP-Cumulus and in my article XSS vulnerabilities in 34 millions flash files (in English). So after your fix, the HTML Injection attacks are still possible.

    > I feel it’s the port authors’ responsibility to keep their projects in sync with WP-Cumulus.

    Yes, their ones. But don’t forget that you are the author of the most widespread vulnerable flash file on the Internet (there are about 34 million tagcloud.swf files), as is clearly seen from my above-mentioned article. So you also need to take some responsibility ;-).

    > There are so many that I can’t possibly inform all of them of changes and new features.

    I understand it. And I took this mission on myself. Besides you, I already informed 3 authors of plugins with this swf file (Joomulus, JVClouds3D and Blogumus) and will try to continue this work.

    > WP-Cumulus now blocks javascript calls which makes it much more robust

    Yes, it’s already XSS free (and during my research I found sites which used the new version of the swf file). But there is still an HTML Injection vulnerability in it.

    Comment by MustLive — January 13, 2010 @ 10:49 pm