Jump to content
Nytro

New XSS vulnerability in WP-Cumulus for WordPress and millions web sites

By Nytro, in Stiri securitate

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

New XSS vulnerability in WP-Cumulus for WordPress and multiple web applications and m

From: "MustLive" <mustlive () websecurity com ua>

Date: Sun, 20 Nov 2011 23:40:48 +0200

Hello list!

I want to warn you about new Cross-Site Scripting vulnerability in

WP-Cumulus for WordPress and multiple web applications and millions web

sites.

Earlier I wrote about XSS vulnerability in WP-Cumulus, which I've disclosed

in 2009 (Security Advisory: Vulnerabilities in WP-Cumulus for WordPress - security vulnerabilities database), and many other plugins

(and widgets and themes) for different engines, which are using tagcloud.swf

made by author of WP-Cumulus. About millions of flash files tagcloud.swf

which are vulnerable to XSS attacks I mentioned in my article XSS

vulnerabilities in 34 millions flash files

([WEB SECURITY] XSS vulnerabilities in 34 millions flash files).

-------------------------

Affected products:

-------------------------

Vulnerable are all versions of WP-Cumulus. At that Roy Tanck's patch

(version of flash-file for WP-Cumulus 1.23) will work for this vulnerability

too, so in fixed versions of flash-file the XSS will not work, only HTML

Injection.

Also must be vulnerable Joomulus for Joomla, JVClouds3D for Joomla,

Blogumus, 3D Cloud for Joomla, Tagcloud for DLE, t3m_cumulus_tagcloud for

TYPO3, Cumulus for BlogEngine.NET, tagcloud for Kasseler CMS, 3D user cloud

for Joomla, Flash Tag Cloud for Blogsa and other ASP.NET engines, b-cumulus,

Cumulus for Drupal, sfWpCumulusPlugin for symfony, Flash Tag Cloud For MT 4,

MT-Cumulus for Movable Type, Tumulus for Typepad, WP-Cumulus for

RapidWeaver, HB-Cumulus for Habari, Cumulus for DasBlog, EZcumulus and eZ

Flash Tag Cloud for eZ Publish, Simple Tags for Expression Engine (version

1.6.3 and new versions, where support of this swf-file was added), Freetag

for Serendipity (of this flash-file was added in version 2.103), Tag cloud

for Social Web CMS, Animated tag cloud for PHP-Fusion, 3D Advanced Tags

Clouds for Magento, Cumulus for Sweetcron and other web applications with

this flash-file.

And also themes for engines, particularly for Drupal

(http://websecurity.com.ua/5407/), which are using this flash-file (I've

wrote earlier about five vulnerable themes for Drupal). As I mentioned

bellow, vulnerable are only web applications with new versions of this

flash-file (and a lot of web applications and sites are using exactly new

versions of it). But when web developers or admins of sites, which are using

old versions of swf-file (unaffected) will decided to update it (just "to

update" or to fix first XSS vulnerability, which can be done by updating to

fixed version from Roy Tanck), then they will become vulnerable to this

hole.

----------

Details:

----------

If previous vulnerability in tagcloud.swf concerned parameter mode, then new

vulnerability concerns parameter xmlpath.

XSS (WASC-08):

http://site/tagcloud.swf?xmlpath=xss.xml

http://site/tagcloud.swf?xmlpath=http://site/xss.xml

File xss.xml:

<tags>

<a href="javascript:alert(document.cookie)" style="font-size:+40pt">Click

me</a>

<a href="http://websecurity.com.ua"; style="font-size:+40pt">Click me</a>

</tags>

Code will execute after click. It's strictly social XSS

(Strictly social XSS - Websecurity -). Also it's possible to conduct (like in

WP-Cumulus) HTML Injection attack.

The attack will work only in new versions of flash-file, where support of

parameter xmlpath was added. In old versions (not affected) in context menu

is mentioned "WP-Cumulus by Roy Tanck", and in new versions (affected)

mentioned "WP-Cumulus by Roy Tanck and Luke Morton". The attack will work

only when xml-file is placed at the same site (the path can be relative or

absolute). Extension of the file can be arbitrary.

------------

Timeline:

------------

2011.11.09 - found vulnerability.

2011.11.17 - disclosed at my site.

2011.11.19 - informed developer of WP-Cumulus. All developers of forks of

WP-Cumulus and developers of web applications, which are using this

flash-file, can read about this issue at my site and in security mailing

lists. In any case, the correct fix for first XSS hole (in links handling

algorithm) also fixes the second XSS hole, so after I've informed all

above-mentioned developers during 2009-2011, if they fixed first hole, then

they fixed the second one.

I mentioned about this vulnerability at my site:

http://websecurity.com.ua/5505/

Best wishes & regards,

MustLive

Administrator of Websecurity web site

Websecurity -

Sursa: Full Disclosure: New XSS vulnerability in WP-Cumulus for WordPress and multiple web applications and millions web sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...