Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

New XSS vulnerability in WP-Cumulus for WordPress and multiple web applications and millions web sites
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 20 Nov 2011 23:40:48 +0200

Hello list!

I want to warn you about new Cross-Site Scripting vulnerability in
WP-Cumulus for WordPress and multiple web applications and millions web
sites.

Earlier I wrote about XSS vulnerability in WP-Cumulus, which I've disclosed
in 2009 (http://securityvulns.com/Wdocument842.html), and many other plugins
(and widgets and themes) for different engines, which are using tagcloud.swf
made by author of WP-Cumulus. About millions of flash files tagcloud.swf
which are vulnerable to XSS attacks I mentioned in my article XSS
vulnerabilities in 34 millions flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of WP-Cumulus. At that Roy Tanck's patch
(version of flash-file for WP-Cumulus 1.23) will work for this vulnerability
too, so in fixed versions of flash-file the XSS will not work, only HTML
Injection.

Also must be vulnerable Joomulus for Joomla, JVClouds3D for Joomla,
Blogumus, 3D Cloud for Joomla, Tagcloud for DLE, t3m_cumulus_tagcloud for
TYPO3, Cumulus for BlogEngine.NET, tagcloud for Kasseler CMS, 3D user cloud
for Joomla, Flash Tag Cloud for Blogsa and other ASP.NET engines, b-cumulus,
Cumulus for Drupal, sfWpCumulusPlugin for symfony, Flash Tag Cloud For MT 4,
MT-Cumulus for Movable Type, Tumulus for Typepad, WP-Cumulus for
RapidWeaver, HB-Cumulus for Habari, Cumulus for DasBlog, EZcumulus and eZ
Flash Tag Cloud for eZ Publish, Simple Tags for Expression Engine (version
1.6.3 and new versions, where support of this swf-file was added), Freetag
for Serendipity (of this flash-file was added in version 2.103), Tag cloud
for Social Web CMS, Animated tag cloud for PHP-Fusion, 3D Advanced Tags
Clouds for Magento, Cumulus for Sweetcron and other web applications with
this flash-file.

And also themes for engines, particularly for Drupal
(http://websecurity.com.ua/5407/), which are using this flash-file (I've
wrote earlier about five vulnerable themes for Drupal). As I mentioned
bellow, vulnerable are only web applications with new versions of this
flash-file (and a lot of web applications and sites are using exactly new
versions of it). But when web developers or admins of sites, which are using
old versions of swf-file (unaffected) will decided to update it (just "to
update" or to fix first XSS vulnerability, which can be done by updating to
fixed version from Roy Tanck), then they will become vulnerable to this
hole.

----------
Details:
----------

If previous vulnerability in tagcloud.swf concerned parameter mode, then new
vulnerability concerns parameter xmlpath.

XSS (WASC-08):

http://site/tagcloud.swf?xmlpath=xss.xml
http://site/tagcloud.swf?xmlpath=http://site/xss.xml

File xss.xml:

<tags>
<a href="javascript:alert(document.cookie)" style="font-size:+40pt">Click
me</a>
<a href="http://websecurity.com.ua"; style="font-size:+40pt">Click me</a>
</tags>

Code will execute after click. It's strictly social XSS
(http://websecurity.com.ua/5476/). Also it's possible to conduct (like in
WP-Cumulus) HTML Injection attack.

The attack will work only in new versions of flash-file, where support of
parameter xmlpath was added. In old versions (not affected) in context menu
is mentioned "WP-Cumulus by Roy Tanck", and in new versions (affected)
mentioned "WP-Cumulus by Roy Tanck and Luke Morton". The attack will work
only when xml-file is placed at the same site (the path can be relative or
absolute). Extension of the file can be arbitrary.

------------
Timeline:
------------

2011.11.09 - found vulnerability.
2011.11.17 - disclosed at my site.
2011.11.19 - informed developer of WP-Cumulus. All developers of forks of
WP-Cumulus and developers of web applications, which are using this
flash-file, can read about this issue at my site and in security mailing
lists. In any case, the correct fix for first XSS hole (in links handling
algorithm) also fixes the second XSS hole, so after I've informed all
above-mentioned developers during 2009-2011, if they fixed first hole, then
they fixed the second one.

I mentioned about this vulnerability at my site:
http://websecurity.com.ua/5505/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • New XSS vulnerability in WP-Cumulus for WordPress and multiple web applications and millions web sites MustLive (Nov 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]