Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27335
HistoryNov 21, 2011 - 12:00 a.m.

New XSS vulnerability in WP-Cumulus for WordPress and multiple web applications and millions web sites

2011-11-2100:00:00
vulners.com
34

Hello 3APA3A!

I want to warn you about new Cross-Site Scripting vulnerability in WP-Cumulus for WordPress and multiple web applications and millions web sites.

Earlier I wrote about XSS vulnerability in WP-Cumulus, which I've disclosed in 2009 (http://securityvulns.com/Wdocument842.html), and many other plugins (and widgets and themes) for different engines, which are using tagcloud.swf made by author of WP-Cumulus. About millions of flash files tagcloud.swf which are vulnerable to XSS attacks I mentioned in my article XSS vulnerabilities in 34 millions flash files (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).


Affected products:

Vulnerable are all versions of WP-Cumulus. At that Roy Tanck's patch (version of flash-file for WP-Cumulus 1.23) will work for this vulnerability too, so in fixed versions of flash-file the XSS will not work, only HTML Injection.

Also must be vulnerable Joomulus for Joomla, JVClouds3D for Joomla, Blogumus, 3D Cloud for Joomla, Tagcloud for DLE, t3m_cumulus_tagcloud for TYPO3, Cumulus for BlogEngine.NET, tagcloud for Kasseler CMS, 3D user cloud for Joomla, Flash Tag Cloud for Blogsa and other ASP.NET engines, b-cumulus, Cumulus for Drupal, sfWpCumulusPlugin for symfony, Flash Tag Cloud For MT 4, MT-Cumulus for Movable Type, Tumulus for Typepad, WP-Cumulus for RapidWeaver, HB-Cumulus for Habari, Cumulus for DasBlog, EZcumulus and eZ Flash Tag Cloud for eZ Publish, Simple Tags for Expression Engine (version 1.6.3 and new versions, where support of this swf-file was added), Freetag for Serendipity (of this flash-file was added in version 2.103), Tag cloud for Social Web CMS, Animated tag cloud for PHP-Fusion, 3D Advanced Tags Clouds for Magento, Cumulus for Sweetcron and other web applications with this flash-file.

And also themes for engines, particularly for Drupal (http://websecurity.com.ua/5407/), which are using this flash-file (I've wrote earlier about five vulnerable themes for Drupal). As I mentioned bellow, vulnerable are only web applications with new versions of this flash-file (and a lot of web applications and sites are using exactly new versions of it). But when web developers or admins of sites, which are using old versions of swf-file (unaffected) will decided to update it (just "to update" or to fix first XSS vulnerability, which can be done by updating to fixed version from Roy Tanck), then they will become vulnerable to this hole.


Details:

If previous vulnerability in tagcloud.swf concerned parameter mode, then new vulnerability concerns parameter xmlpath.

XSS (WASC-08):

http://site/tagcloud.swf?xmlpath=xss.xml
http://site/tagcloud.swf?xmlpath=http://site/xss.xml

File xss.xml:

<tags>
<a href="javascript:alert(document.cookie)" style="font-size:+40pt">Click me</a>
<a href="http://websecurity.com.ua" style="font-size:+40pt">Click me</a>
</tags>

Code will execute after click. It's strictly social XSS (http://websecurity.com.ua/5476/&#41;. Also it's possible to conduct (like in WP-Cumulus) HTML Injection attack.

The attack will work only in new versions of flash-file, where support of parameter xmlpath was added. In old versions (not affected) in context menu is mentioned "WP-Cumulus by Roy Tanck", and in new versions (affected) mentioned "WP-Cumulus by Roy Tanck and Luke Morton". The attack will work only when xml-file is placed at the same site (the path can be relative or absolute). Extension of the file can be arbitrary.


Timeline:

2011.11.09 - found vulnerability.
2011.11.17 - disclosed at my site.
2011.11.19 - informed developer of WP-Cumulus. All developers of forks of WP-Cumulus and developers of web applications, which are using this flash-file, can read about this issue at my site and in security mailing lists. In any case, the correct fix for first XSS hole (in links handling algorithm) also fixes the second XSS hole, so after I've informed all above-mentioned developers during 2009-2011, if they fixed first hole, then they fixed the second one.

I mentioned about this vulnerability at my site:
http://websecurity.com.ua/5505/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua