WP-Cumulus Variants Cross Site Scripting

Date: 11 Sep 2011 | Reported by: MustLive | Type: packetstorm | Source: packetstormsecurity.com

Cross-Site Scripting vulnerability in WP-Cumulus variants for multiple engines and their plugins

Hello list!  
  
I want to warn you about a Cross-Site Scripting vulnerability in multiple  
plugins for different engines (it is a combination of two publications  
I made last week at my site): the plugins for RapidWeaver, Habari,  
DasBlog, eZ Publish, EE, Serendipity, Social Web CMS, PHP-Fusion, Magento and  
Sweetcron, all of which are ports of WP-Cumulus. A lot of other such plugins  
for other engines can be vulnerable.  
  
This XSS is similar to the XSS vulnerability in WP-Cumulus which I disclosed  
in 2009 (http://securityvulns.com/Wdocument842.html), because these plugins  
use tagcloud.swf made by the author of WP-Cumulus. I wrote about such  
vulnerabilities in 2009-2011; in particular, the millions of flash files  
tagcloud.swf which are vulnerable to XSS attacks were mentioned in my  
article "XSS vulnerabilities in 34 million flash files"  
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of WP-Cumulus for RapidWeaver.  
  
HB-Cumulus for Habari version 1.4 and previous versions are vulnerable to  
XSS (and all versions are vulnerable to HTML Injection).  
  
Vulnerable are all versions of Cumulus for DasBlog (old versions to XSS and   
all versions to HTML Injection).  
  
Vulnerable is EZcumulus 1.0 for eZ Publish.  
  
Vulnerable are Simple Tags for Expression Engine version 1.6.3 and newer  
versions (in which support for this swf-file was added).  
  
Vulnerable are Freetag for Serendipity: Freetag 3.28 and previous versions  
to HTML Injection, and Freetag 3.21 and previous versions to XSS (in version  
3.22 the XSS was fixed after a report by Stefan Schurtz). Support for the  
flash file was added in version 2.103.  
  
Vulnerable are all versions of Tag cloud for Social Web CMS.  
  
Vulnerable are Animated tag cloud for PHP-Fusion version 1.4 and previous   
versions.  
  
Vulnerable are 3D Advanced Tags Clouds for Magento version 2.0.0 and   
previous versions.  
  
Vulnerable are all versions of Cumulus for Sweetcron.  
  
Besides these ones and those which I've disclosed in 2009-2011, a lot of   
other such plugins for other engines can be vulnerable.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E  
  
The code executes after a click; it is strictly social XSS. It is also  
possible (as in WP-Cumulus) to conduct an HTML Injection attack.  
  
HTML Injection (WASC-12):  
  
http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E  
  
-------------------------------------------------  
Plugins with fixed version of swf-file:  
-------------------------------------------------  
  
Because in November 2009, after I informed him, Roy Tanck (developer of  
WP-Cumulus) fixed only the XSS vector, but not the HTML Injection vector, it  
is still possible to conduct HTML Injection attacks (injecting arbitrary  
links) against all versions of this swf-file (which can be found under the  
name tagcloud.swf and other names), including the fixed version of the  
swf-file with the XSS hole closed.  
  
So all those plugins whose developers fixed this vulnerability (after I  
informed them, or after being informed by Roy or other people) by updating  
the swf-file are still vulnerable to HTML Injection.  
  
------------  
Timeline:  
------------  
  
2011.08.31 - disclosed at my site (about plugins for RapidWeaver, Habari,  
DasBlog, eZ Publish and EE).  
2011.09.01 - disclosed at my site (about plugins for Serendipity, Social Web   
CMS, PHP-Fusion, Magento and Sweetcron).  
2011.09.02 - started informing all developers of ten plugins.  
  
I mentioned these vulnerabilities at my site:  
http://websecurity.com.ua/5240/  
http://websecurity.com.ua/5353/  
http://websecurity.com.ua/5356/  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  

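As an added defensive example (not part of the advisory above or of any of the plugins it names): a log scan that flags requests to tagcloud.swf whose `tagcloud` parameter carries a link with a non-web scheme (the XSS vector) or an off-site link (the HTML Injection vector that the updated swf still accepts). The log lines, the site host `example.com` and the path `/plugins/wp-cumulus/` are constructed for the example.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample access-log lines (not from the advisory); the query strings
# follow the shape of the advisory's two PoC URLs, hosts and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Sep/2011:10:00:01 +0000] "GET /plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 1234
203.0.113.11 - - [11/Sep/2011:10:00:02 +0000] "GET /plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://attacker.invalid/'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 1234
203.0.113.12 - - [11/Sep/2011:10:00:03 +0000] "GET /plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://example.com/tag/php'%3Ephp%3C/a%3E%3C/tags%3E HTTP/1.1" 200 1234
203.0.113.13 - - [11/Sep/2011:10:00:04 +0000] "GET /plugins/wp-cumulus/tagcloud.swf HTTP/1.1" 200 1234
"""

REQUEST_RE = re.compile(r'"GET\s+(\S+)\s+HTTP/')


def classify_tagcloud_xml(tagcloud_xml: str, site_host: str) -> str:
    """Return 'ok', 'xss', 'html_injection' or 'malformed' for a decoded tagcloud value."""
    try:
        root = ET.fromstring(tagcloud_xml)  # a real parser also decodes &#106;avascript:
    except ET.ParseError:
        return "malformed"  # the plugin itself always emits well-formed <tags>...</tags>
    verdict = "ok"
    for anchor in root.iter("a"):
        href = re.sub(r"[\x00-\x20]", "", anchor.get("href", ""))  # "java\tscript:" -> scheme
        parts = urllib.parse.urlsplit(href)
        if parts.scheme not in ("", "http", "https"):
            return "xss"  # javascript:, data:, vbscript:, ... (the vector fixed in 2009)
        if parts.hostname is not None and parts.hostname != site_host:
            verdict = "html_injection"  # off-site link: the vector left open in the swf
    return verdict


def scan_log(log_text: str, site_host: str) -> list:
    """Return (client_ip, verdict) for each tagcloud.swf request with a hostile tagcloud value."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urllib.parse.urlsplit(match.group(1))
        if not url.path.endswith("/tagcloud.swf"):
            continue
        values = urllib.parse.parse_qs(url.query).get("tagcloud")  # %XX- and +-decoded
        if not values:
            continue
        verdict = classify_tagcloud_xml(values[0], site_host)
        if verdict != "ok":
            findings.append((line.split()[0], verdict))
    return findings
```

Run `scan_log(SAMPLE_LOG, "example.com")` to see the two hostile requests flagged; the same classifier can be applied to the `tagcloud` value a plugin passes into the swf before it is emitted.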