A client's security team have recently done some testing on their website, which uses a Cumulus tag cloud. They have pointed out this vulnerability and have asked us to resolve it. I was wondering if you knew of the problem and if there is a way to fix it:
Cross Site Scripting (XSS) vulnerabilities allow attackers to embed arbitrary HTML or JavaScript code in the context of a trustworthy webpage. The embedding happens on the client side, meaning that not the webserver, but the browser of the user gets attacked.
The tag cloud's content is specified entirely using a flashvars parameter.
The tagcloud FlashVars parameter defines an XML structure using HTML anchor tags. The text contents of the anchor tags provide the names of the tags in the cloud to show, and the anchor tag's href attribute the destination to open when such a tag is clicked. Opening the Flash application directly and adding the FlashVars to the URL allows one to change the text for the tags as well as the destination when such a tag is clicked. By using a JavaScript handler, it is also possible to run arbitrary JavaScript commands when a tag is clicked.
Proposed Solutions:
Parameters passed as FlashVars should never be used unfiltered by the flash application. They are manipulable by the user in the same way as HTTP GET parameters and can be passed directly to the Flash application. Their contents therefore need to be checked thoroughly before usage.
I have stopped using the application on HTTPS pages to keep them happy for now, but as this is used on a website for a very large company, their security team are not going to let this go (and the client doesn't want to lose their Flash tag cloud!).
Thanks in advance for any help!
Comments
Comment #1
webflo commented: The latest version accepts absolute URLs (from the current domain) only. This should be fixed in c5bcf89.
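The check that comment #1 describes (accept absolute URLs from the current domain only), written out here as an added JavaScript example rather than the module's own ActionScript: it pulls the anchor list out of a constructed FlashVars payload and keeps only hrefs that are absolute http(s) URLs on the site's own host, which also discards the javascript: handler the report describes. The names filterTagCloud, isAllowedHref and the sample XML are assumptions of this example, not code from the Cumulus project.

```javascript
// Added example (not the Cumulus module's own ActionScript): validating the
// anchor hrefs carried in the tag cloud's FlashVars XML before they are used.
// Rule, as in comment #1: accept absolute URLs on the current domain only.
// Relative paths, other hosts and javascript: pseudo-URLs are all dropped.

const ANCHOR_RE = /<a\s+[^>]*?href\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>([\s\S]*?)<\/a>/gi;

// Decode the few entities that can legitimately appear in attribute values
// (&amp; last, so "&amp;lt;" does not turn into "<").
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// True only for an absolute http(s) URL whose host is exactly `currentHost`.
function isAllowedHref(href, currentHost) {
  let url;
  try {
    url = new URL(decodeEntities(href.trim())); // relative URLs throw here
  } catch (e) {
    return false;
  }
  // Scheme allowlist: this is what rejects javascript:, data:, vbscript:, ...
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Compare the parsed hostname, not the raw string, so "user@host" and
  // "host.example.com.evil.net" tricks do not pass a prefix check.
  return url.hostname.toLowerCase() === currentHost.toLowerCase();
}

// Parse the FlashVars tagcloud XML and split tags into accepted / rejected.
function filterTagCloud(xml, currentHost) {
  const accepted = [];
  const rejected = [];
  ANCHOR_RE.lastIndex = 0; // global regex keeps state between calls
  let m;
  while ((m = ANCHOR_RE.exec(xml)) !== null) {
    const href = m[1] !== undefined ? m[1] : m[2];
    const label = m[3].replace(/<[^>]*>/g, '').trim(); // text only, no nested markup
    (isAllowedHref(href, currentHost) ? accepted : rejected).push({ label, href });
  }
  return { accepted, rejected };
}

// Constructed sample FlashVars payload (not taken from the report); the last
// three entries are the kinds of values the SWF must refuse.
const SAMPLE_XML = [
  '<tags>',
  '<a href="https://www.example.com/taxonomy/term/1">drupal</a>',
  "<a href='http://www.example.com/taxonomy/term/2'>flash</a>",
  '<a href="/taxonomy/term/3">relative</a>',
  '<a href="https://attacker.example.net/">offsite</a>',
  '<a href="javascript:alert(1)">script</a>',
  '</tags>',
].join('\n');

const result = filterTagCloud(SAMPLE_XML, 'www.example.com');
console.log('accepted:', result.accepted.map(t => t.label)); // [ 'drupal', 'flash' ]
console.log('rejected:', result.rejected.map(t => t.label)); // [ 'relative', 'offsite', 'script' ]
```

Because the report notes the SWF can be opened directly with attacker-supplied FlashVars, this check has to live in whatever consumes the FlashVars (the Flash application itself); filtering only on the Drupal side when generating the embed does not close the hole. Note also that the same-domain rule is why relative hrefs from tagadelic stop working with the patched SWF, which is the symptom comment #3 reports.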
Comment #3
karengrey commented: Hi Webflo,
I put the new .swf on my site (changed name from tagcloud.swf to cumulus.swf) but the tags are no longer highlighted when they hover over them and are no longer clickable.
Do any changes need to be made to the tagadelic module, as I'm assuming the 'tagadelic_get_weighted_tags' function passes back relative URLs, not absolute.
I also changed:
widget_so.addParam("allowScriptAccess", "always");
to
widget_so.addParam("allowScriptAccess", "sameDomain");
Comment #4
David_Rothstein commented: For future reference, please do not report security issues like this in the public issue queue of a module with a stable release. Instead, use the procedure for reporting a security issue privately (http://drupal.org/node/101494), which is linked to from the issue creation form.
For this particular cross-site scripting issue, the report here was not the first public disclosure (it had actually been disclosed elsewhere on the internet previously), but either way, the principle is the same.
A new official release of the module containing this security fix has now been made (see SA-CONTRIB-2011-049). Since the original security fix is complete, I'm marking this issue closed for now. If there are other non-security-related bugs with the new cumulus.swf file, separate issues can be created for those, of course.