This week an announcement was made on Seclist.org about an XSS and HTML Injection vulnerability in all the plugins that use the original tagcloud.swf from WP-Cumulus (which includes HB-Cumulus).

The XSS vulnerability was fixed a long long time ago in HB-Cumulus - 19 December 2009 to be precise - so if you are running HB-Cumulus 1.4 or earlier, you MUST upgrade.

The HTML Injection issue hasn't been and can't be resolved due to the way the plugin works. That said, I'm not sure this is really much of an issue.

In short, the way the tagcloud.swf works is it takes input in the form of a string (as an argument) or from an XML file. The only HTML tag that is used and accepted by the plugin is the <a> tag. This is how the tag cloud knows what to display and link to without actually having to rebuild the Flash file repeatedly.

Now the HTML injection vulnerability basically states that this "feature" allows anyone to set any link they like, which is correct and true. Now this could be used to insert links to malicious sites, but in order for that to happen the "hacker" would have to have control of the HTML page in which the tagcloud.swf is embedded, and would thus effectively be using the tagcloud.swf as it was designed.

This can NOT be used to exploit the security of the site hosting the tagcloud.swf file.

I have whipped up a rebuild of the tagcloud.swf that doesn't stop this issue (I can't, or else the plugin wouldn't work and everyone would need to recompile the tagcloud.swf every time they updated a post), but it does limit the effectiveness of the links by only displaying them if they link to a domain that is the same as that hosting the tagcloud.swf file.

I'll test this for a couple of days on my own sites (it's in place on this site already) and if I don't spot any problems, I'll release an updated version of HB-Cumulus with this updated file in it.
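
The same-domain restriction described above can be sketched as follows. This is an added example in JavaScript, not the ActionScript inside the rebuilt tagcloud.swf, and the post does not say how the SWF actually performs its comparison. The host URL, the function names and the sample tag string are all constructed for illustration.

```javascript
// Added example: same-host filter for tag cloud links (not the plugin's own code).
// HOST_PAGE and SAMPLE_TAGS are constructed values for illustration only.
const HOST_PAGE = "https://blog.example.org/wp-content/plugins/hb-cumulus/tagcloud.swf";

// True only if href resolves to an http(s) URL on exactly the same host as base.
function isSameHostLink(href, base) {
  let target, origin;
  try {
    origin = new URL(base);
    target = new URL(href, origin); // resolves relative and //host forms
  } catch (e) {
    return false; // unparseable input is rejected, not passed through
  }
  // Reject javascript:, data: and any other non-web scheme outright.
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  // Compare parsed hostnames; substring checks on the raw string are bypassable.
  return target.hostname === origin.hostname;
}

// Pull <a href='...'>label</a> entries out of a tag string and drop off-host links.
function filterTagCloud(tagString, base) {
  const anchor = /<a\s+[^>]*?href\s*=\s*(["'])(.*?)\1[^>]*>(.*?)<\/a>/gi;
  const kept = [];
  for (const m of tagString.matchAll(anchor)) {
    if (isSameHostLink(m[2], base)) kept.push({ href: m[2], label: m[3] });
  }
  return kept;
}

// Constructed input: two legitimate tags followed by links a naive check would let through.
const SAMPLE_TAGS = [
  "<a href='https://blog.example.org/tag/php'>php</a>",
  "<a href='/tag/flash'>flash</a>",                                // relative: same host
  "<a href='http://evil.test/'>other-host</a>",
  "<a href='https://blog.example.org.evil.test/'>suffix</a>",      // host only starts with ours
  "<a href='https://blog.example.org@evil.test/'>userinfo</a>",    // our name is the username part
  "<a href='//evil.test/x'>protocol-relative</a>",
  "<a href='javascript:void(0)'>scheme</a>",
].join("");

console.log(filterTagCloud(SAMPLE_TAGS, HOST_PAGE).map((t) => t.label));
```

Only the first two entries survive. The remaining five each fail a check that a plain "does the link contain my domain" test would pass.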