Joomulus has been updated and fixes a possible XSS attack vulnerability.
Please download the update now, and please ensure that all Tag URL’s you enter into the module parameters include http:// at the start, i.e. they should not begin with www.
How was Joomulus Vulnerable To Cross-Site Scripting?
Joomulus uses SWFObject.js to embed and pass flashvars, both Adobe and Google recommend and support this.
You may not want to do this, but a malicious person could embed the swf from your site (lets call it site A) to another site (site B). Then they could manipulate the tags and url, NOT on your site but on site B. Then the user could possibly grab your session ID and access your Joomla site via this (theoretically – no instances of this have been reported in the wild to date).
For The Future
Chinese and Japanese language support is coming folks. Also a K2 version of Joomulus should be out in the next week. It’s already built and in use on a live site, but we want to run a few more tests before releasing it. The K2 prototype can be seen running on Wordwolf – and you can see it is pulling in the K2 content tags.
Roy Tanck has built a prototype for WordPress that supports unicode and we have embedded this below.
NOTE: This is NOT the updated version we are releasing today – the updated version is a security update – stay tuned for new feature releases in April.