Joomulus Updated
Joomulus has been updated to fix a possible cross-site scripting (XSS) vulnerability.
Please download the update now, and make sure that every tag URL you enter into the module parameters begins with http://; a URL must not begin with www.
How Was Joomulus Vulnerable to Cross-Site Scripting?
Joomulus uses SWFObject.js to embed the Flash movie and to pass it flashvars; this is the embedding method both Adobe and Google recommend and support.
Flashvars are the channel for passing information from your HTML page to the little Joomulus.swf. PHP outputs your tags into the page, JavaScript hands them on as flashvars, and the ActionScript inside the movie turns them into the animated Joomulus tag cloud. Each tag is passed to the swf as an HTML link. Because the movie did not check what the link's URL contained, anyone who knows their way around Flash could supply a javascript: (or vbscript:) URL as a tag, and the browser would run that script when the tag was clicked.
You would not do this to your own site, but a malicious person could embed the swf from your site (call it site A) into a page on another site (site B) and supply their own flashvars there, so the tags and URLs are manipulated on site B, NOT on your site. Whoever clicked such a tag could, in theory, have their session ID taken and used to access your Joomla site (theoretically; no instances of this have been reported in the wild to date).
One way to address this would be a clever .htaccess rule that stops the swf loading on other domains, though such a rule can only key on the client-supplied Referer header, which is easy to omit. Instead, the most recent Joomulus simply refuses to activate any link whose URL does not start with http. That blocks JavaScript and VBScript URLs whether the movie is embedded on site A or on site B: the tag is still rendered (viewable) but is not clickable, so no script can execute. No sensitive information is passed to Joomulus, but updating is still recommended. Also remember to use http:// for all your links (if you were not already); since the check is a prefix test on http, https:// links pass it as well.
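The rule the update applies, together with the plumbing the post describes (tags flow from the page into flashvars and come back out as links), as an added example in plain JavaScript. This is not Joomulus's own code: the function names, the flashvar name `tags`, and the sample tags are assumptions made for the example, and it goes a little beyond the post by trimming whitespace before the prefix test and by HTML-escaping tag text.

```javascript
// Added example; not Joomulus's own code. Runs in Node or a browser.
// Names (tagHref, renderTag, buildFlashvars, the "tags" flashvar) are
// assumptions for this example; the real module's variable names are not
// shown on the page.

// Only absolute http:// or https:// URLs may become clickable links.
// An allowlist of schemes is safer than a blocklist of "javascript:" and
// "vbscript:" because it also rejects data:, file:, scheme-less "www.x.com"
// and scheme-obfuscation tricks (mixed case, embedded tabs or newlines).
const SAFE_SCHEME = /^https?:\/\//i;

// Return the URL to link to, or null if the tag must be rendered unlinked.
function tagHref(url) {
  if (typeof url !== "string") return null;
  // Browsers ignore leading/trailing whitespace and control characters when
  // parsing a URL, so trim them before testing the prefix; otherwise
  // "\tjavascript:alert(1)" would pass a naive "does it start with
  // javascript:" blocklist yet still execute once clicked.
  const cleaned = url.replace(/^[\s\u0000-\u001f]+|[\s\u0000-\u001f]+$/g, "");
  return SAFE_SCHEME.test(cleaned) ? cleaned : null;
}

// Minimal HTML escaping for tag text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render one tag: a link when the URL is safe, plain text otherwise
// ("still rendered, but not clickable").
function renderTag(tag) {
  const href = tagHref(tag.url);
  const text = escapeHtml(tag.name);
  return href === null
    ? `<span class="tag">${text}</span>`
    : `<a class="tag" href="${escapeHtml(href)}">${text}</a>`;
}

// Build the flashvars string handed to SWFObject. The value is
// percent-encoded so a tag name or URL containing '&' or '=' cannot inject
// additional variables into the movie.
function buildFlashvars(tags) {
  const html = tags.map(renderTag).join("");
  return "tags=" + encodeURIComponent(html);
}

// Constructed sample input: two legitimate tags, two hostile ones, and one
// that is merely misconfigured (no http:// prefix).
const SAMPLE_TAGS = [
  { name: "Joomla", url: "http://example.com/tags/joomla" },
  { name: "Secure", url: "https://example.com/tags/secure" },
  { name: "click me", url: "javascript:alert(document.cookie)" },
  { name: "vb", url: " VBScript:MsgBox(1)" },
  { name: "www link", url: "www.example.com/tags/www" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildFlashvars(SAMPLE_TAGS));
}
```

Note that the `www link` tag is rendered unlinked for the same reason the hostile ones are, which is exactly why the post asks for http:// on every tag URL.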
For The Future
Chinese and Japanese language support is coming, folks. A K2 version of Joomulus should also be out in the next week. It is already built and in use on a live site, but we want to run a few more tests before releasing it. The K2 prototype can be seen running on Wordwolf, where you can see it pulling in the K2 content tags.
Roy Tanck has built a prototype for WordPress that supports Unicode, and we have embedded it below.
NOTE: This is NOT the updated version we are releasing today. Today's update is a security update; stay tuned for new feature releases in April.



[...] Joomulus has been updated, this is a security patch and all users are advised to upgrade. The more exciting news is that we have a K2 Joomulus prototype already developed and in use on a client site. This is driven by the K2 tagging system as opposed to manually entering tags. We will be releasing this in the coming weeks after a little more testing. We have also been hard at work on an enhanced solution to provide better support for other languages and character sets. This is also extremely close and you can read more about both these upcoming releases, the security patch and get your download link here. [...]
I installed Joomulus; Unicode is still not working.
I had the old version and now simply installed the new one, maybe this is why?
Thank you.
I am new to Joomla and have installed your Joomulus, and it works well for what it is. I also have a site with WordPress, and this cloud is automatically updated with tags. Is this what your next version will be? I'm not sure what K2 is, but I'll do some reading on it. Thanks for the mod.
Thanks for updating the current version. It is really great when developers take security issues seriously.
thanks again!
I’ve installed the patch – works fine, thank you! For future releases, what about a ‘colour option’ (option to define not only name, url, and size, but also the text color, for each tag). Even without that, one of the my favorite extensions!
How did you get all of the different languages to show up in the sample at the top of these comments? I'd like to use a variety of languages.
Hi,
I would like to repeat the same question that Grover has asked: how did you get all of the different languages to show up in the sample?
I'm trying to show a tag cloud in Hindi (India's national language), but Joomulus is not showing any tag.
hi, need to change the FONT FAMILY
INI-FILES !?
# $Id: en-GB.mod_joomulus.ini Version 1.0.7.3 2009-01-13 17:15:19Z name $
# License http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL
DESC_JOOMULUS=Joomulus allows you to display your site’s tags using a Flash movie that rotates them in 3D. It works just like a regular tags cloud, but is more visually exciting. This is an IE6 proof version of Joomulus using user defined tags only. This cuts down on server load and is much more reliable
##### Module Parameters
MODULE_CLASS_SUFFIX=Module Class Suffix
LANGUAGE=Language
DESC_LANGUAGE=Choose language encoding type
LOAD_SWFOBJECT=Use swfobject
DESC_LOAD_SWFOBJECT=Use javascript to embed flash. Doing so avoids the IE active-X
WIDTH=Width
DISPLAY_WIDTH=Display width
HEIGHT=Height
DISPLAY_HEIGHT=Display height
SCALE_X=Scale X
DESC_SCALES_X=Scales the width of tagcloud by factor i. If scale_x = scale_y the tagcloud is round, otherwise oval
SCALE_Y=Scale Y
DESC_SCALES_Y=Scales the height of tagcloud by factor i. If scale_x = scale_y the tagcloud is round, otherwise oval
TEXT_COLOR_1=Text Color 1
DESC_COLOR_1=Text Color 1
TEXT_COLOR_2=Text Color 2
DESC_COLOR_2=Text Color 2
HIGHLIGHT_COLOR=Highlight Color
DESC_HIGHLIGHT=Set a highlight color (shown if tag is selected).
FONT_TYPE=Font type
DESC_FONT=Select your preferred font type
BACKGROUND_COLOR=Background Color
DESC_BACKGROUND_COL=Background color of flash movie.
SPEED=Speed
DESC_SPEED=Speed of the text movement. Warning: if it’s set very high it’ll become hard to select tags.
PLS ADVISE
URGENT AND SUCH
thx
sam
Hi Sam,
Do you have FTP access to your site? Or access to a file manager? Otherwise I think there is a component called Joomla Explorer which allows you to tamper with your site's files; use at your own risk.
Hi again Rashmirathi,
This is coming, but it's not necessarily a total solution. It will work for anyone with the correct languages enabled on their computer, so it should be fine for 98% of a site's user base. It is coming! I promise. Roy Tanck is away at the moment; I know he and another PHP developer have been ironing out some bugs on the WordPress version.