Joomulus Updated

Joomulus has been updated and fixes a possible XSS attack vulnerability.

Please download the update now, and please ensure that all Tag URLs you enter into the module parameters include http:// at the start, i.e. they should not begin with www.


How was Joomulus Vulnerable To Cross-Site Scripting?

Joomulus uses SWFObject.js to embed the Flash movie and pass flashvars; both Adobe and Google recommend and support this approach.

Flashvars are a way of communicating information from your HTML page to the nifty little Joomulus.swf. PHP outputs your tags, JavaScript passes them along to ActionScript, and ActionScript gives you the animated Joomulus tag cloud. The Joomulus tags are passed as HTML links (the TAGs) to the Joomulus swf. If you really know your stuff you could pass JavaScript along in the link of a TAG.

You may not want to do this, but a malicious person could embed the swf from your site (let's call it site A) on another site (site B). They could then manipulate the tags and URLs, NOT on your site but on site B, and could possibly grab your session ID and access your Joomla site with it (theoretically; no instances of this have been reported in the wild to date).

This could all be fixed with a clever .htaccess file that stops the swf loading on other domains. However, the most recent Joomulus won't activate links that don't start with http, which stops the execution of JavaScript or VBScript on site A and site B. The tag will still get rendered (be viewable) but won't be clickable, thus stopping any script from executing. No sensitive information is passed to Joomulus, but it is still recommended to update. Also remember to use http:// for all your links (if you weren't already).
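The check described above, written out as an added example that is not Joomulus's own code: only tag URLs that really start with http are turned into links for the flashvars, everything else is still rendered as plain text, and tag names and URLs are HTML-escaped before they reach the swf. The `<a href>` link markup and the `tcloud` flashvar name are assumptions for illustration.

```javascript
// Added example (not from the Joomulus module): build the tag links handed to
// SWFObject so that only http links are activated, as the update describes.

// A link is activated only when it starts with http:// or https://. The value
// is trimmed and matched case-insensitively so leading whitespace or mixed
// case cannot turn a non-http scheme into something that "starts with http".
function isActivatableUrl(url) {
  return /^https?:\/\//i.test(String(url).trim());
}

// Minimal HTML escaping for text and attribute values placed in the markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// One piece of markup per tag: a link when the URL passes the check, otherwise
// the tag name alone, so it is still visible in the cloud but not clickable.
function buildTagLinks(tags) {
  return tags.map(({ name, url }) => {
    const text = escapeHtml(name);
    return isActivatableUrl(url)
      ? `<a href="${escapeHtml(String(url).trim())}">${text}</a>`
      : `<span>${text}</span>`;
  });
}

// The flashvars object for SWFObject ("tcloud" is an assumed name). The markup
// is URL-encoded so the swf receives it intact through the flashvars string.
function buildFlashvars(tags) {
  return { tcloud: encodeURIComponent(buildTagLinks(tags).join("")) };
}

// Constructed sample module parameters, including the two kinds of value the
// update refuses to activate: a bare www. URL and a script-scheme URL.
const SAMPLE_TAGS = [
  { name: "Joomla", url: "http://example.com/tag/joomla" },
  { name: "Templates", url: "www.example.com/tag/templates" },
  { name: "Cloud <3", url: " javascript:alert('x')" },
];
```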

For The Future
Chinese and Japanese language support is coming, folks. A K2 version of Joomulus should also be out in the next week. It's already built and in use on a live site, but we want to run a few more tests before releasing it. The K2 prototype can be seen running on Wordwolf, where you can see it pulling in the K2 content tags.

Roy Tanck has built a prototype for WordPress that supports Unicode, and we have embedded it below.

NOTE: This is NOT the updated version we are releasing today. The updated version is a security update; stay tuned for new feature releases in April.


 Add your comment
  1. I installed Joomulus; Unicode is still not working.
    I had the old version and now simply installed the new one; maybe this is why?
    Thank you.

  2. I am new to Joomla and have installed your Joomulus and it works well for what it is. I also have a site with WordPress and this cloud is automatically updated with tags. Is this what your next version will be? I'm not sure what K2 is, but I'll do some reading on it. Thanks for the mod. 🙂

  3. Thanks for updating the current version. It is really great when developers take security issues seriously.

    thanks again!

  4. I've installed the patch; it works fine, thank you! For future releases, what about a 'colour option' (an option to define not only name, URL, and size, but also the text colour, for each tag)? Even without that, one of my favourite extensions!

  5. How did you get all of the different languages to show up in the sample at the top of these comments? I'd like to use a variety of languages.

  6. Hi,
    I would like to repeat the same question that Grover has asked: how did you get all of the different languages to show up in the sample?
    I'm trying to show the tag cloud in Hindi (India's national language), but Joomulus is not showing any tags.

    • Hi again Rashmirathi,
      this is coming, but it's not necessarily a total solution. It will work for anyone with the correct languages enabled on their computer, so it should be fine for 98% of a site's user base. It is coming! I promise. Roy Tanck is away at the moment; I know he and another PHP developer have been ironing out some bugs on the WordPress version.

  7. Hi, I need to change the FONT FAMILY.

    INI-FILES !?
    # $Id: en-GB.mod_joomulus.ini Version 2009-01-13 17:15:19Z name $
    # License GNU/GPL

    DESC_JOOMULUS=Joomulus allows you to display your site’s tags using a Flash movie that rotates them in 3D. It works just like a regular tags cloud, but is more visually exciting. This is an IE6 proof version of Joomulus using user defined tags only. This cuts down on server load and is much more reliable
    ##### Module Parameters
    MODULE_CLASS_SUFFIX=Module Class Suffix

    DESC_LANGUAGE=Choose language encoding type

    LOAD_SWFOBJECT=Use swfobject
    DESC_LOAD_SWFOBJECT=Use javascript to embed flash. Doing so avoids the IE active-X

    DISPLAY_WIDTH=Display width

    DISPLAY_HEIGHT=Display height

    SCALE_X=Scale X
    DESC_SCALES_X=Scales the width of tagcloud by factor i. If scale_x = scale_y the tagcloud is round, otherwise oval

    SCALE_Y=Scale Y
    DESC_SCALES_Y=Scales the height of tagcloud by factor i. If scale_x = scale_y the tagcloud is round, otherwise oval

    TEXT_COLOR_1=Text Color 1
    DESC_COLOR_1=Text Color 1
    TEXT_COLOR_2=Text Color 2
    DESC_COLOR_2=Text Color 2

    HIGHLIGHT_COLOR=Highlight Color
    DESC_HIGHLIGHT=Set a highlight color (shown if tag is selected).

    FONT_TYPE=Font type
    DESC_FONT=Select your preferred font type

    BACKGROUND_COLOR=Background Color
    DESC_BACKGROUND_COL=Background color of flash movie.

    DESC_SPEED=Speed of the text movement. Warning: if it’s set very high it’ll become hard to select tags.

    • Hi Sam,
      Do you have FTP access to your site? Or access to a file manager? Otherwise I think there is a component called Joomla Explorer which allows you to tamper with your site's files; use at your own risk.

  8. Well, a perfect module, works like a charm out of the box (the only one unmodified on my forum).
    BTW: I had to set margin-top:-20px on the object in CSS to centre the tag cloud vertically.
    Just a little remark: there is a … around the raw URLs which is not at all W3C compliant. I'm sure there is a better way to do it, using an id for example.

  9. I am using K2 and I don't know if I am doing something wrong, but I don't see the advanced parameters, i.e. like with the regular mod.

  10. Hi,
    Nice module.

  11. Hi,

    Thanks for the security update. Any news on the Chinese language version release date?
  12. On my previous message, the non-W3C tags were removed: it is and
    A suggestion: I made a very simple (and I think useful) change in the code (admin). If you leave the URLs empty in custom tags, it uses the tag's name to build a keyword search URL. If you use a full URL, the link is used as usual.

  13. Hello how are you?

    I really would like to change the background of my Joomulus. I cannot change the default FFFFFF, and instead of a colour I want to display an image. Can that be done, or is it impossible? I tried playing with the index.html and the XML, but it is impossible. Can you tell me how I can do it?

    Thank you very much. Greetings

  14. Hi folks,
    the installation was successful and the cloud is very nice. But I have a question. Is it possible to show the cloud in an article?

    Thanks and greets

  15. Nice module, great work!
    Very useful for me, many thanks!
