Possible CSRF in Catcloud
Update: This plugin is no longer maintained. I'd recommend using WordPress' built-in tag cloud functionality or the Simple Tags plugin instead.
Alex over at http://www.buayacorp.com posits (in Spanish) that catcloud is vulnerable to cross-site request forgeries (CSRF) - he may well be right. I've asked him for more information.
Amusingly enough, despite having catcloud on his list of plugins that he doesn't recommend, his site uses catcloud. I hope that this implies that he has a fixed version installed on his site.
I need to give the catcloud code a good cleaning - now seems like a good time. :)
p.s. A Google translation of his post is here.
Posted on Tuesday, April 17th, 2007 at 8:10
April 17th, 2007 at 11:11
I'm currently using many plugins on the list; I've fixed most of them, but some are still vulnerable :(
I've sent you details about catcloud's bug. If you have any questions, please drop me an email.
February 18th, 2008 at 18:52
[...] work for far too long, I've finally fixed the security hole in catcloud that is mentioned here. I've also fixed the very lazily written code that grabbed the list of categories for display [...]