Opened 10 years ago

Closed 9 years ago

Last modified 8 years ago

#10478 closed defect (fixed)

several security vulnerabilities found in dojox and dijit

Reported by: Pierre Ernst
Owned by: anonymous
Priority: high
Milestone: 1.4.1
Component: General
Version: 1.3.2
Keywords:
Cc:
Blocked By:
Blocking:

Description

I may have found several security vulnerabilities in dojox and dijit.
Please provide a way to responsibly disclose them privately.

Thanks

Change History (31)

comment:1 Changed 10 years ago by James Burke

I have sent an inquiry to the person who opened this ticket for more information.

comment:2 Changed 10 years ago by Jared Jurkiewicz

(In [21037]) Fix for potential reflected XSS in some dojox test php files. Only affects php servers and deployments of dojo that include the tests. Fix is escapement of user input to avoid script tag insertion. Also limits opensearch demo php file to redirect only to noted services. refs #10478

comment:3 Changed 10 years ago by Jared Jurkiewicz

(In [21038]) Fix for potential reflected XSS in some dojox test php files. Only affects php servers and deployments of dojo that include the tests. Fix is escapement of user input to avoid script tag insertion. Also limits opensearch demo php file to redirect only to noted services. refs #10478

comment:4 Changed 10 years ago by Jared Jurkiewicz

(In [21040]) Fix for potential reflected XSS in some dojox test php files. Only affects php servers and deployments of dojo that include the tests. Fix is escapement of user input to avoid script tag insertion. refs #10478

comment:5 Changed 10 years ago by Jared Jurkiewicz

Also: [21039]
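The two fixes named in the commit messages above (escaping reflected user input in the dojox test PHP files, and limiting the OpenSearch demo redirect to a fixed set of services) are shown side by side below as an added example. This is not Dojo's code and not the patched test files themselves; the function names, the `$ALLOWED_SERVICES` map and the service URLs in it are assumptions made for illustration.

```php
<?php
// Added example, not Dojo's own code. Illustrates the two fixes described in
// the commits above for the dojox test/demo PHP files: (1) escaping user input
// before echoing it into the page, and (2) restricting an OpenSearch-style
// redirect to an allowlist of known services. The names render_vulnerable,
// render_fixed, redirect_fixed and $ALLOWED_SERVICES are hypothetical.

// --- (1) Reflected XSS ---------------------------------------------------

// Vulnerable pattern: the query parameter is echoed verbatim, so a request
// with ?q=<script>alert(1)</script> reflects the payload as live markup.
function render_vulnerable(string $q): string {
    return "<p>You searched for: " . $q . "</p>";
}

// Fixed pattern: HTML-escape the value before it reaches the page.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// single-quoted attributes; the charset is explicit so the escaper and the
// page agree on encoding.
function render_fixed(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>You searched for: " . $safe . "</p>";
}

// --- (2) Open redirect in the OpenSearch demo ---------------------------

// Hypothetical allowlist: only redirect to these known services. Anything
// else, including javascript: URLs or attacker-controlled hosts passed in a
// query parameter, is refused.
$ALLOWED_SERVICES = [
    'wikipedia' => 'https://en.wikipedia.org/w/index.php?search=',
    'google'    => 'https://www.google.com/search?q=',
];

// Returns the redirect target, or null if the service is not allowlisted.
// The user-supplied search term is URL-encoded rather than concatenated raw,
// so it cannot smuggle extra path or query components into the target.
function redirect_fixed(array $allowed, string $service, string $term): ?string {
    if (!array_key_exists($service, $allowed)) {
        return null;
    }
    return $allowed[$service] . rawurlencode($term);
}

// Typical use from a test page (query parameters are untrusted input):
//   $q = $_GET['q'] ?? '';
//   echo render_fixed($q);
//   $target = redirect_fixed($ALLOWED_SERVICES, $_GET['service'] ?? '', $q);
//   if ($target === null) { http_response_code(400); exit; }
//   header('Location: ' . $target);
```

The allowlist keys by service name rather than by URL, which is the shape "redirect only to noted services" implies: the user picks a name, the server owns the destination, and no part of the destination origin comes from the request. Escaping on output (`render_fixed`) is the right layer for the XSS fix; validating on input would not help a test page that echoes arbitrary search strings by design.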

comment:6 Changed 10 years ago by James Burke

Milestone: tbd → 1.4.1

Let's try to wrap this one up for 1.4.1

comment:7 Changed 10 years ago by Mike Wilcox

(In [21119]) Refs #10478 - Security update part 1 - Moved php files from resources to tests. Added comments in test files indicating change. File names not yet changed.

comment:8 Changed 10 years ago by Mike Wilcox

(In [21120]) Refs #10478 - Security update part 2 - Renamed php files, adding .disabled.

comment:9 Changed 10 years ago by Mike Wilcox

(In [21121]) Refs #10478 - Security update part 2 - trunk - Renamed php files, adding .disabled. Added comments in test files indicating change.

comment:10 Changed 10 years ago by Mike Wilcox

(In [21122]) Refs #10478 - Security update part 2 - trunk - Renamed php files, adding .disabled. Added comments in test files indicating change.

comment:11 Changed 10 years ago by Jared Jurkiewicz

(In [21131]) More fixes for possible XSS reflection. refs #10478

comment:12 Changed 10 years ago by Jared Jurkiewicz

(In [21132]) Fixing a typo. refs #10478

comment:13 Changed 10 years ago by Jared Jurkiewicz

(In [21133]) More fixes for possible XSS reflection. refs #10478

comment:14 Changed 10 years ago by Jared Jurkiewicz

(In [21134]) More fixes for possible XSS reflection. refs #10478

comment:15 Changed 10 years ago by Jared Jurkiewicz

(In [21135]) More fixes for possible XSS reflection. refs #10478

comment:16 Changed 10 years ago by Mike Wilcox

(In [21142]) Refs #10478 - Prevent FLV from playing in a browser without a widget wrapper.

comment:17 Changed 10 years ago by Mike Wilcox

(In [21143]) Refs #10478 - Prevent FLV from playing in a browser without a widget wrapper.

comment:18 Changed 9 years ago by Adam Peller

ok to close this one?

comment:19 Changed 9 years ago by James Burke

Resolution: fixed
Status: new → closed

Yes, the issues were resolved as part of 1.4.1

comment:20 Changed 9 years ago by James Burke

(In [21469]) Refs #10478

comment:21 Changed 9 years ago by James Burke

(In [21470]) Refs #10478

comment:22 Changed 9 years ago by James Burke

(In [21471]) Refs #10478

comment:23 Changed 9 years ago by James Burke

(In [21481]) Refs #10478

comment:24 Changed 9 years ago by James Burke

(In [21483]) Refs #10478

comment:25 Changed 9 years ago by James Burke

(In [21489]) Refs #10478, for builds make mini option true by default so things like php files and demos are not copied, to reduce exposure to risk in the future.

comment:26 Changed 9 years ago by James Burke

(In [21490]) Refs #10478, for builds make mini option true by default so things like php files and demos are not copied, to reduce exposure to risk in the future. !strict

comment:27 Changed 9 years ago by Mike Wilcox

(In [21495]) Refs #10478 - patches in AS3 files to fix security vulnerability.

comment:28 Changed 9 years ago by Mike Wilcox

(In [21496]) Refs #10478 - patches in JS files and SWF to fix security vulnerability.

comment:29 Changed 9 years ago by James Burke

(In [21499]) Refs #10478

comment:30 Changed 9 years ago by James Burke

(In [22331]) Adding in a bit extra protection for good measure, refs #10478

comment:31 Changed 8 years ago by Kenneth G. Franqueiro

(In [23823]) Removing cLOG.php which got committed with the new Upload, perhaps by accident. It is simply a copy of cLOG.php.disabled which is how we ship the test PHP files to mitigate security concerns (see #10478).
