Changes between Version 1 and Version 3 of Ticket #10773


Timestamp:
Feb 22, 2010, 6:16:42 AM (11 years ago)
Author:
bill
Comment:

I'll check in a fix. Not sure which "encoding function" you are talking about but AFAICT we can just filter out special characters as they shouldn't be occurring in the strings, using replace(). (I did so and the tests all still pass.)

  • Ticket #10773

    • Property Owner changed from anonymous to bill
    • Property Status changed from new to assigned
  • Ticket #10773 – Description

    Between v1 and v3 the description changes only in markup: the "=====" separator lines become "----" rules, the code excerpts are wrapped in {{{ }}} blocks, and the "4. Recommendation" heading is moved between its rules. The description text (v3 form, with lines the diff view does not show marked "…"):

    ----

    Multiple DOM-Based XSS in Dojo Toolkit SDK
    …
    Severity: High

    ----
    1. Summary
    ----

    The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross platform, JavaScript/Ajax based applications and web sites.  Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK.  The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files.  These files are designed for testing, however a Google search identified numerous sites which have deployed these files along with the core framework components.
    …
    More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.

    ----
    2. Technical Details
    ----

    File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
    1) Data enters via "theme" URL parameter through the window.location.href property.
    Line 25:
    {{{
    var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
    }}}
      ..snip..

    2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
    Line 54:
    {{{
      ..snip..
    var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
    var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
    document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">'); document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
    }}}

    ----

    File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html
    1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property.
    Line 40:
    {{{
    var qstr = window.location.search.substr(1);
      ..snip..
    }}}

    2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
    Line 64:
    {{{
    document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");
      ..snip..
    document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");
    }}}

    ----
    3. Proof-of-Concept Exploit
    ----

    This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js.
    …
    (Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)

    ----

    This vulnerability can be exploited against any website that has deployed the runner.html file.
    …
    http://download.dojotoolkit.org/release-1.4.1/dojo-release-1.4.1/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>

    ----
    4. Recommendation
    ----

    A !JavaScript encoding function should be wrapped around the user-controllable variables to ensure that malicious data is properly encoded before rendering in the browser.
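An added example (not Dojo's code and not part of the ticket) of the fix direction the comment above describes for the _testCommon.js "theme" parameter: parse the query string the way Line 25 does, then strip every character that cannot appear in a theme directory name before the value reaches the `<link>` markup of Line 54. The function names, the default theme "tundra", the optional known-theme allow-list and the plain path join standing in for `d.moduleUrl` are assumptions; the tags are returned as strings so the logic can be checked outside a browser.

```javascript
// Constructed default used whenever the parameter is missing or rejected.
var DEFAULT_THEME = "tundra";

// Mirrors the page's Line 25: take everything after "?", drop any "#fragment",
// then look for the theme=... pair. Returns the raw, untrusted value.
function parseThemeParam(href) {
  var str = href.substr(href.indexOf("?") + 1).split(/#/)[0];
  var pairs = str.split("&");
  for (var i = 0; i < pairs.length; i++) {
    var kv = pairs[i].split("=");
    if (kv[0] === "theme") {
      return decodeURIComponent(kv[1] || "");
    }
  }
  return DEFAULT_THEME;
}

// Filter-with-replace(), as the comment suggests: a theme is a directory name
// under dijit/themes, so only letters, digits, "_" and "-" are kept. Quotes,
// angle brackets, slashes and dots (path traversal) are removed. If an
// allow-list of known themes is given, anything not on it falls back too.
function safeThemeName(theme, knownThemes) {
  var cleaned = theme.replace(/[^A-Za-z0-9_-]/g, "");
  if (!cleaned.length) return DEFAULT_THEME;
  if (knownThemes && knownThemes.indexOf(cleaned) === -1) return DEFAULT_THEME;
  return cleaned;
}

// Builds the two <link> tags of Line 54 from the cleaned name only.
// moduleBase + "/dijit/themes/" is an assumed stand-in for d.moduleUrl().
function themeLinkTags(theme, moduleBase, knownThemes) {
  var name = safeThemeName(theme, knownThemes);
  var css = moduleBase + "/dijit/themes/" + name + "/" + name + ".css";
  var cssRtl = moduleBase + "/dijit/themes/" + name + "/" + name + "_rtl.css";
  return [
    '<link rel="stylesheet" type="text/css" href="' + css + '">',
    '<link rel="stylesheet" type="text/css" href="' + cssRtl + '">'
  ];
}
```

The same pattern applies to runner.html: validate `dojoUrl` and `testUrl` against what a script path may contain before they are written into a `<script src>`, rather than escaping after the fact.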