Opened 12 years ago

Last modified 11 years ago

#10773 closed defect

Multiple DOM-Based XSS in Dojo Toolkit SDK — at Initial Version

Reported by: bix Owned by: anonymous
Priority: blocker Milestone: 1.4.2
Component: General Version: 1.4.0
Keywords: DOM XSS Cc:
Blocked By: Blocking:

Description

===========================================================

Multiple DOM-Based XSS in Dojo Toolkit SDK Adam Bixby - Gotham Digital Science ([email protected]…)

Affected Software: Dojo Toolkit SDK <= Build 1.4.1rc1

Browser used for testing: IE8 (8.0.7600.16385)

Severity: High

===========================================================

  1. Summary

===========================================================

The Dojo Toolkit is an open source modular JavaScript? library/toolkit designed to ease the rapid development of cross platform, JavaScript/Ajax? based applications and web sites. Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK. The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files. These files are designed for testing, however a Google search identified numerous sites which have deployed these files along with the core framework components.

More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.

===========================================================

  1. Technical Details

===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js 1) Data enters via "theme" URL parameter through the window.location.href property. Line 25: var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);

..snip..

2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure. Line 54:

..snip..

var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css"); var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css"); document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">'); document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');

===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html 1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property. Line 40: var qstr = window.location.search.substr(1);

..snip..

2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure. Line 64: document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");

..snip..

document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");

===========================================================

  1. Proof-of-Concept Exploit

===========================================================

This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js.

Reproduction Request: http://download.dojotoolkit.org/release-1.4.1/dojo-release-1.4.1/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>

(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)

============================================================

This vulnerability can be exploited against any website that has deployed the runner.html file.

Reproduction Request: http://download.dojotoolkit.org/release-1.4.1/dojo-release-1.4.1/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>

===========================================================

  1. Recommendation

===========================================================

A JavaScript? encoding function should be wrapped around the user-controllable variables to ensure that malicious data is properly encoded before rendering in the browser.

===========================================================

  1. About Gotham Digital Science

===========================================================

Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact [email protected]… or visit http://www.gdssecurity.com.

Change History (0)

Note: See TracTickets for help on using tickets.