SecurityvulnsSECURITYVULNS:DOC:23409Multiple DOM-Based XSS in Dojo Toolkit SDK
===========================================================
Multiple DOM-Based XSS in Dojo Toolkit SDK
Public Release Date: 3/12/2010
Adam Bixby - Gotham Digital Science ([email protected])
Affected Software: Dojo Toolkit SDK <= Build 1.4.1
Browser used for testing: IE8 (8.0.7600.16385)
Severity: High
- Summary
===========================================================
The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid
development of cross platform, JavaScript/Ajax based applications and web sites. Multiple instances of
DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html
files within the SDK. The XSS vulnerabilities appear to affect all websites that deploy any of the
affected SDK files. These files are designed for testing, however a Google search identified numerous
sites which have deployed these files along with the core framework components.
More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.
The vendor (Dojo Foundation) was notified of this issue on February 19, 2010. The vendor responded by
releasing version 1.4.2 on March 12, 2010 and has also issued a security bulletin:
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/.
===========================================================
2. Technical Details
File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via "theme" URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
…snip…
2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl"
which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
Line 54:
…snip…
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">');
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
===========================================================
File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html
1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property.
Line 40:
var qstr = window.location.search.substr(1);
…snip…
2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write().
Writing the un-validated data to HTML creates the XSS exposure.
Line 64:
document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true'
src='"+dojoUrl+"'></scr"+"ipt>");
…snip…
document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");
===========================================================
3. Proof-of-Concept Exploit
This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which
reference _testCommon.js.
Reproduction Request:
http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>
(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)
============================================================
This vulnerability can be exploited against any website that has deployed the runner.html file.
Reproduction Request:
http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
===========================================================
4. Recommendation
Update to Dojo Toolkit SDK 1.4.2
===========================================================
5. About Gotham Digital Science
Gotham Digital Science (GDS) is an information security consulting firm that works with clients to
identify, prevent, and manage security risks. For more information on GDS, please contact
[email protected] or visit http://www.gdssecurity.com.