Friday, March 12, 2010 At 2:11PM
We released an advisory today to Bugtraq regarding a DOM-Based XSS bug I found in the Dojo Toolkit SDK 1.4.1 and earlier versions. The Dojo team was informed on February 19, 2010 and released the fix today along with some other security bugs. If you want some more information on this bug as well as the other bugs that were fixed, see their security bulletin.
The files identified with the XSS issues are primarily designed for testing; however, a quick Google search will identify numerous sites that have deployed these files along with the core framework components. Unfortunately, this is evidence of a much larger issue. All too often, test code gets deployed to production and ultimately leads to a security exposure. This is clearly a recipe for disaster!!! Folks, please clean up your web root. You clean up your house when relatives come by, right? You wouldn’t want them tripping over your GI Joes and breaking their leg! It’s the same thing, more or less : )
Overview
The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross-platform, JavaScript/Ajax-based applications and web sites. Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK. The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files.
More information on DOM-based XSS can be found at OWASP’s site.
Technical Details
File: dojo-release-1.4.1-src/dojo-release-1.4.1-src/dijit/tests/_testCommon.js
1) Data enters via “theme” URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
..snip..
2) The “theme” variable with user-controllable input is then used to build “themeCss” and “themeCssRtl”, which are then passed to document.write(). Writing the unvalidated data to HTML creates the XSS exposure.
Line 54:
..snip..
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">');
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
File: dojo-release-1.4.1-src/dojo-release-1.4.1-src/util/doh/runner.html
1) Data enters via “dojoUrl” or “testUrl” URL parameters through the window.location.search property.
Line 40:
var qstr = window.location.search.substr(1);
..snip..
2) The “dojoUrl” and “testUrl” variables with user-controllable input are passed to document.write(). Writing the unvalidated data to HTML creates the XSS exposure.
Line 64:
document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");
..snip..
document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");
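Both files follow the same unsafe pattern: read a query parameter from window.location and concatenate it into markup handed to document.write(). The example below is added here and is not Dojo's code or its 1.4.2 fix; it shows the defensive pattern for the “theme” parameter (allowlist the value, then create the <link> elements with DOM APIs so no user text is ever parsed as HTML). The theme names and default are assumptions; the same allowlist-then-DOM approach applies to runner.html's “dojoUrl” and “testUrl”.

```javascript
// Added example, not Dojo's code. Allowlist and default are assumptions.
const ALLOWED_THEMES = ["tundra", "soria", "nihilo"];
const DEFAULT_THEME = "tundra";

// Parse the query string of a full href into an object, decoding each part
// and dropping the fragment, the same slice _testCommon.js reads at line 25.
function parseQuery(href) {
  const q = href.indexOf("?");
  if (q < 0) return {};
  const str = href.substr(q + 1).split(/#/)[0];
  const out = {};
  for (const pair of str.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? "" : pair.slice(eq + 1);
    try {
      out[decodeURIComponent(k)] = decodeURIComponent(v);
    } catch (e) {
      // malformed percent-encoding: ignore this pair rather than guess
    }
  }
  return out;
}

// Return the requested theme only if it is on the allowlist; anything else
// (including the '"/><script>...' payload) falls back to the default, so
// attacker-controlled text never reaches the DOM.
function selectTheme(href) {
  const theme = parseQuery(href).theme;
  return ALLOWED_THEMES.includes(theme) ? theme : DEFAULT_THEME;
}

// Build the two stylesheet URLs from the validated theme name.
function themeHrefs(baseUrl, theme) {
  return [
    baseUrl + theme + "/" + theme + ".css",
    baseUrl + theme + "/" + theme + "_rtl.css",
  ];
}

// Browser-only: attach the stylesheets via DOM APIs instead of document.write.
// Setting link.href assigns an attribute value; it is never parsed as markup.
function appendThemeLinks(doc, baseUrl, theme) {
  for (const href of themeHrefs(baseUrl, theme)) {
    const link = doc.createElement("link");
    link.rel = "stylesheet";
    link.type = "text/css";
    link.href = href;
    doc.head.appendChild(link);
  }
}
```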
Proof-of-Concept Exploit
This vulnerability can be exploited against websites that have deployed any of the 145 SDK files that reference _testCommon.js.
Reproduction Request:
http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>
(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)
This vulnerability can be exploited against any website that has deployed the runner.html file.
Reproduction Request:
http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
Recommendation
Update to Dojo Toolkit SDK 1.4.2
Author: Adam Bixby
©Aon plc 2023