0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability

Author

Adam Bixby

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-9669

Category

web applications

Date add

16-03-2010

Platform

unsorted

==========================================================
Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability
==========================================================

===========================================================
Multiple DOM-Based XSS in Dojo Toolkit SDK 
Public Release Date: 3/12/2010
Adam Bixby - Gotham Digital Science (labs@gdssecurity.com) 
Affected Software:  Dojo Toolkit SDK <= Build 1.4.1 
Browser used for testing: IE8 (8.0.7600.16385)
Severity: High
===========================================================
1. Summary
===========================================================

The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross platform, JavaScript/Ajax based applications and web sites.  Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK.  The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files.  These files are designed for testing, however a Google search identified numerous sites which have deployed these files along with the core framework components.

More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.

The vendor (Dojo Foundation) was notified of this issue on February 19, 2010.  The vendor responded by releasing version 1.4.2 on March 12, 2010 and has also issued a security bulletin: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/.
 

===========================================================
2. Technical Details
===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via "theme" URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
  ..snip..
2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
Line 54:
  ..snip..
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">'); 
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
 

===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html
1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property.
Line 40:
var qstr = window.location.search.substr(1);
  ..snip..
2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
Line 64:
document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");
  ..snip..
document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");


===========================================================
3. Proof-of-Concept Exploit
===========================================================

This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js.

Reproduction Request:
http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>

(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)

============================================================

This vulnerability can be exploited against any website that has deployed the runner.html file.

Reproduction Request:
http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
 

===========================================================
4. Recommendation
===========================================================

Update to Dojo Toolkit SDK 1.4.2

===========================================================



#  0day.today [2024-07-05]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability

Report Error

Report Error