Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, the Dojo Toolkit security team discovered similar XSS vulnerabilities in other dojox components, including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//

http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B

http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.
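As an added illustration (not Flash Player or Dojo code), the following models in JavaScript why an escaper that handles double quotes but leaves backslashes alone lets a value escape from the string literal it is embedded in, which is the ExternalInterface.call weakness described above; the function names are hypothetical.

```javascript
// Added example, not Flash Player or Dojo code. Models the escaping problem the
// advisory describes: quotes are escaped, backslashes are not.

// Quote-only escaping, modelling the runtime behaviour described above.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Complete escaping: backslashes first, then quotes and control characters.
// JSON.stringify does exactly that; strip its surrounding quotes.
function escapeForJsStringLiteral(s) {
  return JSON.stringify(s).slice(1, -1);
}

// Walk the body of a double-quoted JS string literal and return the index of
// the first quote that actually terminates it, or -1 if the body stays one
// string. A character following a backslash is escaped and skipped.
function literalEndIndex(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i++; continue; } // escaped character, skip it
    if (body[i] === '"') return i;
  }
  return -1;
}

// The id= value from the advisory's attack-vector list: a backslash, a quote,
// then text that would run as code once the literal has been closed.
const ADVISORY_ID_VALUE = '\\"))-alert(1);}catch(e){}//';

// Where each escaper leaves the literal: 2 means it was closed after the
// doubled backslash; -1 means the whole value stayed inside the string.
function demo() {
  return {
    quoteOnly: literalEndIndex(escapeQuotesOnly(ADVISORY_ID_VALUE)),
    complete: literalEndIndex(escapeForJsStringLiteral(ADVISORY_ID_VALUE)),
  };
}
```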

Additionally, JavaScript code in dojox/embed/Flash builds HTML strings for insertion into the page without ensuring that special characters are properly encoded. This allowed arbitrary HTML to be injected into a page that uses dojox/embed/Flash if unsanitised user input was passed to it.
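The following added example (not dojox/embed/Flash's own code; function names are hypothetical) shows the raw string-building pattern described above beside a version that HTML-escapes every attribute value and URL-encodes flashvars, which is what workaround 2 asks callers to guarantee.

```javascript
// Added example, not dojox/embed/Flash's own code. Hypothetical helpers that
// build <object> markup from untrusted values, unsafely and then hardened.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Unsafe: raw concatenation, so a quote in any value ends its attribute early.
function buildEmbedMarkupUnsafe(path, id, flashVars) {
  const vars = Object.keys(flashVars).map((k) => k + '=' + flashVars[k]).join('&');
  return '<object id="' + id + '" data="' + path + '" type="application/x-shockwave-flash">' +
    '<param name="flashvars" value="' + vars + '"></object>';
}

// Hardened: values are URL-encoded into flashvars (so "&" and "=" inside a value
// cannot add variables) and every attribute value is HTML-escaped.
function buildEmbedMarkupSafe(path, id, flashVars) {
  const vars = Object.keys(flashVars)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(flashVars[k]))
    .join('&');
  return '<object id="' + escapeAttr(id) + '" data="' + escapeAttr(path) +
    '" type="application/x-shockwave-flash">' +
    '<param name="flashvars" value="' + escapeAttr(vars) + '"></object>';
}

// Constructed untrusted inputs: an id that tries to close its attribute, and a
// flashvar containing the separators the flashvars format itself uses.
const CONSTRUCTED_ID = 'player" title="injected';
const CONSTRUCTED_VARS = { videoUrl: 'movie.flv?a=1&b=2' };
const SWF_PATH = '/dojox/av/resources/video.swf'; // path from the advisory's list

// True when the untrusted id managed to start a new attribute in the markup.
function idEscapedAttribute(markup) {
  return markup.indexOf('" title="injected') !== -1;
}
```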

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Posted in Announcements

Autumn 2014 Dojo events

There are a number of Dojo events this autumn. We hope to meet you at one of these events:

Dojo Community Day

Meetups

  • Intern 2. October 9, Nick Nisi, SitePen. London, UK. Free registration required.
  • Intern 2. October 16, Dylan Schiemann, SitePen. Boston, MA. Free registration required.

Conferences

  • EdgeConf. September 20, Dylan Schiemann, SitePen. San Francisco. Paid registration required.
  • FullStack. October 23-24, Dylan Schiemann, SitePen. London, UK. Paid registration required.

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!

Posted in Events

Dojo community day Switzerland

We recently hosted a Dojo Community Day in Brugg, Switzerland on the Saturday following a week of Dojo workshops. We had about 25 Dojo users and committers join us from England, France, Netherlands, Germany, Romania, Austria, and Switzerland for a fun day of hacking and discussions about current and future directions of Dojo.


Posted in Events

Case study: HPCC Systems

The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. This time, we interview Gordon Smith from HPCC Systems, a subsidiary of LexisNexis RISK Solutions.

Q: How did you first learn about Dojo?

A: Through Google / Stack Overflow. I suspect my “discovery” of Dojo was a bit different to the norm, as prior to 2013 I had never really done any Web Development. Up until then I was predominantly a C++ Developer, some Java and a smattering of C#. Initially I wanted to knock together a single page proof of concept, consisting of a code editor (CodeMirror), a result view (HTML Table) and an “activity graph” (ActiveX Control) and wanted something that would handle the layout, resizing and ideally something with splitters – after a few searches online I found the Border Container Docs and away I went! Shortly after, I added a Tab Container and switched to using the basic Grid.

ECL Playground – How the original POC looks today

Posted in Case Studies

Case study: FreeNAS

The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. This time, we interview William Grzybowski from iXsystems, a California-based company and creators of FreeNAS.


Posted in Case Studies

Dojo turns (1.)10

Ten years ago, we humbly started a project to create a “next generation DHTML toolkit”, based on an initial email, Selling the future of DHTML. Today, we are pleased to announce the immediate release of Dojo 1.10, our 16th major release of the toolkit!

Release Notes and Documentation

Dojo 1.10 is primarily a stability and bug fix release, with over 275 issues resolved. Read the Dojo 1.10 release notes for the complete list of what’s new and improved in 1.10. API features and enhancements primarily occurred within the following areas:

  • Core (DOM, events, request, WebWorkers, etc.)
  • Dijit
  • dojox/charting and dojox/gfx
  • dojox/app
  • dojox/calendar
  • dojox/mobile (including an iOS 7 theme)
  • dojox/store (offline store supporting WebSQL and IndexedDB)
  • Uglify 2 support for Dojo builder

The tutorials, reference guide, and API viewer have also been updated for the 1.10 release.

Use Direct from the CDN, or Download

Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.


dstore

The new dstore project is being worked on as the eventual successor to dojo/store. It works with Dojo 1.8+, but is intended to also define the object store APIs for Dojo 2. Tutorials and documentation will accompany the dstore 1.0 release that is expected in a few weeks. Read the Looking ahead with stores blog post for more details on the direction of this module.

Grids

As a reminder, while the source code is still available for DataGrid and EnhancedGrid, these modules are formally deprecated. We instead recommend that you use dgrid or gridx.

dgrid 0.4 is currently under development, and will be the first component to leverage the new dstore API.

Intern

Intern is the replacement for DOH. Work is currently underway to update all DOH tests in Dojo core and Dijit to use Intern, to make it easier to prevent regressions with Dojo 1.x releases. You can learn more about Intern via the Intro to Intern webcast, and also read What’s next for Intern and the 2.0 release that is expected soon.

What’s Next? 1.10.1, 1.11, and 2.0

We continue working on Dojo 2.0. We continue to issue periodic maintenance releases on 1.4+, primarily to fix issues when new browsers are released. We will likely have a 1.11 release for anything that might change or enhance an API, or to backport key improvements made for 2.0.

Thanks!

This release would not have been possible without significant contributions from the Dojo team. Special thanks to everyone who helped make this release possible, including:

  • Adrian Rakovsky
  • Adrian Vasiliu
  • Akira Sudoh
  • Alexander Kaidalov
  • Allen Shiels
  • Avraham Rozenzweig
  • Ben Hockey
  • Benjamin Santalucia
  • Bill Keese
  • Brandon Payton
  • Bryan Forbes
  • Christophe Jolif
  • Chuck Dumont
  • Clement Mathieu
  • Colin Snover
  • Damien Garbarino
  • Damien Mandrioli
  • Dasa Paddock
  • Douglas Hays
  • Dylan Schiemann
  • Ed Chatelain
  • Ed Hager
  • Eduardo Matos
  • Eric Durocher
  • Erwin Verdonk
  • Gabriel Aszalos
  • Gaurav Ramanan
  • Heng Liu
  • Hugh Winkler
  • James Morrin
  • Jochen Schäfer
  • Joerg Sonnenberger
  • Julien Mathevet
  • Justin Bumpus-Barnett
  • Kitson Kelly
  • Kris Zyp
  • Lajos Veres
  • Lamiaa Said
  • Lee Bodzak
  • Lorenzo Solano
  • Mangala Sadhu Sangeet Singh Khalsa
  • Mark Hays
  • Mark Szymanski
  • Matthew Maxwell
  • Mustafa Celik
  • Nick Nisi
  • Pascale Dardailler
  • Patrick Ruzand
  • Peter Kokot
  • Philip Jägenstedt
  • Rawld Gill
  • Scott Davis
  • Sebastien Brunot
  • Sebastien Pereira
  • Semion Chichelnitsky
  • Simon Speich
  • Stephen Davis
  • Stephen Simpson
  • Steve Hearnden
  • Terence Kent
  • Tim Roediger
  • Virgil Ciobanu
  • Vitaly Trushkov
  • Wouter Hager
  • Youngho Cho

We also thank AltoViso, IBM, SitePen, and TimeTrade for their generous contributions of development time and financial support.

Dojo community day!

We’re hosting a free Dojo community day in Switzerland on July 5th, and plan to host similar events in other locations later this year. If you cannot make it to Switzerland, we still encourage you to join us on the #dojo IRC channel (irc.freenode.net) for an afternoon of hacking. We’ll be online from approximately 9am – 6pm in Switzerland. Or join us at another Dojo event this summer.

Thanks!

We hope you’ll find Dojo 1.10 to be exceptionally stable and reliable. Please let us know if you run into any issues by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. We also encourage you to get involved, to help improve Dojo and to work on Dojo 2.0. We hope you find value in using Dojo 1.10!

Posted in Announcements, News

Summer 2014 Dojo events

There are a number of Dojo events this summer. We hope to meet you at one of these events:

Dojo Community Day

  • Dojo Community Day. July 5th, Brugg, Switzerland. Free registration required.
  • Dojo Community Day. September 27, Ottawa, ON. Free registration required. Registration details will be announced in July.

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!

Posted in Events

Esri Web Optimizer

Esri, creator of the Dojo-based ArcGIS JavaScript mapping API and ArcGIS Online, has announced the beta release of a new product, the ArcGIS API for JavaScript Web Optimizer, a Dojo-based app for creating Dojo and Esri ArcGIS optimized builds.

Visit the help documentation to view application screenshots.

Posted in Case Studies

Case Study: Autostore

The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. This time, we interview Ramil Rakhmetov from PeopleWare, a Belgian company that creates enterprise web applications. Ramil is a JavaScript developer who created the Autostore front-end.

Posted in Case Studies

Dojo 1.10 release schedule, beta 1 now available

In preparation for the release of Dojo 1.10, trunk is now in feature freeze, which means this code is considered feature complete for Dojo 1.10. The release schedule is currently as follows:

  • May 13: Dojo 1.10.0-beta1
  • May 29: Release candidate 1 (note: if additional beta releases are necessary, each release will push this out by 1 week)
  • June 12: Final release (note: if additional rc releases are necessary, each release will push this out by 1 week)

We encourage you to grab the beta and help us find any bugs or regressions with your code base and report any issues you find by following our contributor workflow.

The documentation for 1.10 has not yet been built, though the API changes from 1.9 are minimal. Work in progress release notes are available to see a highlight of the additions we have made.

Thank you to everyone that has helped make this release a success, including the 61 contributors that have had code land in this release!

Posted in Announcements, News