Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B
http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, the JavaScript code in dojox/embed/Flash builds HTML strings for injection into the page without encoding special characters in the values it concatenates. This allowed arbitrary HTML to be injected into a page that uses dojox/embed/Flash if unsanitised user input were passed to it.
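As an added illustration of workaround 2 and of the string-building problem described above (example code, not dojox/embed/Flash's own), a hypothetical embed-markup builder in the unsafe concatenation style beside a hardened version that HTML-encodes every untrusted value before it reaches the markup:

```javascript
// Added example; function names and the embed layout are hypothetical and not
// taken from dojox/embed/Flash.

// Encode the characters that can change HTML context. Ampersand is handled
// first so the entities produced by later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: values go straight into the markup, so a value containing a
// double quote closes the attribute and whatever follows becomes new markup.
function buildEmbedUnsafe(opts) {
  return '<embed src="' + opts.path + '" id="' + opts.id +
    '" flashvars="' + opts.vars + '" type="application/x-shockwave-flash">';
}

// Hardened pattern: each value is escaped before concatenation, so it stays
// inside the attribute it was meant for.
function buildEmbedSafe(opts) {
  return '<embed src="' + escapeHtml(opts.path) + '" id="' + escapeHtml(opts.id) +
    '" flashvars="' + escapeHtml(opts.vars) + '" type="application/x-shockwave-flash">';
}

// Counts attribute openings in a tag, to show whether the markup was altered.
function attributeCount(html) {
  return (html.match(/\s[a-zA-Z-]+="/g) || []).length;
}

// Constructed sample input: the id value tries to close the attribute and add
// another one. The builder is meant to emit exactly four attributes.
const sample = { path: "player.swf", id: 'player" title="injected', vars: "a=1" };
```

With the sample above the unsafe builder emits five attributes and the hardened builder emits four, with the quote rendered as `&quot;` inside the id attribute.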

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!