Affected products ================= easyXDM library < 2.4.19 - http://easyxdm.net/wp/ easyXDM is a Javascript library that enables you as a developer to easily work around the limitation set in place by the Same Origin Policy, in turn making it easy to communicate and expose javascript API's across domain boundaries. Vulnerabilities are fixed in version 2.4.19. All users are advised to upgrade. CVE === CVE-2014-1403 DOM XSS in name.html location.hash value ======================================== Description ----------- EasyXDM uses name.html file to bootstrap cross origin communication between documents. It accepts various parameters in location.hash value, one of which is the URL of the document to load. Value of this parameter is not filtered, allowing to pass javascript: URL that may execute arbitrary Javascript code in context of the domain hosting EasyXDM installation. This vulnerability is described in greater details in [1] Analysis -------- The root cause of the vulnerability is the following code in name.html file: if (location.hash) { // DOM XSS source if (location.hash.substring(1, 2) === "_") { var channel, url, hash = location.href.substring(location.href.indexOf("#") + 3), indexOf = hash.indexOf(","); if (indexOf == -1) { channel = hash; } else { channel = hash.substring(0, indexOf); url = decodeURIComponent(hash.substring(indexOf + 1)); } switch (location.hash.substring(2, 3)) { /... case "3": // NameTransport remote var guest = window.parent.frames[ "easyXDM_" + channel + "_provider" ]; if (!guest) { throw new Error("unable to reference window"); } guest.easyXDM.Fn.get(channel)(window.name); location.href = url + "#_4" + channel + ","; // DOM XSS sink break; Part of location hash, under certain conditions, ends up in location.href assignment, triggering JS execution. Proof of Concept ---------------- Credits ======= Vulnerability found by Krzysztof Kotowicz http://blog.kotowicz.net Timeline ======== - 2013-01-xx - Discovery - 2013-01-10 - Notified project maintainer - 2013-01-19 - Fixed version release - 2013-01-31 - Public disclosure Related links ============= [1] http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html