We released an advisory today to Bugtraq regarding a DOM-Based XSS bug I found in the Dojo Toolkit SDK 1.4.1 and earlier versions. The Dojo team was informed on February 19, 2010 and released the fix today along with some other security bugs. If you want some more information on this bug as well as the other bugs that were fixed, see their security bulletin.
The files identified with the XSS issues are primarily designed for testing; however, a quick Google search will identify numerous sites that have deployed these files along with the core framework components. Unfortunately, this is evidence of a much larger issue. All too often, test code gets deployed to production and ultimately leads to a security exposure. This is clearly a recipe for disaster!!! Folks, please clean up your web root. You clean up your house when relatives come by, right? You wouldn't want them tripping over your GI Joes and breaking their leg! It's the same thing, more or less : )
More information on DOM-based XSS can be found at OWASP's site.
1) Data enters via the "theme" URL parameter, read from the window.location.href property:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
2) The "theme" variable, which holds user-controllable input, is concatenated into "themeCss" and "themeCssRtl", which are then passed to document.write(). Writing the unvalidated data to HTML creates the XSS exposure:
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">');
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');
1) Data enters via the "dojoUrl" or "testUrl" URL parameters, read from the window.location.search property:
var qstr = window.location.search.substr(1);
2) The "dojoUrl" and "testUrl" variables, which hold user-controllable input, are passed to document.write(). Writing the unvalidated data to HTML creates the XSS exposure.
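To make both data flows concrete, here is an added example that is not Dojo's code and not part of the advisory. It reproduces the pattern described above (URL parameter, string concatenation, markup handed to document.write) next to a hardened version, and runs under Node with no browser: the markup that would have gone to document.write() is returned as a string instead. The query-string key/value splitting, the moduleUrl() stand-in, the allow-list of theme names, and the scriptTagSafe() helper for the runner.html parameters are all assumptions made for the example, not Dojo's implementation.

```javascript
// Added example (not Dojo's code, not from the advisory). Parse the query the
// way the vulnerable file does (everything after "?", fragment dropped); the
// key/value splitting is an assumption, since only the first line of the
// original parser is quoted.
function parseQuery(href) {
  const q = href.indexOf("?");
  if (q < 0) return {};
  const str = href.slice(q + 1).split(/#/)[0];
  const params = {};
  for (const pair of str.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? "" : pair.slice(eq + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return params;
}

// Stand-in for dojo.moduleUrl(): module path plus relative file -> URL string.
// Assumed shape for the example; Dojo's real function returns a URL object.
function moduleUrl(module, rel) {
  return "/dojo/" + module.replace(/\./g, "/") + "/" + rel;
}

// Vulnerable pattern: the "theme" value is concatenated straight into the href
// attribute of a <link> tag. A value containing a double quote breaks out of
// the attribute, which is the DOM-based XSS the advisory reports.
function themeLinkUnsafe(href) {
  const theme = parseQuery(href).theme || "tundra";
  const themeCss = moduleUrl("dijit.themes", theme + "/" + theme + ".css");
  return '<link rel="stylesheet" type="text/css" href="' + themeCss + '">';
}

// Hardened pattern, two layers:
//  1. allow-list the parameter (theme names are a small fixed set; this list
//     is the example's assumption, not Dojo's);
//  2. escape the value for an HTML attribute anyway, so a later change to the
//     allow-list cannot silently reopen the hole.
const ALLOWED_THEMES = new Set(["tundra", "soria", "nihilo"]);

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function themeLinkSafe(href) {
  const requested = parseQuery(href).theme;
  const theme = requested === undefined ? "tundra" : requested;
  if (!ALLOWED_THEMES.has(theme)) {
    // Reject rather than "clean": an unknown theme is a bug or an attack,
    // not something to guess at.
    throw new Error("theme not in allow-list");
  }
  const themeCss = moduleUrl("dijit.themes", theme + "/" + theme + ".css");
  return '<link rel="stylesheet" type="text/css" href="' + escapeAttr(themeCss) + '">';
}

// The runner.html case ("dojoUrl" / "testUrl") takes a URL, not a name, so a
// value allow-list does not fit. Instead: restrict the value to a same-origin
// relative path (path characters only, no scheme, no leading "/" so that
// protocol-relative "//host/x.js" is also rejected) and escape it before it
// reaches markup. Hypothetical helper written for this example.
function scriptTagSafe(href, param) {
  const value = parseQuery(href)[param];
  if (value === undefined) return null;
  const isRelativePath = /^[A-Za-z0-9_.\/-]+$/.test(value) && !value.startsWith("/");
  if (!isRelativePath) throw new Error(param + " must be a same-origin relative path");
  return '<script type="text/javascript" src="' + escapeAttr(value) + '"></script>';
}
```

In a real page the safer move is to skip string-built markup entirely: create the link or script element with document.createElement(), set its href or src property, and append it, so no attribute-escaping step exists to get wrong. The allow-list and path checks above still apply, because an unchecked value assigned to src can still load a script from another origin.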
The first issue (the "theme" parameter) can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js.
(Note: test_Button.html is one of the SDK files that includes the _testCommon.js file.)
The second issue (the "dojoUrl" and "testUrl" parameters) can be exploited against any website that has deployed the runner.html file.
Update to Dojo Toolkit SDK 1.4.2