Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the Dojo Toolkit SDK.
Vulnerable Systems:
* Dojo Toolkit versions prior to 1.4.2
Immune Systems:
* Dojo Toolkit SDK version 1.4.2
The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files. These files are designed for testing; however, a Google search identified numerous sites which have deployed these files along with the core framework components.
If you have Dojo 0.4 through Dojo 1.4 installed on your site, you are strongly encouraged to read all of this message and take immediate action.
We recently had a security review done on the Dojo codebase, and some issues were discovered. Most of the issues were in test files or related PHP files, but there were some issues discovered with a few files used by modules. You are strongly encouraged to remove some files immediately to give yourself the best protection. While we are not aware of any specific exploits, we take security issues very seriously and we encourage you to take quick preventative action.
Quick instructions
Some of the files listed below may not be in your version or build of Dojo. These instructions are listed to be comprehensive across all the Dojo versions.
1. If you use Dojo from the AOL or Google CDN, the issue is already fixed.
2. If you have PHP enabled on your site, turn off PHP for the directories that contain dojo/dijit/dojox. Dojo only used PHP files in some tests and demos, but PHP is not required to use Dojo.
3. Remove the following files:
* util/doh/runner.html - a file used for tests, should not affect production/deployed code.
* dojo/resources/iframe_history.html - in 0.4 it is just iframe_history.html in the dojo directory. This file is used by dojo.back. In Dojo 0.4, it was used by dojo.undo.browser and dojo.io.IframeIO.
* dojox/av/resources/video.swf - used by dojox.av.FLVideo
* dojox/av/resources/audio.swf - used by dojox.av.FLAudio
If you use one of the modules listed above, instead of deleting the files you can do one of the following:
1. Get an updated release with the security fixes.
2. Pull the specific files from one of the updated builds.
If you do your own custom builds, you are encouraged to also get an updated release.
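A small audit script for the removal steps above, added here as an example that is not part of the advisory or the Dojo project. It assumes the Dojo tree sits somewhere under a web root passed as the first argument, and flags the files named in step 3 plus any .php files under dojo/dijit/dojox (step 2); the 0.4 location of iframe_history.html is included as well.

```shell
#!/bin/sh
# Constructed example for this advisory, not Dojo project code.
# Usage: dojo_audit /var/www/html   (exit 0 = clean, 1 = action needed)

# Files the advisory says to remove, relative to the Dojo checkout root.
ADVISORY_FILES="util/doh/runner.html
dojo/resources/iframe_history.html
dojo/iframe_history.html
dojox/av/resources/video.swf
dojox/av/resources/audio.swf"

# Print every advisory-listed file found under the web root, one per line.
# Works at any checkout depth (e.g. js/dojo-1.4.1/util/doh/runner.html).
find_advisory_files() {
    webroot=$1
    printf '%s\n' "$ADVISORY_FILES" | while IFS= read -r rel; do
        name=${rel##*/}
        # Match on basename first, then confirm the full relative path.
        find "$webroot" -type f -name "$name" 2>/dev/null | while IFS= read -r hit; do
            case "$hit" in
                */"$rel") echo "$hit" ;;
            esac
        done
    done
}

# Print every .php file under a dojo/, dijit/ or dojox/ directory
# (tests and demos only; PHP is not needed to run Dojo).
find_php_files() {
    webroot=$1
    find "$webroot" -type f -name '*.php' \
        \( -path '*/dojo/*' -o -path '*/dijit/*' -o -path '*/dojox/*' \) 2>/dev/null
}

# Return 0 when nothing is flagged, 1 when any listed file is present.
dojo_audit() {
    webroot=$1
    hits=$(find_advisory_files "$webroot"; find_php_files "$webroot")
    if [ -n "$hits" ]; then
        printf 'Remove or update the following (see advisory):\n%s\n' "$hits"
        return 1
    fi
    echo "No advisory-listed files found under $webroot"
    return 0
}
```

Run it against each web root that serves Dojo; a non-zero exit means at least one listed file is still deployed.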
Pull Specific Files
If you have your own custom, modified Dojo source and cannot update to the new builds, you can go to the directories listed in the "Updated Builds" section and grab the files you need from the version that most closely matches your version and just copy them over to your distribution.
Some branches do not have all of these files; just replace the files that exist in your distribution:
In addition to grabbing the files listed above, be sure to delete any .php files in the dojo/dijit/dojox directories, if PHP is enabled on your server.
Description of Issues
The main issues that are being fixed in this update:
* Some PHP files did not properly escape input.
* Some files could operate like "open redirects". A bad actor could form a URL that looks like it came from a trusted site, but the user would be redirected to or load content from the bad actor's site.
* A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.
* The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.
Disclosure Timeline:
The vendor (Dojo Foundation) was notified of this issue on February 19, 2010.
The vendor responded by releasing version 1.4.2 on March 12, 2010.