dojo -- cross-site scripting and other vulnerabilities

Description:

The Dojo Toolkit team reports:

Some PHP files did not properly escape input.

Some files could operate like "open redirects". A bad actor could form an URL that looks like it came from a trusted site, but the user would be redirected or load content from the bad actor's site.

A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.

The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.

References:

• URL: <http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/>
• URL: <http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html>
• URL: <http://packetstormsecurity.org/1003-exploits/dojo-xss.txt>
• URL: <http://secunia.com/advisories/38964>
• URL: <http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/>

Affects:

• dojo <1.4.2

Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.

If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Team. Refer to "FreeBSD Security Information" for more information.