Security Advisory SA43818 - qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities

Secunia

Blog

Secunia Advisory SA43818

qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities

Secunia Advisory

SA43818

Release Date

2011-04-06

Last Update

2011-04-26

Popularity

1,518 view

Comments

1 comment

Criticality level

Moderately critical

Impact

Cross Site Scripting
Exposure of system information
Exposure of sensitive information

Where

From remote

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Unpatched

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Remediation status

Secunia VIM

Software:

qooxdoo 1.x

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2011-1715 CVSS score available to Secunia VIM customers
CVE-2011-1714 CVSS score available to Secunia VIM customers

Description

Two vulnerabilities have been discovered in qooxdoo, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

1) Input passed to the "callback" parameter in framework/source/resource/qx/test/jsonp_primitive.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "file" parameter in framework/source/resource/qx/test/part/delay.php is not properly verified before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

The vulnerabilities are confirmed in version 1.3. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly sanitised and verified.

Provided and/or discovered by
Originally reported by AutoSec Tools in eyeOS.

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://www.autosectools.com/Advisories/eyeOS.2.3_Reflected.Cross-site.Scripting_172.html
http://www.autosectools.com/Advisories/eyeOS.2.3_Local.File.Inclusion_173.html

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities

User

Message

thron7

RE: qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities

7th Apr, 2011 17:47

Score: 0
Posts: 1
User Since: 7th Apr 2011
System Score: N/A
Location: DE
Last edited on 7th Apr, 2011 17:47

I'm one of the qooxdoo core developers. Both offending files (jsonp_primitive.php and delay.php) are just part of our own unit testing suite, and we use them only in a closed development environment. They appear in the framework's resource folders and in the optimized version of a unit test application. It is just unfortunate that the eyeOS project exposed the entire SDK, including our test suite. Normal users of the qooxdoo SDK, i.e. people building custom applications with qooxdoo, can never be exposed to this because the two files are never included in a user application built with qooxdoo. We will nevertheless mitigate the vulnerabilities, and apologize for any inconveniences.

Was this reply relevant?

-0

Secunia Advisory SA43818

qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?