Security Issue - Cross-Site Scripting with connect.methodOverride() #831

m13 opened this Issue Jun 27, 2013 · 1 comment

2 participants


This middleware overwrites req.method with the req.body['_method'] value. When you don't catch the error, it responds with a default error message: "Cannot [METHOD] [URL]". Because this is not sanitized enough, you can force a Cross-Site Scripting in the response:

~ curl "localhost:3000" -d "_method=<script src=></script>"

This is very dangerous because in a server like ExpressJS it won't be handled with an app.all('/*', ...), so all servers using this middleware are vulnerable.

To fix this hole, I don't know if it is better to fix proto.js#L155 or the middleware.

Sencha Labs member
tj commented Jun 27, 2013

I patched it with an escape for now, but I'll whitelist the methods as well. It's not a huge vulnerability since you can't easily pass around a POST, but it doesn't hurt to escape. Thanks for the report.

@tj tj closed this Jun 27, 2013
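As an added example, not code from the connect project or from either commenter: a minimal stand-in for the override middleware and the default "Cannot METHOD URL" fallthrough body, with the unsafe version beside the version hardened in the two ways tj describes (a method allowlist plus HTML-escaping of anything reflected). The function names, the ALLOWED_METHODS set and the sample request objects are constructed for illustration.

```javascript
// Hypothetical model of connect.methodOverride() and the default 404 body.
// Everything here is constructed for this example; it is not the project's code.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']);

// Escape the characters that matter in an HTML text context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// UNSAFE (models the reported behaviour): any string in _method becomes req.method,
// and the fallthrough body reflects it verbatim into the response.
function unsafeMethodOverride(req, key = '_method') {
  const body = req.body || {};
  if (typeof body[key] === 'string') req.method = body[key];
  return req.method;
}
function unsafeNotFoundBody(req) {
  return `Cannot ${req.method} ${req.url}`;
}

// HARDENED: honour _method only when it is a known HTTP verb, remember the
// original method for logging, and escape whatever is reflected in the body.
function methodOverride(req, key = '_method') {
  const body = req.body || {};
  const candidate = typeof body[key] === 'string' ? body[key].toUpperCase() : null;
  if (candidate && ALLOWED_METHODS.has(candidate)) {
    req.originalMethod = req.originalMethod || req.method;
    req.method = candidate;
  }
  return req.method; // unchanged when the override was rejected
}
function notFoundBody(req) {
  return `Cannot ${escapeHtml(req.method)} ${escapeHtml(req.url)}`;
}

// Constructed requests: one shaped like the curl in the report, one legitimate override.
function makeReport() {
  return { method: 'POST', url: '/', body: { _method: '<script src=></script>' } };
}
function makeLegit() {
  return { method: 'POST', url: '/items/1', body: { _method: 'delete' } };
}

const r = makeReport();
methodOverride(r);
console.log(notFoundBody(r)); // the override is rejected, so the body stays "Cannot POST /"
```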