Bug 875166 - (CVE-2013-7370) VUL-0: CVE-2013-7370: nodejs: methodOverride Middleware Reflected XSS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Other openSUSE 13.1
: P3 - Medium : Normal
Assigned To: Jordi Massaguer
Security Team bot
Depends on:
Reported: 2014-04-25 09:33 UTC by Alexander Bergmann
Modified: 2014-04-28 16:49 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2014-04-25 09:33:29 UTC
The Node Security Project reported the following issue:


Connect is a stack of middleware that is executed in order in each request.

The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" post key or with the "x-http-method-override" header.

Because the user's POST input was not checked, req.method could contain any kind of value. Because req.method did not match any common method verb, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

First fix: escape req.method output

Second fix: whitelist

CVE-2013-7370 was assigned to this issue.

We need fixes for:

openSUSE:12.3 and openSUSE:13.1 + Factory
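The mechanism in the report, reduced to a few functions as an added example (this is not connect's code and not part of the advisory): a minimal methodOverride that reads `_method` or `x-http-method-override`, the "Cannot [method] [url]" 404 body, and the two fixes named above (escape the output, whitelist the verb). It assumes a plain request object with `method`, `url`, `headers` and an already parsed `body`; the request values are constructed inline.

```javascript
// Added example (not connect's code): a stripped-down methodOverride plus the
// "Cannot [method] [url]" 404 reply, shown unfixed and with both fixes applied.
// Assumes a request object with `method`, `url`, `headers` and an already
// parsed `body` (connect's bodyParser normally fills req.body; here the
// object is constructed by hand).

const ALLOWED_METHODS = new Set([
  'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS',
]);

// Reads the override value the way the report describes: the `_method`
// body key first, then the x-http-method-override header.
function readOverride(req) {
  const body = req.body || {};
  const headers = req.headers || {};
  return body._method || headers['x-http-method-override'] || '';
}

// Before the fixes: whatever the client sent becomes req.method.
function overrideMethodUnchecked(req) {
  const override = readOverride(req);
  if (override) req.method = String(override).toUpperCase();
  return req.method;
}

// Second fix (whitelist): only a known verb may replace req.method;
// anything else leaves the original method untouched.
function overrideMethodWhitelisted(req) {
  const candidate = String(readOverride(req)).toUpperCase();
  if (ALLOWED_METHODS.has(candidate)) req.method = candidate;
  return req.method;
}

// First fix (escape): HTML-encode a value before it is reflected in a page.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The 404 body connect produced when no route matched the client-chosen verb.
// The unescaped form is the bug; the escaped form is the first fix.
function notFoundBodyUnescaped(req) {
  return `Cannot ${req.method} ${req.url}`;
}
function notFoundBodyEscaped(req) {
  return `Cannot ${escapeHtml(req.method)} ${escapeHtml(req.url)}`;
}

// Constructed request: a POST whose `_method` value is chosen by the caller.
function makeRequest(methodOverride) {
  return {
    method: 'POST',
    url: '/items',
    headers: {},
    body: { _method: methodOverride },
  };
}

// Runs the unfixed path and both fixes against the same constructed input and
// returns the three 404 bodies so the difference can be inspected.
function compare(methodOverride) {
  const unchecked = makeRequest(methodOverride);
  overrideMethodUnchecked(unchecked);

  const whitelisted = makeRequest(methodOverride);
  overrideMethodWhitelisted(whitelisted);

  return {
    vulnerable: notFoundBodyUnescaped(unchecked),    // markup reaches the browser
    escaped: notFoundBodyEscaped(unchecked),         // fix 1: encoded on output
    whitelisted: notFoundBodyUnescaped(whitelisted), // fix 2: never became the method
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compare('<b>not-a-verb</b>')); // markup in the override value
  console.log(compare('delete'));            // a legitimate override
}
```

With a non-verb override, the unfixed path reflects the markup verbatim, the escaped path reflects it as `&lt;b&gt;...`, and the whitelisted path keeps `POST` and never echoes the client value at all. Shipping both fixes is the sensible default: the whitelist removes the input, the encoding protects any other place the method is rendered.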

Comment 1 Swamp Workflow Management 2014-04-25 22:00:11 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2014-04-28 15:09:54 UTC
Those patches are for the 2.x version. We have a 0.x version in openSUSE. The code mentioned in those patches does not even exist.
Comment 5 Jordi Massaguer 2014-04-28 15:44:02 UTC
This issue is for the connect middleware that comes bundled in nodejs 2.x (connect overrides http.createServer method).

I tried this code with nodejs that comes in openSUSE 13.1:


and the answer is

  Cannot find module 'connect'

This confirms that our nodejs does not include the connect middleware code.

The same for openSUSE 12.3
Comment 7 Jordi Massaguer 2014-04-28 15:44:41 UTC
Can we close this bug?
Comment 8 Alexander Bergmann 2014-04-28 16:46:44 UTC
Perfect! Thanks Jordi. I will close this now.
Comment 9 Alexander Bergmann 2014-04-28 16:49:15 UTC
Closing bug, as we're not affected by this issue.