Bugzilla – Bug 875166
VUL-0: CVE-2013-7370: nodejs: methodOverride Middleware Reflected XSS
Last modified: 2014-04-28 16:49:15 UTC
The Node Security Project reported the following issue:

Overview:
Connect is a stack of middleware that is executed in order in each request. The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" POST key or with the header "x-http-method-override". Because the user POST input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

First fix: escape req.method output
https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135

Second fix: whitelist
https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

CVE-2013-7370 was assigned to this issue.

We need fixes for: openSUSE:12.3 and openSUSE:13.1 + Factory

References:
https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
https://bugzilla.redhat.com/show_bug.cgi?id=1091166
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7370.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370
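The following is an added example, not Connect's own code or part of the original report: a stand-alone JavaScript model of the behaviour the advisory describes (override req.method from the "_method" body key or the "x-http-method-override" header, then echo req.method into a "Cannot [method] [url]" 404 page) placed beside the two fixes it names, escaping the reflected value and accepting only a whitelist of verbs. The `req` objects are constructed stand-ins for a Node request with an already-parsed body, the verb list and the case-insensitive matching are this example's own assumptions, and the attack payloads are made up for the demonstration.

```javascript
// Added example (not Connect's or Node's code): minimal model of the
// methodOverride reflected-XSS and of the two fixes the advisory names.
// `req` objects are constructed stand-ins with an already-parsed body.

// Assumption: the verbs a router would actually dispatch on.
const ALLOWED_METHODS = new Set([
  'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH',
]);

// Override source as described: the `_method` body key first, then the
// `x-http-method-override` header.
function readOverride(req) {
  if (req.body && typeof req.body._method === 'string') {
    return req.body._method;
  }
  const header = req.headers && req.headers['x-http-method-override'];
  return typeof header === 'string' ? header : undefined;
}

// Vulnerable behaviour: whatever the client sent becomes req.method.
function methodOverrideUnchecked(req) {
  const override = readOverride(req);
  if (override !== undefined) {
    req.originalMethod = req.method;
    req.method = override;
  }
  return req;
}

// Fix 2 (whitelist): only a known verb may replace the real method; anything
// else is ignored. Case-insensitive matching is this example's choice.
function methodOverrideWhitelisted(req) {
  const override = readOverride(req);
  if (override !== undefined) {
    const verb = override.toUpperCase();
    if (ALLOWED_METHODS.has(verb)) {
      req.originalMethod = req.method;
      req.method = verb;
    }
  }
  return req;
}

// Vulnerable 404 body: method and URL interpolated into HTML unescaped.
function notFoundUnescaped(req) {
  return '<html><body><p>Cannot ' + req.method + ' ' + req.url +
    '</p></body></html>';
}

// Fix 1 (escape): neutralise HTML metacharacters before reflecting input.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function notFoundEscaped(req) {
  return '<html><body><p>Cannot ' + escapeHtml(req.method) + ' ' +
    escapeHtml(req.url) + '</p></body></html>';
}

// Constructed attack requests: one carries a script tag in the `_method`
// form field, the other abuses the header path instead.
function attackViaBody() {
  return {
    method: 'POST', url: '/does-not-exist', headers: {},
    body: { _method: '<script>alert(1)</script>' },
  };
}

function attackViaHeader() {
  return {
    method: 'POST', url: '/does-not-exist',
    headers: { 'x-http-method-override': '<img src=x onerror=alert(1)>' },
    body: {},
  };
}

// Runs one attack through the vulnerable path and both fixes and returns what
// each would send back, so the difference can be inspected or asserted on.
function compare(makeReq) {
  const unchecked = methodOverrideUnchecked(makeReq());
  const whitelisted = methodOverrideWhitelisted(makeReq());
  return {
    vulnerableBody: notFoundUnescaped(unchecked),  // payload reflected raw
    escapedBody: notFoundEscaped(unchecked),       // fix 1: payload inert
    whitelistedMethod: whitelisted.method,         // fix 2: stays 'POST'
  };
}

console.log(compare(attackViaBody));
console.log(compare(attackViaHeader));
```

Either fix alone closes the reflection described in the advisory; the whitelist is the stronger of the two because it also stops arbitrary strings from reaching any other code that branches on req.method, which is why it was applied as the second commit.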
bugbot adjusting priority
Those patches are for the 2.x version. We have a 0.x version in openSUSE. The code mentioned in those patches does not even exist.
This issue is for the connect middleware that comes bundled in nodejs 2.x (connect overrides the http.createServer method). I tried this code with the nodejs that comes in openSUSE 13.1: require('connect'), and the answer is: Cannot find module 'connect'. This confirms that our nodejs does not include the connect middleware code. The same for openSUSE 12.3.
Can we close this bug?
Perfect! Thanks Jordi. I will close this now.
Closing bug, as we're not affected by this issue.