Bug 875166 - (CVE-2013-7370) VUL-0: CVE-2013-7370: nodejs: methodOverride Middleware Reflected XSS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / openSUSE 13.1
Priority / Severity: P3 - Medium / Normal
Assigned To: Jordi Massaguer
Security Team bot
https://smash.suse.de/issue/98280/
Reported: 2014-04-25 09:33 UTC by Alexander Bergmann
Modified: 2014-04-28 16:49 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2014-04-25 09:33:29 UTC
The Node Security Project reported the following issue:

Overview:

Connect is a stack of middleware that is executed in order in each request.

The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override".

Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

First fix: escape req.method output
https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135

Second fix: whitelist
https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

CVE-2013-7370 was assigned to this issue.

We need fixes for:

openSUSE:12.3 and openSUSE:13.1 + Factory

References:
https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
https://bugzilla.redhat.com/show_bug.cgi?id=1091166
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7370.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370
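The override and the "Cannot [method] [url]" rendering described above, as an added illustration that is not connect's own code: the unsafe form beside a hardened form that applies both fixes (a whitelist of verbs, and HTML escaping of the reflected value). The request object shape, the `ALLOWED_METHODS` set and the helper names are assumptions.

```javascript
// Added example, not connect's code: the override logic in its unsafe form and
// in a hardened form that mirrors the two fixes referenced in the advisory.

// Assumed whitelist (second fix): only real HTTP verbs may replace req.method.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH']);

function overrideValue(req) {
  return (req.body && req.body._method) || req.headers['x-http-method-override'];
}

// Unsafe: copies the caller-controlled value straight into req.method.
function methodOverrideUnsafe(req) {
  const override = overrideValue(req);
  if (override) {
    req.originalMethod = req.method;
    req.method = String(override).toUpperCase();
  }
  return req;
}

// Hardened: a value outside the whitelist leaves req.method untouched.
function methodOverrideSafe(req) {
  const override = overrideValue(req);
  if (override) {
    const candidate = String(override).toUpperCase();
    if (ALLOWED_METHODS.has(candidate)) {
      req.originalMethod = req.method;
      req.method = candidate;
    }
  }
  return req;
}

// HTML-escape a value before reflecting it into a response body (first fix).
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// The 404 body for an unmatched verb, with and without output encoding.
function notFoundBodyUnsafe(req) { return `Cannot ${req.method} ${req.url}`; }
function notFoundBodySafe(req) { return `Cannot ${escapeHtml(req.method)} ${escapeHtml(req.url)}`; }

// Constructed request: a POST whose _method field is not an HTTP verb at all.
function sampleRequest() {
  return { method: 'POST', url: '/items', headers: {}, body: { _method: '<bogus>' } };
}

// Unsafe path reflects the raw value; safe path keeps POST and encodes output.
function compare() {
  const unsafe = notFoundBodyUnsafe(methodOverrideUnsafe(sampleRequest()));
  const safe = notFoundBodySafe(methodOverrideSafe(sampleRequest()));
  return { unsafe, safe };
}
```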
Comment 1 Swamp Workflow Management 2014-04-25 22:00:11 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2014-04-28 15:09:54 UTC
Those patches are for the 2.x version. We have a 0.x version in openSUSE. The code mentioned in those patches does not even exist.
Comment 5 Jordi Massaguer 2014-04-28 15:44:02 UTC
This issue is for the connect middleware that comes bundled in nodejs 2.x (connect overrides http.createServer method).

I tried this code with nodejs that comes in openSUSE 13.1:

   require('connect')

and the answer is

  Cannot find module 'connect'

This confirms that our nodejs does not include the connect middleware code.

The same for openSUSE 12.3
Comment 7 Jordi Massaguer 2014-04-28 15:44:41 UTC
Can we close this bug?
Comment 8 Alexander Bergmann 2014-04-28 16:46:44 UTC
Perfect! Thanks Jordi. I will close this now.
Comment 9 Alexander Bergmann 2014-04-28 16:49:15 UTC
Closing bug, as we're not affected by this issue.