oss-sec mailing list archives
Re: CVE request - node-connect: methodOverride middleware reflected cross-site scripting
From: cve-assign () mitre org
Date: Mon, 21 Apr 2014 19:16:12 -0400 (EDT)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744374
> Package: node-connect
>
> The Node Security Project discovered an XSS vulnerability in the node
> connect module, please fix this bug by upgrading node-connect.
>
> https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
> https://github.com/senchalabs/connect/issues/831
>
> First fix:
> https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
> Second fix:
> https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

> Not sure if it needs one or two CVE's (did they do a release in between the fixes?

https://github.com/senchalabs/connect/blob/2.x/History.md

  2.8.2 / 2013-07-03
    add whitelisting of supported methods to methodOverride()

  2.8.1 / 2013-06-27
    fix: escape req.method in 404 response

https://github.com/senchalabs/connect/blob/2.x/lib/utils.js has:

    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');

CVE-2013-7370: XSS in the Sencha Labs Connect middleware before 2.8.1
for Node.js -- allows attacks via an HTTP request with a crafted method
name containing JavaScript code

CVE-2013-7371: XSS in the Sencha Labs Connect middleware before 2.8.2
for Node.js -- allows attacks via an HTTP request with a crafted method
name containing JavaScript code that doesn't rely on the < character,
the > character, or the " character -- vulnerability exists because of
an incomplete fix for CVE-2013-7370

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
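
The two changes named in the History.md excerpt above (escaping req.method in the 404 response, then whitelisting the methods methodOverride() accepts) are shown together below. This is an added example, not part of the original message and not connect's own code: `overrideMethod`, `notFoundBody`, `SUPPORTED_METHODS` and the sample requests are hypothetical, and only the escape chain is taken from the utils.js lines quoted in the message.

```javascript
// Escape chain as quoted from lib/utils.js in the message above.
function escapeHtml(html) {
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Assumption: illustrative allowlist; the list used by the real fix is not on the page.
const SUPPORTED_METHODS = new Set(
  ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']);

// Hypothetical stand-in for methodOverride(): a client-supplied body field may
// replace req.method only when it names an allowlisted HTTP method.
function overrideMethod(req, key = '_method') {
  req.originalMethod = req.originalMethod || req.method;
  const candidate = req.body && req.body[key];
  if (typeof candidate === 'string') {
    const upper = candidate.toUpperCase();
    if (SUPPORTED_METHODS.has(upper)) req.method = upper; // otherwise keep the real method
    delete req.body[key];
  }
  return req;
}

// Hypothetical 404 body: anything reflected from the request is escaped on output.
function notFoundBody(req) {
  return 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.url);
}

// Constructed sample requests: one legitimate override, one carrying markup.
const samples = [
  { method: 'POST', url: '/items/1', body: { _method: 'delete' } },
  { method: 'POST', url: '/items/1', body: { _method: '<b>x</b>' } },
];

function runSamples() {
  // Deep-copy each sample so repeated runs start from the same input.
  return samples.map(s => notFoundBody(overrideMethod(JSON.parse(JSON.stringify(s)))));
}

console.log(runSamples());
```

The allowlist is applied to the input and the escaping to the output, so a value that is not a known method never reaches the response at all, rather than depending on the escape chain covering every character that matters in the surrounding HTML.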
Current thread:
- CVE request - node-connect: methodOverride middleware reflected cross-site scripting Kurt Seifried (Apr 15)
- Re: CVE request - node-connect: methodOverride middleware reflected cross-site scripting cve-assign (Apr 21)