Date: Mon, 21 Apr 2014 19:16:12 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - node-connect: methodOverride middleware reflected cross-site scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744374
> 
> Package: node-connect
> 
> The Node Security Project discovered an XSS vulnerability in the node
> connect module, please fix this bug by upgrading node-connect.
> 
> https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
> https://github.com/senchalabs/connect/issues/831
> 
> First fix:
> https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
> 
> Second fix:
> https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
> 
> Not sure if it needs one or two CVEs (did they do a release in
> between the fixes?)

https://github.com/senchalabs/connect/blob/2.x/History.md

2.8.2 / 2013-07-03
add whitelisting of supported methods to methodOverride()

2.8.1 / 2013-06-27
fix: escape req.method in 404 response

https://github.com/senchalabs/connect/blob/2.x/lib/utils.js has:
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');


CVE-2013-7370: XSS in the Sencha Labs Connect middleware before 2.8.1
               for Node.js

               -- allows attacks via an HTTP request with a crafted method
                  name containing JavaScript code


CVE-2013-7371: XSS in the Sencha Labs Connect middleware before 2.8.2
               for Node.js

               -- allows attacks via an HTTP request with a crafted method
                  name containing JavaScript code that doesn't rely on
                  the < character, the > character, or the " character

               -- vulnerability exists because of an incomplete fix for
                  CVE-2013-7370

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

-----END PGP SIGNATURE-----
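
An added illustration of the two fixes listed in the History.md excerpt above (not part of the original message and not Connect's own code): the escaping chain quoted from lib/utils.js next to a method allowlist of the kind the 2.8.2 entry describes. The function names, the allowlist contents and the error-body shape are assumptions made for this example.

```javascript
// Added example; not Connect's source. All function names are hypothetical.

// The four replacements quoted from lib/utils.js in the message above.
function escapeHtml(value) {
  return String(value)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Assumed allowlist for illustration; the list shipped in 2.8.2 may differ.
const SUPPORTED_METHODS = new Set([
  'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS',
]);

// 2.8.2-style control: accept an override only if it names a known method,
// otherwise keep the method the request actually arrived with.
function resolveMethod(originalMethod, override) {
  if (typeof override !== 'string') return originalMethod;
  const candidate = override.toUpperCase();
  return SUPPORTED_METHODS.has(candidate) ? candidate : originalMethod;
}

// 2.8.1-style control: escape the method before echoing it in an error body.
// The "Cannot METHOD URL" shape is an assumption made for this example.
function notFoundBody(method, url) {
  return 'Cannot ' + escapeHtml(method) + ' ' + escapeHtml(url);
}

// Audit helper: which quoting characters pass through escapeHtml unchanged?
function unescapedQuoting(input) {
  const escaped = escapeHtml(input);
  return ["'", '`'].filter((ch) => input.includes(ch) && escaped.includes(ch));
}

// Constructed sample: an override value that is not a real HTTP method.
const sampleOverride = "DEL'ETE";
console.log(unescapedQuoting(sampleOverride));            // escaping alone
console.log(resolveMethod('POST', sampleOverride));       // allowlist applied
console.log(notFoundBody(resolveMethod('POST', sampleOverride), '/missing'));
```

Escaping depends on the output context the value lands in, while the allowlist removes the attacker-controlled value before it reaches any context, which is why the second fix closes what the first left open.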
