CVE-2013-7371
Cross-site scripting vulnerability in connect (npm)
What is CVE-2013-7371 About?
This is a cross-site scripting (XSS) vulnerability in node-connect's methodOverride middleware, stemming from an incomplete fix for a previous XSS flaw. It allows attackers to inject arbitrary client-side script into the 404 error page. Exploitation is straightforward, requiring only a crafted HTTP POST request.
Affected Software
Technical Details
The node-connect 'methodOverride' middleware allows HTTP POST requests to override the standard HTTP method via the _method post key or the x-http-method-override header. Prior to version 2.8.2, this middleware did not validate user input assigned to req.method. As a result, an attacker could inject arbitrary strings, including <script> tags, into req.method. If req.method did not correspond to a recognized HTTP verb, connect would respond with a 404 page containing the string 'Cannot [method] [url]'. Since the injected req.method value was not properly encoded for HTML output in this 404 response, the embedded <script> tag would execute in the victim's browser, leading to a cross-site scripting attack.
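The following added example is a simplified model of the behaviour described above, not connect's source code or its actual patch. It sets an unvalidated override beside one that accepts only known verbs, and an unencoded 404 body beside an encoded one. The function names, the allowlist and the sample request are assumptions made for illustration.

```javascript
// Added example: simplified model of the flaw, not connect's source code.
// Assumed allowlist of verbs an application would accept as overrides.
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']);

// Read the override from the _method body key or the x-http-method-override header.
function overrideCandidate(req) {
  const value = (req.body && req.body._method) || req.headers['x-http-method-override'];
  return typeof value === 'string' ? value.toUpperCase() : null;
}

// "Before": any string supplied by the client becomes req.method.
function overrideUnvalidated(req) {
  const candidate = overrideCandidate(req);
  if (candidate) req.method = candidate;
  return req;
}

// "After": req.method changes only when the candidate is a known verb.
function overrideValidated(req) {
  const candidate = overrideCandidate(req);
  if (candidate && ALLOWED_METHODS.has(candidate)) req.method = candidate;
  return req;
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 404 body in the 'Cannot [method] [url]' shape, without output encoding.
function notFoundRaw(req) {
  return 'Cannot ' + req.method + ' ' + req.url;
}

// Same body with both reflected values encoded (defence in depth).
function notFoundEncoded(req) {
  return 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.url);
}

// Constructed sample request: a POST whose _method value carries markup.
function sampleRequest(methodValue) {
  return { method: 'POST', url: '/missing', headers: {}, body: { _method: methodValue } };
}

const marker = '<script>/*constructed*/</script>';
console.log(notFoundRaw(overrideUnvalidated(sampleRequest(marker))));
console.log(notFoundRaw(overrideValidated(sampleRequest(marker))));
console.log(notFoundEncoded(overrideUnvalidated(sampleRequest(marker))));
```

Validating the method and encoding the error page are independent controls; either one alone keeps the markup out of the rendered 404 response in this model.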
What is the Impact of CVE-2013-7371?
Successful exploitation may allow attackers to inject arbitrary client-side scripts, steal session cookies, deface web pages, redirect users to malicious websites, or perform actions as the victim within the application.
What is the Exploitability of CVE-2013-7371?
Exploitation of this vulnerability has low complexity and requires neither authentication nor special privileges. An attacker can trigger the XSS remotely by sending a specially crafted HTTP POST request in which the _method POST key or the x-http-method-override header contains the malicious script. The primary condition is that the target server runs a vulnerable version of node-connect with the methodOverride middleware enabled. The ease of crafting the request increases the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2013-7371?
Available Upgrade Options
- connect
  - <2.8.2 → Upgrade to 2.8.2
Additional Resources
- https://exchange.xforce.ibmcloud.com/vulnerabilities/92710
- https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
- https://security-tracker.debian.org/tracker/CVE-2013-7371
- http://www.openwall.com/lists/oss-security/2014/05/13/1
- https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
- http://www.openwall.com/lists/oss-security/2014/04/21/2
- https://github.com/senchalabs/connect
- https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
- https://osv.dev/vulnerability/GHSA-6w62-83g6-rfhj
What are Similar Vulnerabilities to CVE-2013-7371?
Similar Vulnerabilities: CVE-2013-7370, CVE-2015-8854, CVE-2016-10547, CVE-2017-7610, CVE-2017-7611
