Protocol/Hostname spoofing via Improper Input Validation in medialize/uri.js
Valid
Reported on
Feb 27th 2022
Description
uri.js does not strip leading whitespace characters from the protocol, so a URL such as "\bhttp://google.com" is not parsed as an absolute URL (the protocol comes out undefined and the whole string lands in the path). Several consumers, including http.get(), location.href and fetch(), strip the whitespace character in front of the protocol before sending the request, so the URL uri.js validates is not the URL that is actually fetched.
Proof of Concept
const url = require('urijs');
// "\b" (U+0008) in front of the scheme: uri.js sees no protocol and keeps the whole string as the path
console.log(new url("\bhttp://google.com"))
// The same prefix hides a javascript: scheme from uri.js while fetch()/location.href would strip it
// console.log(new url("\bjavascript:alert(1)"))
Output:
URI {
_string: '',
_parts: {
protocol: undefined,
username: null,
password: null,
hostname: null,
urn: null,
port: null,
path: '\bhttp://google.com',
query: null,
fragment: null,
preventInvalidHostname: false,
duplicateQueryParameters: false,
escapeQuerySpace: true
},
_deferred_build: true
}
Mitigation
function remove_whitespace(url){
  // Leading ASCII controls and space (\x00-\x20) plus Unicode whitespace that URL consumers may also strip
  const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
  url = url.replace(whitespace, '');
  return url;
}
Write and use a function like the one above to remove leading whitespace before the URL is passed to uri.js, so the library validates the same string the consumer will request.
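The following is an added example, not code from the report or from URI.js, showing the parser differential the description relies on and the effect of the mitigation. It uses only Node's built-in WHATWG URL parser as the stand-in for what fetch() and http.get() see; naiveProtocol is a hypothetical regex-based scheme detector that only recognises a scheme at the very start of the string, standing in for the pre-fix behaviour rather than reproducing the library's code. The whitespace class is the one from the mitigation above.

```javascript
// Leading-whitespace class from the report's mitigation.
const LEADING_WS = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;

// Hypothetical regex-style scheme detector (assumption, not URI.js code):
// returns the scheme only when it starts at offset 0, so any leading
// control character makes the whole input look like a relative path.
function naiveProtocol(input) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(input);
  return m ? m[1].toLowerCase() : undefined;
}

// What the consumer actually requests: the WHATWG parser strips leading
// C0 controls and spaces before parsing, so the scheme is recognised.
function consumerProtocol(input) {
  try {
    return new URL(input).protocol.slice(0, -1); // "http:" -> "http"
  } catch (e) {
    return undefined; // not an absolute URL at all
  }
}

// Mitigation step: normalise the same way the consumer will.
function stripLeadingWhitespace(input) {
  return input.replace(LEADING_WS, '');
}

// True when a naive pre-check and the real consumer disagree about the
// scheme; this is the condition a scheme allowlist must never rely on.
function schemeMismatch(input) {
  return naiveProtocol(input) !== consumerProtocol(input);
}

// Allowlist check done safely: strip first, then parse, then decide.
const ALLOWED_SCHEMES = new Set(['http', 'https']);
function isAllowedUrl(input) {
  const scheme = consumerProtocol(stripLeadingWhitespace(input));
  return scheme !== undefined && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs, including the two from the proof of concept.
const samples = ['http://google.com', '\bhttp://google.com', '\bjavascript:alert(1)'];
for (const s of samples) {
  console.log(JSON.stringify(s), 'naive:', naiveProtocol(s), 'consumer:', consumerProtocol(s),
              'mismatch:', schemeMismatch(s), 'allowed:', isAllowedUrl(s));
}
```

Running it shows the two PoC inputs yield no scheme for the naive detector but "http" and "javascript" for the consumer; after stripLeadingWhitespace the allowlist accepts the http URL and rejects the javascript: one.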
We are processing your report and will contact the medialize/uri.js team within 24 hours.
a year ago
Pocas modified the report
a year ago
Pocas modified the report
a year ago
We have contacted a member of the medialize/uri.js team and are waiting to hear back
a year ago
We have sent a follow up to the medialize/uri.js team. We will try again in 7 days.
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
https://github.com/medialize/URI.js/releases/tag/v1.19.9 contains the fix, thanks for the report!