[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] [oss-security] CVE request:Lynx invalid URL parsing with '?'
- To: dickey@xxxxxxxxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx, fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] [oss-security] CVE request:Lynx invalid URL parsing with '?'
- From: redrain root <rootredrain@xxxxxxxxx>
- Date: Thu, 3 Nov 2016 17:58:14 +0800
I can't find any bugtracker in lynx ,so i will disclose by this mail and
sent to the author dickey@xxxxxxxxxxxxxxxxxxxx.
redrain (rootredrain@xxxxxxxxx)
Date:2016-11-03
Version: 2.8.8pre.4、2.8.9dev.8 and earlier
Platform: Linux and Windows
Vendor: http://lynx.browser.org/
Vendor Notified: 2016-11-03
VULNERABILITY
-------------------------
Lynx doesn't parse the authority component of the URL correctly when the
host
name part ends with '?', and could instead be tricked into
connecting to a different host.
Passing in `*http://google.com?@hackdog.me/
<http://google.com?@hackdog.me/>*` <http://example.com/#@evil.com/x.txt> would
wrongly make lynx send a
request to hackdog.me while your browser would connect to google.com given
the same URL.
PoC
------------------------
lynx "http://google.com?@hackdog.me/";
SOLUTION
-------------------------
follow the RFC and check for domains before send request.
Regards,
redrain
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/