oss-sec mailing list archives
CVE request:Lynx invalid URL parsing with '?'
From: redrain root <rootredrain () gmail com>
Date: Thu, 3 Nov 2016 17:58:14 +0800
I can't find any bugtracker in lynx ,so i will disclose by this mail and sent to the author dickey () invisible-island net. redrain (rootredrain () gmail com) Date:2016-11-03 Version: 2.8.8pre.4、2.8.9dev.8 and earlier Platform: Linux and Windows Vendor: http://lynx.browser.org/ Vendor Notified: 2016-11-03 VULNERABILITY ------------------------- Lynx doesn't parse the authority component of the URL correctly when the host name part ends with '?', and could instead be tricked into connecting to a different host. Passing in `*http://google.com?@hackdog.me/ <http://google.com?@hackdog.me/>*` <http://example.com/#@evil.com/x.txt> would wrongly make lynx send a request to hackdog.me while your browser would connect to google.com given the same URL. PoC ------------------------ lynx "http://google.com?@hackdog.me/" SOLUTION ------------------------- follow the RFC and check for domains before send request. Regards, redrain
Current thread:
- CVE request:Lynx invalid URL parsing with '?' redrain root (Nov 03)
- Re: CVE request:Lynx invalid URL parsing with '?' Leo Famulari (Nov 03)
- Re: CVE request:Lynx invalid URL parsing with '?' cve-assign (Nov 04)
- Re: CVE request:Lynx invalid URL parsing with '?' Thomas Dickey (Nov 04)
- Message not available
- Re: [FD] [oss-security] CVE request:Lynx invalid URL parsing with '?' Michal Zalewski (Nov 05)