oss-sec mailing list archives

CVE request:Lynx invalid URL parsing with '?'

From: redrain root <rootredrain () gmail com>
Date: Thu, 3 Nov 2016 17:58:14 +0800

I can't find any bugtracker in lynx ,so i will disclose by this mail and
sent to the author dickey () invisible-island net.

redrain (rootredrain () gmail com)
Date:2016-11-03
Version: 2.8.8pre.4、2.8.9dev.8 and earlier
Platform: Linux and Windows
Vendor: http://lynx.browser.org/
Vendor Notified: 2016-11-03


VULNERABILITY
-------------------------

Lynx doesn't parse the authority component of the URL correctly when the
host
name part ends with '?', and could instead be tricked into
connecting to a different host.

Passing in `*http://google.com?@hackdog.me/
<http://google.com?@hackdog.me/>*` <http://example.com/#@evil.com/x.txt> would
wrongly make lynx send a
request to hackdog.me while your browser would connect to google.com given
the same URL.

PoC
------------------------
lynx  "http://google.com?@hackdog.me/";


SOLUTION
-------------------------
follow the RFC and check for domains before send request.



Regards,
redrain

Current thread:

CVE request:Lynx invalid URL parsing with '?' redrain root (Nov 03)
- Re: CVE request:Lynx invalid URL parsing with '?' Leo Famulari (Nov 03)
- Re: CVE request:Lynx invalid URL parsing with '?' cve-assign (Nov 04)
- Re: CVE request:Lynx invalid URL parsing with '?' Thomas Dickey (Nov 04)
- Message not available
  - Re: [FD] [oss-security] CVE request:Lynx invalid URL parsing with '?' Michal Zalewski (Nov 05)