[Security Report] hostname spoofing via url.parse in follow-redirects #235
Comments
Thank you for the very thorough investigation and explanation. We should probably just not support wrapping the hostname in brackets. I'll have a look.

You may test with this dockerfile that I wrote for testing the PoC.

Thanks, working in #236

May I request a CVE number for this issue?

Absolutely; too bad that huntr.dev did not work out, they did all of that automatically. Fixed in v1.15.4 btw!
That versions patches `follow-redirects` package to a version that does not have the following vulnerability - follow-redirects/follow-redirects#235
* Upgrade axios to version 1.6.5

That versions patches `follow-redirects` package to a version that does not have the following vulnerability - follow-redirects/follow-redirects#235

* Upgrade axios to 1.6.8

---------

Co-authored-by: Robert Bagge <rob@satis.ai>
Co-authored-by: Shubham <tiwarishubham635@gmail.com>
By the way, I read about Security.md, but the huntr.dev service has changed to an AI/ML open source bug bounty platform, so I couldn't report it there. For that reason, I'm writing it here.

Description

Below is part of `follow-redirects`'s `index.js` code. It checks whether the URL hostname starts with the `[` character, which means that if the urlObject is `http://[localhost]/`, then it converts it to `http://localhost/`. But actually the above code is not vulnerable code. (Just the idea comes from the above code.)

The problem comes from the code below. The `urlToOptions()` function is called after `new URL()`. When `new URL('http://[localhost]')` is called, it throws an error, which is `Invalid URL`. Then it goes to the `catch { }` phrase. In the `catch { }` phrase, there is a vulnerable function, which is `url.parse()`. `url.parse('http://[localhost]')` sees the URL as `http://localhost`. Let's look at the PoC code.

Proof of Concept

Above is a web server built with express and follow-redirects. If a user requests like below, the server responds with `Admin Page`. This is just example code. There could be other cases using this vulnerability. And also hostname spoofing does not only affect localhost. It is also possible for other domains.

The main point is that inside the `follow-redirects` module, it uses the vulnerable function `url.parse()` when `new URL()` throws an error. The `url.parse()` function is now deprecated and it has a hostname spoofing vulnerability. You can check this site for understanding: https://hackerone.com/reports/678487

Impact

Hostname spoofing may cause open redirect, SSRF, etc.

Occurrences

https://github.com/follow-redirects/follow-redirects/blob/main/index.js#L503