Full Disclosure mailing list archives
[oss-security] CVE request:Lynx invalid URL parsing with '?'
From: redrain root <rootredrain () gmail com>
Date: Thu, 3 Nov 2016 17:58:14 +0800
I can't find any bugtracker in lynx ,so i will disclose by this mail and sent to the author dickey () invisible-island net. redrain (rootredrain () gmail com) Date:2016-11-03 Version: 2.8.8pre.4、2.8.9dev.8 and earlier Platform: Linux and Windows Vendor: http://lynx.browser.org/ Vendor Notified: 2016-11-03 VULNERABILITY ------------------------- Lynx doesn't parse the authority component of the URL correctly when the host name part ends with '?', and could instead be tricked into connecting to a different host. Passing in `*http://google.com?@hackdog.me/ <http://google.com?@hackdog.me/>*` <http://example.com/#@evil.com/x.txt> would wrongly make lynx send a request to hackdog.me while your browser would connect to google.com given the same URL. PoC ------------------------ lynx "http://google.com?@hackdog.me/" SOLUTION ------------------------- follow the RFC and check for domains before send request. Regards, redrain _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [oss-security] CVE request:Lynx invalid URL parsing with '?' redrain root (Nov 04)
- Re: [oss-security] CVE request:Lynx invalid URL parsing with '?' Thomas Dickey (Nov 04)
- Re: [oss-security] CVE request:Lynx invalid URL parsing with '?' Leo Famulari (Nov 04)
- Re: [oss-security] CVE request:Lynx invalid URL parsing with '?' Thomas Dickey (Nov 04)
- Re: [oss-security] CVE request:Lynx invalid URL parsing with '?' Michal Zalewski (Nov 05)