Lucene search
P0casFC7CDA21-82DD-4545-8A66-7C15535C5C73HistoryMar 04, 2022 - 10:29 a.m.
hostname spoofing via javascript
2022-03-0410:29:25
p0cas
www.huntr.dev
16
javascript
node.js
hostname spoofing
security vulnerability
cve-2018-12123
bug bounty
EPSS
0.001
Percentile
47.1%
Description
If use parse-url for security check on url, it is dangerous because hostname spoofing through JavaScript scheme is possible. It also occurred in url.parse() of node.js in 2018, and node.js acknowledged the vulnerability for this. So Node.js has patched it, and there are cases where a CVE was issued after the security release.
sh-3.2$ node -e 'console.log(require("url").parse("javascript://google.com/%0aalert(1)"))'
Url {
protocol: 'javascript:',
slashes: null,
auth: null,
host: null,
port: null,
hostname: null,
hash: null,
search: null,
query: null,
pathname: '//google.com/%0aalert(1)',
path: '//google.com/%0aalert(1)',
href: 'javascript://google.com/%0aalert(1)'
}
sh-3.2$
First of all, the above result is the result of url.parser() of node.js. If hostname is passed, it is recognized as a path.
Proof of Concept
sh-3.2$ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("javascript://google.com/%0aalert(1)"))'
{
protocols: [ 'javascript' ],
protocol: 'javascript',
port: null,
resource: 'google.com',
user: '',
pathname: '/%0aalert(1)',
hash: '',
search: '',
href: 'javascript://google.com/%0aalert(1)',
query: [Object: null prototype] {}
}
sh-3.2$
But unlike parse-url in node.js, it parses hostname correctly.
Refer to CVE-2018-12123
Related
nessus
nessus
Photon OS 1.0: Nodejs PHSA-2020-1.0-0306
2020-07-14 00:00:00
Photon OS 2.0: Nodejs PHSA-2020-2.0-0210
2020-02-26 00:00:00
F5 Networks BIG-IP : Node.js vulnerabilities (K000137090)
2023-10-02 00:00:00
debiancve
debiancve
CVE-2018-12123
2018-11-28 17:29:00
prion
prion
Design/Logic Flaw
2018-11-28 17:29:00
cbl_mariner
cbl_mariner
CVE-2018-12123 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
cvelist
cvelist
CVE-2018-12123
2018-11-28 17:00:00
redhatcve
redhatcve
CVE-2018-12123
2020-02-02 02:37:48
ubuntucve
ubuntucve
CVE-2018-12123
2018-11-28 00:00:00
veracode
veracode
Hostname Spoofing
2018-11-30 05:49:00
ibm
ibm
nvd
nvd
CVE-2018-12123
2018-11-28 17:29:00
alpinelinux
alpinelinux
CVE-2018-12123
2018-11-28 17:29:00
osv
osv
CVE-2018-12123
2018-11-28 17:29:00
nodejs vulnerabilities
2021-03-15 21:18:37
cve
cve
CVE-2018-12123
2018-11-28 17:29:00
photon
photon
openvas
openvas
Node.js Multiple Vulnerabilities (Nov 2018) - Windows
2018-11-29 00:00:00
Node.js Multiple Vulnerabilities (Nov 2018) - Mac OS X
2018-11-29 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:0118-1)
2021-06-09 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 10.14.1-alt1
2018-11-30 00:00:00
f5
f5
suse
suse
Security update for nodejs8 (important)
2019-01-28 00:00:00
Security update for nodejs4 (important)
2019-01-25 00:00:00
Security update for nodejs6 (important)
2019-02-22 00:00:00
redhat
redhat
(RHSA-2019:1821) Important: rh-nodejs8-nodejs security update
2019-07-22 13:09:06
(RHSA-2019:2939) Important: rh-nodejs10-nodejs security update
2019-09-30 23:10:11
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-11-27 00:00:00
nodejsblog
nodejsblog
November 2018 Security Releases
2018-11-28 00:00:00
ubuntu
ubuntu
Node.js vulnerabilities
2021-03-15 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2019-09-15 16:24:16
gentoo
gentoo
Node.js: Multiple vulnerabilities
2020-03-20 00:00:00