Authorization Bypass Through User-Controlled Key in medialize/uri.js

Valid

Reported on

Feb 14th 2022

Description

Bypass for https://huntr.dev/bounties/1625558772840-medialize/URI.js/

urijs fixed the issue for CVE-2021-3647, however an attacker can still exploit the issue due to case-sensitive checks in the earlier patch. Attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for that bug.

Proof of Concept

var URI = require('urijs');
var url = new URI("HTTPS:///github.com/abc"); 
console.log(url);

OUTPUT:

URI {
  _string: '',
  _parts: {
    protocol: 'HTTPS',
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '/github.com/abc',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}

Impact

Bypass host-validation checks, open redirect, SSRF etc. - depends on the usage of urijs

Occurrences

add i modifier for case-insensitive checks

We are processing your report and will contact the medialize/uri.js team within 24 hours. 2 years ago
Rohan Sharma submitted a
patch
2 years ago
Rohan Sharma
2 years ago

Researcher

Submitted the patch and PR: https://github.com/medialize/URI.js/pull/412

Rodney Rehm validated this vulnerability 2 years ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodney Rehm
2 years ago

Maintainer

The fix provided by @r0hansh has been published as version 1.19.8 - https://github.com/medialize/URI.js/releases/tag/v1.19.8

Rodney Rehm marked this as fixed in 1.19.8 with commit 6ea641 2 years ago
Rohan Sharma has been awarded the fix bounty
This vulnerability will not receive a CVE
URI.js#L516 has been validated
to join this conversation