Bugs in 16 popular URL parser libraries could be exploited by hackers
Cybercriminals and hackers are constantly probing and testing defenses in order to try and find a way into systems, from which they can wreak havoc. But it’s not just defenses that they’re trying to tackle – it’s also the everyday architecture of the internet that we use. Vulnerabilities have been found in a number of different URL parsing libraries that could enable hackers to cause problems.
Eight separate security issues found by researchers at cybersecurity firms Claroty and Synk could enable hackers to launch several problems from denial-of-service (DoS) conditions, information leaks, and remote code execution (RCE) in various web applications.
All the issues were uncovered in a survey of third-party web packages written in different programming languages, including some of the biggest, most widely-used tools. HTML5 video player Video.js is one of the tools affected, alongside Ruby password authenticator Clearance.
The issues have been found in the URL parsing process, which splits a web address into its core components that route traffic to the relevant part of the world wide web. These are deployed by third-party applications in order to make the re-routing process easier.
Issues with URL parser libraries
“URLs are actually built from five different components: scheme, authority, path, query and a fragment,” researchers from Claroty and Synk wrote in their analysis. “Each component fulfills a different role, be it dictating the protocol for the request, the host which holds the resource, which exact resource should be fetched and more.”
The team analysed 16 different URL parsing libraries, including: urllib (Python), urllib3 (Python), rfc3986 (Python), httptools (Python), curl lib (cURL), Wget, Chrome (Browser), Uri (.NET), URL (Java), URI (Java), parse_url (PHP), url (NodeJS), url-parse (NodeJS), net/url (Go), uri (Ruby), and URI (Perl). They found five separate problems in how the above-mentioned libraries parse their components.
Each of the identified issues can cause problems that result in vulnerable code blocks – whether through overlapping URL parsers introducing vulnerabilities into the software or differing standards that can create inconsistencies not seen as a problem by those tasked with overlooking their cybersecurity.
Big problems ensue
“What is important to understand is that URL syntax is complex and many edge cases could arise when non-standard inputs are given to a URL parser,” says Claroty and Synk.
This is what concerns the researchers quite so much – the idea that these parsers are so ubiquitous that they could cause similar problems to the Log4j vulnerability that has wreaked havoc in recent weeks.
Eight high-security vulnerabilities that come from the URL parsing problems have been discovered in five third-party applications:
- Flask-security open redirect (Python, CVE-2021-23385)
- Flask-security-too open redirect (Python, CVE-2021-32618)
- Flask-User open redirect (Python, CVE-2021-23401)
- Flask-unchained open redirect (Python, CVE-2021-23393)
- Belledonne’s SIP Stack null pointer dereference (DoS) (C, CVE-2021-33056)
- Nagios XI open redirect (PHP, CVE-2021-37352)
- Clearance open redirect (Ruby, CVE-2021-23435)
They also suggest that IT professionals should take mitigating actions to prevent any problems from happening. The key option? Validating URLs to make sure they’re correct and don’t get overlooked.
“The web server validates the given URL and allows only URLs that belong to the same site or to a list of trusted domains,” the researchers say.