Researchers discovered URL-parsing bugs that could impact several web apps. The vulnerabilities arise from inconsistencies in how the affected libraries parse URLs.
Eight different security vulnerabilities arising from inconsistencies among 16 different URL parsing libraries could allow denial-of-service (DoS) conditions, information leaks, and remote code execution (RCE) in various web applications, researchers are warning.
The bugs were found in third-party web packages written for various languages and, like Log4Shell and other software supply-chain threats, could have been imported into hundreds or thousands of different web apps and projects. Those affected are Flask (a micro web framework written in Python), Video.js (an HTML5 video player), Belledonne (free VoIP and IP video phone), Nagios XI (network and server monitoring), and Clearance (password authentication for Ruby).
What Is URL Parsing, and What Is URL Parsing Confusion?
URL parsing is the process of breaking down a web address into its underlying components, to correctly route traffic across different links or into different servers. URL parsing libraries, which are available for various programming languages, are usually imported into applications to fulfill this function.
“The confusion in URL parsing can cause unexpected behavior in the software (e.g., web application), and could be exploited by threat actors to cause denial-of-service conditions, information leaks, or possibly conduct remote code execution attacks,” the researchers said in a report.
According to a combined analysis, security holes crop up thanks to differences in the way each library goes about its parsing activities.
Team82 and Snyk examined 16 different URL parsing libraries: urllib (Python), urllib3 (Python), rfc3986 (Python), httptools (Python), curl lib (cURL), Wget, Chrome (Browser), Uri (.NET), URL (Java), URI (Java), parse_url (PHP), url (NodeJS), url-parse (NodeJS), net/url (Go), uri (Ruby) and URI (Perl).
With URLs being a fundamental mechanism by which resources — located either locally or on the web — can be requested and retrieved, differences in how the parsing libraries interpret a URL request could pose a significant risk for users.
Across these libraries, the researchers identified five categories of inconsistencies in how URL components are parsed:
- Scheme Confusion: A confusion involving URLs with missing or malformed Scheme
- Slash Confusion: A confusion involving URLs containing an irregular number of slashes
- Backslash Confusion: A confusion involving URLs containing backslashes (\)
- URL Encoded Data Confusion: A confusion involving URLs containing URL Encoded data
- Scheme Mix-ups: A confusion involving parsing a URL belonging to a certain scheme without a scheme-specific parser
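The five categories above can be turned into a pre-parse check that rejects ambiguous URLs before any library interprets them. The following is an added example, not code from the researchers' report or from any of the listed libraries; the function name, the category labels and the http/https allowlist are assumptions made for illustration, and percent-encoding is only flagged in the authority part because encoded paths and query strings are normal.

```python
import re

# Assumption: the application only has a parser for web URLs. Any other
# scheme is treated as a scheme mix-up rather than passed to a generic parser.
ALLOWED_SCHEMES = {"http", "https"}

# Optional RFC 3986 scheme, then the run of slashes, then the authority
# (everything up to the first "/", "?" or "#"). Every part may be empty,
# so this pattern matches any input string.
_URL_HEAD = re.compile(r"^(?:([A-Za-z][A-Za-z0-9+.\-]*):)?(/*)([^/?#]*)")
_PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def confusion_flags(url: str) -> list:
    """Return the confusion categories a URL falls into; empty means none."""
    flags = []
    scheme, slashes, authority = _URL_HEAD.match(url).groups()
    if scheme is None:
        # Missing or malformed scheme: parsers disagree on what follows.
        flags.append("scheme-confusion")
    else:
        if scheme.lower() not in ALLOWED_SCHEMES:
            flags.append("scheme-mixup")
        if len(slashes) != 2:
            # Anything other than exactly "//" after the scheme.
            flags.append("slash-confusion")
    if "\\" in url:
        flags.append("backslash-confusion")
    if _PCT_ENCODED.search(authority):
        # Some parsers decode the host before use, others do not.
        flags.append("encoded-data-confusion")
    return flags


if __name__ == "__main__":
    # Constructed sample inputs, one per category plus a clean URL.
    samples = [
        "https://example.com/a%20b?q=1",
        "example.com/path",
        "https:///example.com/",
        "https://example.com\\path",
        "https://exa%6dple.com/",
        "ftp://example.com/file",
    ]
    for s in samples:
        print(f"{s!r:40} -> {confusion_flags(s) or 'ok'}")
```

A URL that returns any flag is one that two parsers in the same request path may interpret differently, so rejecting it outright is safer than trying to normalise it.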
URL Parsing Security Flaws
The eight flaws discovered are as follows, all of which have since been addressed by their respective maintainers:
- Belledonne’s SIP Stack (C, CVE-2021-33056)
- Nagios XI (PHP, CVE-2021-37352)
- Flask-security (Python, CVE-2021-23385)
- Flask-security-too (Python, CVE-2021-32618)
- Flask-unchained (Python, CVE-2021-23393)
- Flask-User (Python, CVE-2021-23401)
- Clearance (Ruby, CVE-2021-23435)
Researchers said to protect applications from URL parsing vulnerabilities, “it is necessary to fully understand which parsers are involved in the whole process [and] the differences between parsers, be it their leniency, how they interpret different malformed URLs, and what types of URLs they support.”