Researchers discovered URL-parsing bugs that could impact several web apps. The cybersecurity experts noticed some vulnerabilities borne out of inconsistencies from the affected libraries.
They further warned that these apps could be outlets for data leaks, remote code execution (RCE), and denial-of-service (DoS) attacks.
What is URL Parsing
URL-Parsing Bugs
Before discussing the bugs that hit certain libraries, we should first know the definition of URL parsing. According to Threatpost, it is the process of "breaking down a web address" into various components. Its main goal is to properly align the traffic across different servers.
Many programming languages allow URL parsing libraries to operate. They could do that by importing apps on them to access their functionality.
Per researchers' analysis on Monday, there are five distinct components that URLs are based on. These include the fragment, query, scheme, path, and authority. On top of that, the team said that each of them has designated roles necessary for exacting the resource and other processes.
Related Article: AT&T Networking Devices' Old Flaw Now Exploited by New Malware to Conduct DoS Attacks! Thousands of US Customers Affected
URL Parsing Confusions
From what they found out earlier this week, some loopholes affected the libraries with regards to their parsing.
Upon scrutinizing 16 URL parsing libraries, Synk and Team82 researchers identified five categories of inconsistencies among them. These are the following:
-
Scheme confusion - involves missing Scheme in URLs
-
Slash confusion - involves an irregular number of slashes in URLs
-
Backslash confusion - involves backslashes in URLs
-
URL Encoded Data confusion - involves URLs with Encoded data
-
Scheme Mix-ups - involves URL parsing with a particular scheme that does not require a scheme-specific parser
The report added that two issues on main web applications were seen. These are the specification incompatibility and multiple parsers in use.
In layman's terms, the confusion could result in the appearance of DoS and RCE attacks, as the researchers explained. Moreover, the URL confusion could bypass the Log4J Shell patch which was alarming to all internet users.
8 URL Parsing Bugs
In another report from The Hacker News on Monday, Jan. 10, eight vulnerabilities were discovered by the researchers. The following is a list of URL parsing security bugs that resulted in confusions. They made third-party web apps susceptible to spoofing.
-
Belledonne's SIP Stack (C, CVE-2021-33056)
-
Video.js (JavaScript, CVE-2021-23414)
-
Nagios XI (PHP, CVE-2021-37352)
-
Flask-security (Python, CVE-2021-23385)
-
Flask-security-too (Python, CVE-2021-32618)
-
Flask-unchained (Python, CVE-2021-23393)
-
Flask-User (Python, CVE-2021-23401)
-
Clearance (Ruby, CVE-2021-23435)
How to Avoid Cyberattacks When Working at Home
Last November, Tech Times wrote an article about WFH attacks and how to prevent them. To protect your computers from further harm, here's what you need to do.
First, regularly check your password on your PC and do not share it with others, even with your friends. If you notice an alarming message on your account, immediately contact the authorities to seek help. Ask them if the warning is legitimate or not.
After that, we advise you to change your routers, especially those that are old models. Usually, outdated routers can be easily accessed by hackers.
Last week, we also reported that Google launched a January security patch for the Pixel 911 Android bug. The glitch was reportedly preventing users from calling the emergency hotline.
Read Also: Third Log4J Security Flaw Discovered | Apache Releases Another Patch Update
This article is owned by Tech Times
Written by Joseph Henry
