Understanding CVE-2023-24329 - Python urlparse Function
First, I want to tell you what urlparse does. The URL parsing functions focus on splitting a URL string into its components, or on combining URL components into a URL string.
Description:-
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
So first we look at the code

From the code, we can see that some hosts are blocked, including "example.com", which we are testing. We call the function twice: safeURLOpener("https://example.com") and safeURLOpener(" https://example.com"). The first call has no space at the start of the URL and the second call has a space at the start; both have the same hostname.
The website https://example.com/ looks like this:-

So now let’s run the code

My Python version is >3.14, so in spite of blocking https://example.com/, if we add a space at the beginning it gives us the response of https://example.com/.
Impact
Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems.
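One way to write the blocklist check so that it fails closed regardless of how the interpreter's urlparse treats leading blanks, shown as an added example that is not the code from this post. The names naive_is_allowed and strict_is_allowed, the blocklist contents and the scheme allow-list are assumptions made for illustration.

```python
from urllib.parse import urlparse

BLOCKED_HOSTS = {"example.com"}      # constructed blocklist using the post's test host
ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web URLs are expected
C0_OR_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020


def naive_is_allowed(url: str) -> bool:
    """Blocklist check that trusts urlparse() output as-is."""
    # On interpreters affected by CVE-2023-24329, a URL with leading blanks
    # parses with hostname None, so the blocklist lookup never matches.
    return urlparse(url).hostname not in BLOCKED_HOSTS


def strict_is_allowed(url: str) -> bool:
    """Same policy, but independent of how the interpreter treats blanks."""
    # Reject, rather than silently repair, leading/trailing blanks and
    # embedded tab/CR/LF, which URL openers may strip before connecting.
    if url != url.strip(C0_OR_SPACE) or any(c in url for c in "\t\r\n"):
        return False
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Allow-list the scheme so an unparsed or unexpected scheme fails closed.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".").lower()
    # Match the blocked name and its subdomains.
    return not any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


if __name__ == "__main__":
    for candidate in ("https://example.com", " https://example.com",
                      "https://example.org", "file:///etc/passwd"):
        print(repr(candidate), naive_is_allowed(candidate),
              strict_is_allowed(candidate))
```

The naive result for the URL with a leading space depends on the interpreter version; the strict result does not.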
We are done! Great job everyone.