Python URL Parsing Flaw Enables Attacks That Insert Commands Into Webpages

Описание: urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail. A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution. The vulnerability can be expected to help SSRF and RCE in a wide range of scenarios. CERT Coordination Center, CERT/CC says in an advisory. Although blocklist is generally considered an inferior choice, there are many scenarios where blocklists still need, Cao said. He emphasizes the importance of this vulnerability

#shorts #techshorts #technews #tech #technology #filtering methods #entire URL #blocklist