Headline
GHSA-x698-5hjm-w2m5: pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
Summary
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.
Details
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the Host header to the value of 127.0.0.1:9666.
PoC
The application has middleware that prevents access to several routes by checking whether the Host header has a specific value. We bypassed this restriction.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36
#: decorator
def local_check(func):
@wraps(func)
def wrapper(*args, **kwargs):
remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
http_host = flask.request.environ.get("HTTP_HOST", "0")
if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
"127.0.0.1:9666",
"[::1]:9666",
):
return func(*args, **kwargs)
else:
return "Forbidden", 403
return wrapper
Below we see that the ‘/flash/add’ endpoint uses the middleware above.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11
@bp.route("/flash/add", methods=["POST"], endpoint="add")
@local_check
def add():
Notice how we are not authorized to access this endpoint when sending a request.
However, if we set the Host header to be 127.0.0.1:9666, we notice the request returns success.
Checking the front end as an admin, we now see that this did indeed succeed.
Impact
An unauthenticated user can perform actions that should only be available to authenticated users.
Summary
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.
Details
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the Host header to the value of 127.0.0.1:9666.
PoC
The application has middleware that prevents access to several routes by checking whether the Host header has a specific value. We bypassed this restriction.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36
#: decorator def local_check(func): @wraps(func) def wrapper(*args, **kwargs): remote_addr = flask.request.environ.get("REMOTE_ADDR", “0”) http_host = flask.request.environ.get("HTTP_HOST", “0”)
if remote\_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http\_host in (
"127.0.0.1:9666",
"\[::1\]:9666",
):
return func(\*args, \*\*kwargs)
else:
return "Forbidden", 403
return wrapper
Below we see that the ‘/flash/add’ endpoint uses the middleware above.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11
@bp.route(“/flash/add", methods=[“POST”], endpoint="add”) @local_check def add():
Notice how we are not authorized to access this endpoint when sending a request.
However, if we set the Host header to be 127.0.0.1:9666, we notice the request returns success.
Checking the front end as an admin, we now see that this did indeed succeed.
Impact
An unauthenticated user can perform actions that should only be available to authenticated users.
References
- GHSA-x698-5hjm-w2m5
- pyload/pyload@f4e2d12
- https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36
- https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11