Description
pyLoad allows upload to arbitrary folder lead to RCE
Summary
An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution.
Details
Example version: 0.5, file: src/pyload/webui/app/blueprints/app_blueprint.py
So, if we can control a file under the path "pyload/webui/app/templates" in the latest version, or under "module/web/media/js" in the older version 0.4.20 (the difference being that 0.4.20 only renders files with the ".js" extension), the render_template function behaves like SSTI (server-side template injection) when it renders the malicious file we control.
On the /settings page, under the General/General option, we can change the download folder.
We can also find the pyLoad installation folder on the /info page.
So we can change the value of Download folder to the template path. Then, through /json/add_package, we can upload a crafted template file to achieve RCE.
PoC
First, log into the admin page, then visit the info page to get the path of the pyLoad installation folder. Second, change the download folder to PYLOAD_INSTALL_DIR/webui/app/templates/. Third, upload the crafted template file through /json/add_package via the add_file parameter; the content of the crafted template file, whose filename is "341.html", is:
Finally, visit http://TARGET/render/tmp_341.html to trigger the RCE.
Impact
This is an RCE vulnerability and I think it affects all versions. In the earlier version 0.4.20, the differences are the pyLoad installation folder path and that the uploaded file must have the ".js" extension. The render JS code in version 0.4.20:
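As an added mitigation example (not pyLoad's own code; the layout helper and function names are assumptions), this validator refuses any download folder that resolves into the install tree or into a directory the web UI renders from, including via `..` segments or symlinks:

```python
import tempfile
from pathlib import Path

def render_roots(install_dir):
    """Directories the web UI renders from (paths from the advisory); never writable."""
    root = Path(install_dir).resolve()
    return [root / "webui" / "app" / "templates",      # 0.5.x
            root / "module" / "web" / "media" / "js"]  # 0.4.20

def is_within(child, parent):
    """True if `child` equals `parent` or lies beneath it."""
    try:
        Path(child).relative_to(parent)
        return True
    except ValueError:
        return False

def validate_download_folder(candidate, install_dir):
    """Return (ok, reason); paths are resolved so `..` and symlinks are caught too."""
    target = Path(candidate).expanduser().resolve()
    install = Path(install_dir).resolve()
    if is_within(target, install):
        return False, f"{target} is inside the pyLoad install directory {install}"
    for root in render_roots(install):
        # Conservative choice: a download root that contains a rendered
        # directory is refused as well, not only one that sits inside it.
        if is_within(root, target):
            return False, f"{target} contains the rendered directory {root}"
    return True, "ok"

def demo():
    """Build a throw-away layout (constructed fixture) and check candidates."""
    base = Path(tempfile.mkdtemp())
    install = base / "pyload"
    templates = install / "webui" / "app" / "templates"
    templates.mkdir(parents=True)
    (base / "downloads").mkdir()
    traversal = base / "downloads" / ".." / "pyload" / "webui" / "app" / "templates"
    results = {
        "normal": validate_download_folder(base / "downloads", install)[0],
        "templates": validate_download_folder(templates, install)[0],
        "traversal": validate_download_folder(traversal, install)[0],
        "ancestor": validate_download_folder(base, install)[0],
    }
    try:  # symlinks may be unavailable (unprivileged Windows); count as rejected
        (base / "dl_link").symlink_to(templates)
        results["symlink"] = validate_download_folder(base / "dl_link", install)[0]
    except OSError:
        results["symlink"] = False
    return results
```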
Packages
pyload-ng
<= 0.5.0
None
Related vulnerabilities
pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution. There is no fix available at the time of publication.