Описание
pyLoad vulnerable to XSS through insecure CAPTCHA
Summary
An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.
Details
The vulnerable code resides in
- The
onCaptchaResult()function directly passes CAPTCHA results (sent from the user) intoeval() - No sanitization or validation is performed on this input
- A malicious CAPTCHA result can include JavaScript such as
fetch()orchild_process.exec()in environments using NodeJS - Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it
Reproduction Methods
- Official Source Installation:
- Virtual Environment:
CAPTCHA Endpoint Verification
Technical Clarification:
-
The vulnerable endpoint is actually:
/interactive/captcha -
Complete PoC Request:
- Curl Command Correction:
- Vulnerable Code Location:
The eval() vulnerability is confirmed in:src/pyload/webui/app/static/js/captcha-interactive.user.js
Resources
Пакеты
pyload-ng
< 0.20
0.20
Связанные уязвимости
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
pyload is an open-source Download Manager written in pure Python. An u ...