pyload CAPTCHA Processing Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in pyload, an open-source download manager written in Python. This issue arises from unsafe JavaScript evaluation in the CAPTCHA processing code, allowing unauthenticated remote attackers to execute arbitrary code in the client browser and potentially on the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. The vulnerability is present in pyload version 0.19 and has been patched in version 0.20.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the client browser, with potential execution on the backend server, depending on the environment. This could lead to session hijacking, credential theft, and full system remote code execution.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/interactive/captcha' endpoint with a crafted CAPTCHA response that includes JavaScript code. This can be done using a tool like curl, by specifying the 'cid' and 'response' parameters. The 'response' parameter should be encoded to include the JavaScript code to be executed.
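
For triage on the defending side, the following added example (not part of the original advisory or of pyload's code) scans reverse-proxy access logs for POST requests to the '/interactive/captcha' endpoint named above. It assumes Combined Log Format written by a proxy in front of pyload; the function names, log lines and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint named in the advisory's reproduction steps.
CAPTCHA_PATH = "/interactive/captcha"

# Combined Log Format from a reverse proxy in front of pyload (assumption).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

def captcha_posts(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the CAPTCHA endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "POST":
            continue  # skip malformed lines and other methods
        # Normalise the target: drop any query string and trailing slash.
        path = urlsplit(m["target"]).path.rstrip("/")
        if path == CAPTCHA_PATH:
            hits[m["client"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def accepted(hits):
    """Clients whose POST received a 2xx status: the ones to review first."""
    return sorted(ip for ip, events in hits.items()
                  if any(200 <= status < 300 for _, status in events))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2025:00:01:02 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2025:00:03:44 +0000] "POST /interactive/captcha HTTP/1.1" 200 17 "-" "curl/8.5.0"',
    '198.51.100.7 - - [15/Jul/2025:00:03:51 +0000] "POST /interactive/captcha?x=1 HTTP/1.1" 200 17 "-" "curl/8.5.0"',
    '203.0.113.5 - - [15/Jul/2025:00:05:10 +0000] "POST /interactive/captcha/ HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [15/Jul/2025:00:06:00 +0000] "GET /interactive/captcha HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'garbled line without a request',
]

if __name__ == "__main__":
    found = captcha_posts(SAMPLE_LOG)
    for ip, events in found.items():
        print(ip, events)
    print("review first:", accepted(found))
```

Access logs do not record the 'response' body, so a hit only identifies requests to review, not their content.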

Remediation

Users can upgrade to pyload version 0.20 to address this vulnerability.

Added: Jul 15, 2025, 12:25 AM
Updated: Jul 15, 2025, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 7.9
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.