pyLoad Input Validation Vulnerability in Captcha and CNL Blueprint Allowing Cross-Site Scripting

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in pyLoad versions prior to 0.5.0b3.dev91. The issue arises from inadequate input validation in the web interface, specifically within the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This lack of proper validation allowed untrusted user input to be processed unsafely, enabling attackers to inject arbitrary content into the web UI or manipulate request handling. Exploitation of this vulnerability could lead to client-side code execution or other unintended behaviors when a malicious payload is submitted.
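As an added illustration, not pyLoad's own code or its actual fix: a Python handler that reflects an untrusted request parameter straight into HTML (the defect class described above), beside a hardened version that allow-list validates and HTML-encodes the value before rendering. The parameter name, the response markup and the sample request are constructed assumptions.

```python
import html
import re

# Constructed request shape: a dict of already-parsed form/query parameters.
# The parameter name "package" is an assumption, not a pyLoad identifier.

def render_vulnerable(params: dict) -> str:
    """Reflects the parameter unchanged; any markup in it becomes part of the page."""
    name = params.get("package", "")
    return f"<p>Added package: {name}</p>"

# Allow-list for what a package name is expected to look like (assumed policy).
PACKAGE_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,128}")

def render_hardened(params: dict) -> str:
    """Validates the input, then HTML-encodes it for the text context it lands in."""
    name = params.get("package", "")
    # 1. Reject anything outside the expected character set (a real handler
    #    would answer with HTTP 400 here).
    if not PACKAGE_NAME.fullmatch(name):
        return "<p>Invalid package name</p>"
    # 2. Defense in depth: encode <, >, &, " and ' so the value can never change
    #    the structure of the surrounding HTML even if the allow-list is loosened.
    return f"<p>Added package: {html.escape(name, quote=True)}</p>"

def contains_markup(rendered: str) -> bool:
    """Detection-style check: does the rendered page contain live script markup?"""
    return bool(re.search(r"<script|<img|onerror=|javascript:", rendered, re.I))
```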

Impact

Exploitation of this vulnerability allows for the injection and execution of arbitrary JavaScript in the browser session of a user accessing the pyLoad Web UI. This could enable an attacker to impersonate an administrator, steal authentication cookies or tokens, and perform unauthorized actions on behalf of the victim. The impact is particularly severe if the Web UI is exposed over a network without additional access restrictions, as it allows remote attackers to target users with crafted links or requests that trigger the vulnerability.

Reproduction

To reproduce this vulnerability, run a version of pyLoad prior to the patched version 0.5.0b3.dev91. Access the web UI and navigate to the Captcha or CNL endpoints. Submit a request containing a malicious JavaScript payload in an unvalidated parameter, such as through the '/flash/addcrypted2' endpoint. The injected script will be executed in the client's browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to pyLoad version 0.5.0b3.dev91 or later, where this vulnerability has been patched.

Added: Oct 9, 2025, 9:20 PM
Updated: Oct 9, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.