pyLoad Path Traversal Vulnerability Leading to Arbitrary File Deletion

Vulnerability

A path traversal vulnerability allowing arbitrary file deletion has been identified in pyLoad versions prior to 0.5.0b3.dev97. This issue arises during password verification of certain encrypted 7z archives, specifically those with non-encrypted headers. The vulnerability occurs because pyLoad improperly handles archive entry names derived from the 7z listing output, treating them as filesystem paths without proper validation. As a result, an attacker can manipulate the entry names to include path traversal sequences, leading to the deletion of files outside the designated extraction directory.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion outside the extraction directory, potentially leading to the removal of important application data. For example, deleting the pyLoad database file causes the application to restore default credentials on the next startup. If the WebUI is accessible over an attacker-reachable network, this could result in account takeover.

Reproduction

The vulnerability can be reproduced by crafting an encrypted 7z archive with a non-encrypted header, including path traversal sequences in the entry names. When this archive is processed by pyLoad during password verification, the application will delete the specified files outside the extraction directory. This can be automated with a provided proof-of-concept script that demonstrates the deletion of a 'victim' file as well as the pyLoad database, which is then restored to default credentials after a restart.

Remediation

Users can upgrade to pyLoad-ng version 0.5.0b3.dev97 to address this vulnerability.
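As an added illustration (not pyLoad's own code or its fix), the following Python shows the containment check that archive entry names taken from a 7z listing need before they are used as filesystem paths for deletion. The extraction directory, the entry names and the database filename are constructed sample values.

```python
from pathlib import Path

# Constructed sample of entry names as a 7z listing might report them.
# Hypothetical data, not pyLoad output; "pyload.db" is a made-up filename.
SAMPLE_ENTRIES = [
    "video/part1.mkv",         # ordinary relative entry
    "../../pyload.db",         # traversal: escapes the extraction dir
    "/etc/hosts",              # absolute name: must be re-anchored, not trusted
    "notes/../readme.txt",     # traversal that still lands inside the dir
]


def is_within(base: Path, candidate: Path) -> bool:
    """True if candidate is base itself or a descendant of base."""
    try:
        candidate.relative_to(base)
        return True
    except ValueError:
        return False


def safe_entry_paths(extract_dir: str, entry_names):
    """Map archive entry names to resolved paths inside extract_dir.

    Returns (accepted, rejected): accepted holds resolved Path objects that
    stay under extract_dir; rejected holds the raw names that would escape it.
    """
    base = Path(extract_dir).resolve()
    accepted, rejected = [], []
    for name in entry_names:
        # Anchor absolute names to the extraction dir instead of the root.
        target = (base / name.lstrip("/\\")).resolve()
        if is_within(base, target):
            accepted.append(target)
        else:
            rejected.append(name)
    return accepted, rejected


def remove_listed_entries(extract_dir: str, entry_names):
    """Delete only entries that resolve inside extract_dir; return the rest."""
    accepted, rejected = safe_entry_paths(extract_dir, entry_names)
    for path in accepted:
        if path.is_file():
            path.unlink()
    return rejected


if __name__ == "__main__":
    ok, bad = safe_entry_paths("/tmp/pyload_extract_example", SAMPLE_ENTRIES)
    print("accepted:", [str(p) for p in ok])
    print("rejected:", bad)
```

Because the check compares resolved paths rather than scanning for ".." strings, it also catches escapes through symlinks inside the extraction directory.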

Added: Mar 20, 2026, 3:38 AM
Updated: Mar 20, 2026, 3:38 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 5.0
exploitability: 4.2
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.