pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- <= 0.4.20
pyLoad's ClickNLoad (CNL) feature, in versions from 0.4.20 up to but not including 0.5.0b3.dev97, lets a remote attacker bypass the local_check decorator by spoofing the HTTP Host header. local_check is meant to restrict certain endpoints to requests that originate on the local machine, but it decides whether a request is "local" from the client-supplied Host header rather than from a server-controlled value such as the peer address of the connection. Since any client can set Host to whatever it likes, the check is trivially defeated.
A successful bypass gives an unauthenticated remote attacker the same access a local client would have: injecting arbitrary downloads into the queue, writing files to the storage directory, having JavaScript executed in the CNL sandbox, and reading version information and the list of supported URLs.
To reproduce, send a request to a pyLoad instance with ClickNLoad enabled and set the Host header to a localhost value, for example with curl and a custom Host header. The request passes local_check and reaches the restricted endpoints even though the connection comes from a remote address: a download injected through the /flash/add endpoint is accepted when the Host header is set to 127.0.0.1:9666 (9666 being the ClickNLoad port).
Update to pyLoad 0.5.0b3.dev97 or later. Beyond the upgrade, consider requiring authentication for the ClickNLoad endpoints, basing any localhost restriction on Flask's request.remote_addr (the address the server observed the connection coming from) rather than on request headers, and adding rate limiting and logging so abuse of these endpoints can be detected. Note that behind a reverse proxy request.remote_addr is the proxy's own address, so a localhost check there has to be paired with proxy-aware configuration; trusting X-Forwarded-For blindly would reintroduce the same header-spoofing problem.
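The following is an added illustration, not pyLoad's own code: a minimal WSGI-style endpoint guarded by two versions of a local_check decorator. local_check_host reproduces the flawed design (it trusts the client-supplied Host header), local_check_peer shows the recommended one (it trusts the server-observed peer address, the WSGI equivalent of Flask's request.remote_addr). The endpoint name flash_add, the helper names, and the environ dictionaries are assumptions constructed for the demonstration; the remote address 203.0.113.7 is a documentation-range address, and no real server is contacted.

```python
"""Host-header-based vs. peer-address-based localhost checks (illustrative, not pyLoad code)."""
from functools import wraps

# Values a naive Host-header check accepts as "local".
LOCALHOST_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Loopback peer addresses the server itself observes on the TCP connection.
LOCAL_PEERS = {"127.0.0.1", "::1"}


def _host_without_port(host_header):
    """Strip the ":port" suffix from a Host header value; keeps bracketed IPv6 literals intact."""
    if host_header.startswith("["):
        return host_header[1:host_header.index("]")]
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def local_check_host(view):
    """VULNERABLE: decides 'local' from HTTP_HOST, which the client sets freely."""
    @wraps(view)
    def wrapper(environ):
        if _host_without_port(environ.get("HTTP_HOST", "")) not in LOCALHOST_HOSTS:
            return 403, "forbidden"
        return view(environ)
    return wrapper


def local_check_peer(view):
    """FIXED: decides 'local' from REMOTE_ADDR, which the server fills in from the socket."""
    @wraps(view)
    def wrapper(environ):
        if environ.get("REMOTE_ADDR") not in LOCAL_PEERS:
            return 403, "forbidden"
        return view(environ)
    return wrapper


@local_check_host
def flash_add_vulnerable(environ):
    # Stand-in for the /flash/add handler; a real one would queue the submitted URLs.
    return 200, "download queued"


@local_check_peer
def flash_add_fixed(environ):
    return 200, "download queued"


def make_environ(remote_addr, host_header):
    """Constructed WSGI environ for a POST to /flash/add (test data, not a captured request)."""
    return {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/flash/add",
        "REMOTE_ADDR": remote_addr,   # set by the server from the TCP peer
        "HTTP_HOST": host_header,     # copied verbatim from the client's Host header
    }


def spoofed_request():
    """Remote attacker (hypothetical address 203.0.113.7) sending Host: 127.0.0.1:9666."""
    return make_environ("203.0.113.7", "127.0.0.1:9666")


def genuine_local_request():
    """A client really connecting over loopback."""
    return make_environ("127.0.0.1", "127.0.0.1:9666")


def demo():
    """Run both decorators against both requests; returns the HTTP status each produced."""
    spoof, local = spoofed_request(), genuine_local_request()
    return {
        "vulnerable_spoofed": flash_add_vulnerable(spoof)[0],  # 200: bypass succeeds
        "vulnerable_local": flash_add_vulnerable(local)[0],    # 200
        "fixed_spoofed": flash_add_fixed(spoof)[0],            # 403: spoofed Host is ignored
        "fixed_local": flash_add_fixed(local)[0],              # 200: genuine local client still works
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The point of the comparison is where each value comes from: HTTP_HOST is copied from bytes the attacker sent, REMOTE_ADDR is written by the server from the accepted socket. Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the fixed variant would reject everyone; in that deployment the check must be combined with explicit proxy-aware configuration rather than a header like X-Forwarded-For that the client can again forge.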