pyLoad Server-Side Request Forgery Vulnerability in parse_urls API

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in pyLoad versions through 0.5.0b3.dev96. The issue arises in the parse_urls API function, which hands every supplied URL to get_url, a pycurl-based fetcher, with no scheme allow-list, no hostname or IP-range validation, and no blocking of private or link-local addresses. Because libcurl supports far more than HTTP, an authenticated user with the ADD permission can make the server issue HTTP or HTTPS requests to internal network resources and cloud metadata endpoints, read local files through the file:// scheme, talk to internal services such as Redis or memcached through the gopher:// and dict:// schemes, and enumerate the existence of local files through an error-based oracle (the fetch fails differently for a path that exists and one that does not).

Impact

Exploitation of this vulnerability allows an authenticated user with the ADD permission to reach internal network resources and cloud metadata endpoints with the pyLoad server's network position, read local files from the server, interact with internal services, and exfiltrate data to external servers the attacker controls.

Reproduction

To reproduce this vulnerability, log into pyLoad as a user that has the ADD permission and call the parse_urls API with a URL the server should never fetch on a user's behalf: a file:// path on the local filesystem, an http:// URL pointing at an internal address or a cloud metadata endpoint, or a gopher:// or dict:// URL aimed at an internal service. Because the API passes the URL to get_url unchanged, the server issues the request itself; the response, or the error returned when the target does not exist, reveals the result. A curl invocation against the API with an authenticated session and the unvalidated URL as the parameter is sufficient.
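The validation that parse_urls lacks, shown as an added illustration rather than pyLoad's own code or its patch: a scheme allow-list, rejection of userinfo in the URL, and a check of every address a hostname resolves to against loopback, private, link-local, multicast, reserved and shared address space. The function and variable names (check_fetch_url, is_blocked_ip, fake_resolver, FAKE_DNS) are hypothetical, and the DNS table is constructed so the demo runs offline; the public address in it is only a placeholder record.

```python
# Added illustration of the validation missing from parse_urls; this is not
# pyLoad's code or its fix. Function and variable names are hypothetical.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Shared address space (CGNAT). Not flagged by is_private in every Python
# version, but never a legitimate target for a server-side fetch.
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)


def is_blocked_ip(ip):
    """True if a server-side fetch must never connect to this address."""
    # ::ffff:a.b.c.d is IPv4 in disguise; judge the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def system_resolver(host):
    """Every address the host maps to (A and AAAA), via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_fetch_url(url, resolver=system_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). A hostname is rejected if *any* address it
    resolves to is blocked, so a record mixing a public and a loopback
    address cannot be used to slip past the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed (only http/https)"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IPv4/IPv6 host
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:                    # socket.gaierror is an OSError
            return False, f"cannot resolve {host}: {exc}"
        if not addrs:
            return False, f"{host} resolved to no addresses"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} maps to blocked address {ip}"
    return True, "ok"


# Constructed DNS table so the demo runs offline; these are not real records.
FAKE_DNS = {
    "mirror.example": [ipaddress.ip_address("93.184.216.34")],
    "internal-wiki.corp": [ipaddress.ip_address("10.0.3.7")],
    "rebind.example": [ipaddress.ip_address("93.184.216.34"),
                       ipaddress.ip_address("127.0.0.1")],
}


def fake_resolver(host):
    """Stand-in for system_resolver that answers only from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return FAKE_DNS[host]


# URLs of the kinds the advisory describes, plus benign ones for contrast.
DEMO_URLS = [
    "https://mirror.example/release.zip",
    "file:///etc/passwd",
    "gopher://127.0.0.1:6379/_INFO",
    "dict://127.0.0.1:11211/stats",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:127.0.0.1]/",
    "http://internal-wiki.corp/",
    "http://rebind.example/",
    "http://user:secret@mirror.example/",
]

if __name__ == "__main__":
    for url in DEMO_URLS:
        allowed, reason = check_fetch_url(url, resolver=fake_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

Two caveats apply to any check of this shape. First, it must run on every hop, not just the initial URL, because a fetcher that follows redirects can be sent from an allowed public host to an internal one; with libcurl that means restricting CURLOPT_PROTOCOLS (CURLOPT_PROTOCOLS_STR in newer releases) and CURLOPT_REDIR_PROTOCOLS to HTTP and HTTPS and re-validating the Location target. Second, a resolve-then-connect check is open to DNS rebinding unless the fetch is pinned to the addresses that were checked, for which libcurl offers CURLOPT_RESOLVE.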

Remediation

Users are advised to update to pyLoad version 0.5.0b3.dev97, where this vulnerability has been patched. Until the update is applied, limit the ADD permission to trusted accounts and isolate the pyLoad host from internal services and cloud metadata endpoints at the network level, since any account holding that permission can drive the server's fetches.

Added: Apr 6, 2026, 8:27 PM
Updated: Apr 6, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.3
exploitability: 4.0
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.