pyLoad Authorization Bypass Vulnerability in SSL Configuration

Vulnerability

An authorization bypass vulnerability has been identified in pyLoad versions prior to 0.5.0b3.dev97. The issue arises because the ADMIN_ONLY_CORE_OPTIONS authorization set in the set_config_value() function uses incorrect option names for SSL certificate and key file paths. This mismatch allows any user with SETTINGS permission to overwrite these paths, potentially leading to man-in-the-middle attacks. Additionally, the ssl_certchain option was never included in the admin-only set, leaving it completely unprotected.
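As an added illustration (not pyLoad's code), the following Python models the bug class: an admin-only allowlist keyed by names that do not match the real options, beside the corrected set, plus a consistency check that would have flagged the mismatch before release. The stand-in wrong names 'ssl_cert' and 'ssl_key', the schema contents and the file paths are constructed assumptions; only the option names ssl_certfile, ssl_keyfile and ssl_certchain come from the advisory.

```python
# Illustrative model of the bug class described above; not pyLoad's code.

# The SSL options the advisory says must be admin-only.
SSL_OPTIONS = {"ssl_certfile", "ssl_keyfile", "ssl_certchain"}

# Hypothetical config schema: the options the server actually accepts
# (constructed values, not a real pyLoad configuration).
CONFIG_SCHEMA = {
    "ssl_certfile": "/etc/pyload/cert.pem",
    "ssl_keyfile": "/etc/pyload/key.pem",
    "ssl_certchain": "",
    "download_dir": "/srv/downloads",
}

# Vulnerable allowlist: 'ssl_cert' and 'ssl_key' are stand-ins for the
# mismatched entries (the advisory does not quote them); ssl_certchain
# is missing entirely, as the advisory states.
ADMIN_ONLY_VULNERABLE = {"ssl_cert", "ssl_key"}

# Fixed allowlist: keyed by the real option names, with ssl_certchain added.
ADMIN_ONLY_FIXED = {"ssl_certfile", "ssl_keyfile", "ssl_certchain"}


def set_config_value(config, admin_only, option, value, is_admin):
    """Apply a settings write; return True if applied, False if refused."""
    if option not in config:
        return False                      # unknown option, nothing to write
    if option in admin_only and not is_admin:
        return False                      # admin-only option, caller is not admin
    config[option] = value
    return True


def dangling_admin_only_names(admin_only, schema):
    """Admin-only names matching no real option: each is a check that can
    never fire. A non-empty result means the allowlist is misconfigured."""
    return sorted(admin_only - set(schema))


def unprotected(admin_only, sensitive, schema):
    """Sensitive options that a non-admin with SETTINGS permission can write."""
    return sorted((sensitive & set(schema)) - admin_only)


if __name__ == "__main__":
    cfg = dict(CONFIG_SCHEMA)
    # Non-admin write to the real option name slips past the vulnerable set.
    print(set_config_value(cfg, ADMIN_ONLY_VULNERABLE, "ssl_certfile", "/tmp/untrusted.pem", False))
    print(dangling_admin_only_names(ADMIN_ONLY_VULNERABLE, CONFIG_SCHEMA))
    print(unprotected(ADMIN_ONLY_VULNERABLE, SSL_OPTIONS, CONFIG_SCHEMA))
    # The same write is refused once the set uses the real names.
    print(set_config_value(dict(CONFIG_SCHEMA), ADMIN_ONLY_FIXED, "ssl_certfile", "/tmp/untrusted.pem", False))
```

The two audit helpers are the defensive takeaway: run them against the real schema in a unit test so a renamed or newly added sensitive option fails the build instead of shipping unprotected.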

Impact

Exploitation of this vulnerability allows a non-admin user with SETTINGS permission to replace the SSL certificate and key used by the pyLoad HTTPS server. When the server is restarted, it will use the attacker's certificate and key, enabling interception and decryption of HTTPS traffic, including admin credentials and session tokens. This could lead to unauthorized admin access by exploiting intercepted credentials.

Reproduction

To reproduce this vulnerability, first authenticate as a non-admin user with SETTINGS permission to obtain a session cookie. Then, send a POST request to the 'json/save_config' endpoint whose request data sets the 'ssl_certfile' and 'ssl_keyfile' options; because the admin-only set was keyed by different names, these writes are not refused. After the server restarts, it loads the attacker-controlled certificate and key for HTTPS connections.

Remediation

Users are advised to update to pyLoad version 0.5.0b3.dev97 or later, where this vulnerability has been fixed.

Added: Apr 7, 2026, 6:17 PM
Updated: Apr 7, 2026, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.