pyLoad Session Cookie Security Downgrade Vulnerability via Untrusted X-Forwarded-Proto Header Spoofing

Vulnerability

A vulnerability in pyLoad, a Python-based download manager, allows session cookie security to be downgraded through manipulation of the untrusted X-Forwarded-Proto header. This issue affects pyLoad versions through 0.4.x. The vulnerability arises because the 'set_session_cookie_secure' before_request handler reads the X-Forwarded-Proto header without validating its origin, then modifies the Flask SESSION_COOKIE_SECURE setting globally for the whole process. In the multi-threaded Cheroot WSGI server, this creates a race condition in which one request can change the Secure flag on session cookies issued to other users, either reducing cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments.

Impact

Exploitation can lead to session cookies being issued without the Secure flag, allowing interception over plain HTTP and enabling session hijacking. Alternatively, on default HTTP deployments, the vulnerability can cause a session denial-of-service by disrupting cookie transmission, silently breaking user sessions.

Reproduction

The vulnerability can be reproduced by sending concurrent requests to a pyLoad backend server that is not behind a trusted proxy. This can be done using a tool like curl to spoof the X-Forwarded-Proto header. In a containerized or Kubernetes deployment, an attacker can flood the backend with requests that downgrade the SESSION_COOKIE_SECURE setting. This will cause legitimate users to receive session cookies without the Secure flag, exposing them to interception over HTTP.
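The following is an added example, not pyLoad's own code: a pure-Python stand-in for the Flask/Cheroot setup that models the shared-config pattern described under Vulnerability and the spoofed-header scenario above, next to a per-request alternative that only honours the header from a configured proxy. The function names, the request model and the proxy address range are assumptions for illustration.

```python
# Added example (not pyLoad's code): models the process-wide SESSION_COOKIE_SECURE
# race described in the advisory and a per-request alternative. Names, the
# request model and the 10.0.0.0/8 proxy range are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    remote_addr: str                        # TCP peer that delivered the request
    headers: dict = field(default_factory=dict)


# --- Vulnerable pattern: one process-wide setting rewritten by every request ---
APP_CONFIG = {"SESSION_COOKIE_SECURE": True}


def vuln_before_request(req: Request) -> None:
    """Mirrors the flawed handler: any peer's header rewrites global config."""
    APP_CONFIG["SESSION_COOKIE_SECURE"] = (
        req.headers.get("X-Forwarded-Proto", "http") == "https")


def vuln_save_session() -> bool:
    """Flask reads the flag when the response cookie is built, not earlier."""
    return APP_CONFIG["SESSION_COOKIE_SECURE"]


def race_demo() -> bool:
    """One interleaving two worker threads can produce: the legitimate user's
    before_request, then an untrusted request's before_request, then the
    legitimate user's cookie write. Returns the Secure flag that user gets."""
    legit = Request("10.0.0.5", {"X-Forwarded-Proto": "https"})     # via TLS proxy
    untrusted = Request("203.0.113.9", {"X-Forwarded-Proto": "http"})  # direct
    vuln_before_request(legit)
    vuln_before_request(untrusted)
    return vuln_save_session()            # False: the legitimate cookie loses Secure


# --- Hardened pattern: decide per request, trust the header only from the proxy ---
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]   # assumed: the TLS terminator's range


def cookie_secure_for(req: Request, transport_tls: bool = False) -> bool:
    """Secure flag for this request only; no shared state is touched."""
    if transport_tls:                         # the app itself terminated TLS
        return True
    peer = ip_address(req.remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        return req.headers.get("X-Forwarded-Proto", "").lower() == "https"
    return False                              # untrusted peer: header is ignored


def hardened_demo() -> tuple:
    """Proxied HTTPS user keeps Secure; a direct request spoofing https is ignored,
    so it cannot force Secure cookies (and a session DoS) on a plain-HTTP deployment."""
    legit = Request("10.0.0.5", {"X-Forwarded-Proto": "https"})
    untrusted = Request("203.0.113.9", {"X-Forwarded-Proto": "https"})
    return cookie_secure_for(legit), cookie_secure_for(untrusted)   # (True, False)
```

In a real Flask deployment the same per-request rule belongs in the session interface or a ProxyFix configured with the proxy count, rather than in app.config, which is shared by all worker threads.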

Remediation

Users are advised to update to pyLoad version 0.5.0b3.dev98, where this vulnerability has been fixed.

Added: Apr 21, 2026, 8:01 PM
Updated: Apr 21, 2026, 8:01 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.8
exploitability: 5.4
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.