pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- <= 0.5.0b3.dev99
A vulnerability in pyLoad versions through 0.5.0b3.dev99 allows authenticated users with the non-admin SETTINGS permission to disable TLS verification for outbound requests. This is achieved by manipulating the 'general.ssl_verify' option, which is not properly restricted by the application's allowlist for security-sensitive settings. As a result, TLS peer and hostname verification are turned off, leaving the application susceptible to man-in-the-middle attacks with forged certificates. This issue is particularly concerning in multi-user deployments where non-admin users can inadvertently weaken the application's security posture.
Exploitation of this vulnerability allows for man-in-the-middle attacks on all HTTPS downloads and other network operations that rely on TLS verification. An attacker can present forged certificates for any hostname pyLoad accesses, effectively bypassing SSL validation and potentially intercepting or tampering with the data being transferred. This vulnerability also amplifies the impact of a previously reported server-side request forgery (SSRF) vulnerability in pyLoad, reintroducing access to internal services that were supposed to be protected.
To reproduce this vulnerability, log into pyLoad as a user with the non-admin SETTINGS permission. Once logged in, send a request to the 'setConfigValue' API endpoint to disable TLS verification by setting 'general.ssl_verify' to 'off'. After this configuration is saved, any subsequent HTTPS download will be processed without verifying the TLS certificate, allowing an on-path attacker to intercept the request and present a forged certificate for a hostname that pyLoad is fetching from.
Users should update to pyLoad version 0.5.0b3.dev100, where this vulnerability has been fixed.
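The gap described above is an authorization check missing on one configuration write: a user holding only the SETTINGS permission could flip `general.ssl_verify`, a setting that changes the security posture of every outbound request. The following is an added illustration of the kind of permission-gated config setter a defender would want in that position; it is not pyLoad's code, and the permission names, option keys, defaults and allowlist contents are hypothetical. Security-sensitive options are checked first and kept admin-only regardless of any allowlist, every allowed or denied write is recorded for audit, and boolean values arriving as strings such as `off` are coerced explicitly rather than trusted.

```python
# Added illustration (not pyLoad's code): a permission-gated config setter that
# keeps security-sensitive options such as general.ssl_verify admin-only.
# Permission names, option keys, defaults and the allowlist are hypothetical.
from dataclasses import dataclass, field

ADMIN = "ADMIN"        # may change any option
SETTINGS = "SETTINGS"  # may change only allowlisted, non-sensitive options

# Options that alter the security posture of every outbound request.
# Admin-only regardless of any other permission the user holds.
SECURITY_SENSITIVE = frozenset({"general.ssl_verify"})

# Hypothetical allowlist of options a non-admin SETTINGS holder may change.
SETTINGS_ALLOWLIST = frozenset({"download.max_speed", "download.chunks"})

# Accepted spellings for boolean options; anything else is rejected.
_TRUE = {"on", "true", "1", "yes"}
_FALSE = {"off", "false", "0", "no"}


class ConfigPermissionError(PermissionError):
    """Raised when a user may not write the requested option."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


def coerce(current, raw):
    """Coerce a string from the API to the type of the existing value."""
    if isinstance(current, bool):          # bool before int: bool is an int subclass
        s = str(raw).strip().lower()
        if s in _TRUE:
            return True
        if s in _FALSE:
            return False
        raise ValueError(f"not a boolean: {raw!r}")
    if isinstance(current, int):
        return int(raw)
    return str(raw)


@dataclass
class Config:
    values: dict = field(default_factory=lambda: {
        "general.ssl_verify": True,   # secure default: verify peer and hostname
        "download.max_speed": 0,
        "download.chunks": 3,
    })
    audit: list = field(default_factory=list)  # (outcome, user, key, value)

    def set_value(self, user, section, option, raw_value):
        key = f"{section}.{option}"
        if key not in self.values:
            raise KeyError(f"unknown option {key}")
        is_admin = ADMIN in user.permissions

        # 1. Sensitive options are admin-only and are decided before the
        #    allowlist, so widening the allowlist can never expose them.
        if key in SECURITY_SENSITIVE and not is_admin:
            self.audit.append(("denied", user.name, key, raw_value))
            raise ConfigPermissionError(f"{key} is admin-only")

        # 2. Non-admins need SETTINGS and the option must be allowlisted.
        if not is_admin and (SETTINGS not in user.permissions
                             or key not in SETTINGS_ALLOWLIST):
            self.audit.append(("denied", user.name, key, raw_value))
            raise ConfigPermissionError(f"{user.name} may not change {key}")

        value = coerce(self.values[key], raw_value)
        self.audit.append(("changed", user.name, key, value))
        self.values[key] = value
        return value


def tls_verify_enabled(config):
    """The value a downloader would pass as verify= to its HTTP client."""
    return bool(config.values["general.ssl_verify"])


def sensitive_changes(config):
    """Audit view: every write or attempted write to a sensitive option."""
    return [e for e in config.audit if e[2] in SECURITY_SENSITIVE]


def demo():
    """Walk through the scenario: SETTINGS-only user vs. admin."""
    cfg = Config()
    settings_user = User("alice", frozenset({SETTINGS}))
    admin = User("root", frozenset({ADMIN}))
    results = {}
    try:
        cfg.set_value(settings_user, "general", "ssl_verify", "off")
        results["non_admin_blocked"] = False
    except ConfigPermissionError:
        results["non_admin_blocked"] = True
    results["verify_after_attempt"] = tls_verify_enabled(cfg)
    results["speed"] = cfg.set_value(settings_user, "download", "max_speed", "500")
    results["admin_can_disable"] = cfg.set_value(admin, "general", "ssl_verify", "off")
    results["sensitive_audit"] = len(sensitive_changes(cfg))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the SETTINGS-only user blocked with verification still on, the same user allowed to change an allowlisted option, the admin able to change the sensitive option, and two audit entries (one denial, one change) for `general.ssl_verify`. Keeping the sensitive-option check ahead of the allowlist is the point: the allowlist answers "may this user change ordinary options", while the sensitive set answers a different question and should not be reachable through the first one.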