pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- <= 0.5.0b3.dev99
A vulnerability in pyLoad versions through 0.5.0b3.dev99 allows authenticated users with non-admin SETTINGS permission to redirect all outbound traffic through an attacker-controlled proxy. This is possible because the set_config_value() API method does not properly restrict access to certain proxy configuration options. As a result, every outbound download, captcha fetch, update check, and plugin HTTP call is routed through the attacker's server, enabling interception of sensitive data such as cookies and authentication tokens.
Exploitation of this vulnerability allows full interception of all outbound HTTP traffic, including URLs, headers, cookies, request bodies, and response bodies. The traffic can also be manipulated, for example by injecting poisoned archive files into the extractor pipeline or arbitrary content into update checks. Additionally, if the attacker disables SSL verification, they can intercept HTTPS traffic as well.
To reproduce this vulnerability, log into pyLoad as a user with non-admin SETTINGS permission. Once authenticated, use the API to set the proxy configuration options that are not properly gated by the allowlist. After redirecting the traffic through an attacker-controlled proxy, trigger an outbound download or wait for a scheduled update or captcha fetch. The intercepted request will be visible on the attacker's server.
Users should update to pyLoad version 0.5.0b3.dev100, where this vulnerability has been fixed.
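The authorization gap described above, sketched as an added example that is not pyLoad's code or its actual fix: a settings-write gate that enumerates individual admin-only options, beside one that treats whole sensitive sections as admin-only. All section names, option names and function names are hypothetical, since the page does not give pyLoad's real keys.

```python
from dataclasses import dataclass

# Hypothetical (section, option) keys; the page does not name pyLoad's real ones.
# Flawed gate: lists individual admin-only options, so anything omitted is writable.
ENUMERATED_ADMIN_ONLY = {("reconnect", "script")}

# Hardened gate: whole sections that steer outbound traffic or TLS trust are admin-only.
ADMIN_ONLY_SECTIONS = {"proxy", "reconnect"}
ADMIN_ONLY_OPTIONS = {("general", "ssl_verify")}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool
    has_settings_perm: bool


def flawed_may_set(user, section, option):
    """Allow any SETTINGS user unless the exact key was enumerated."""
    if user.is_admin:
        return True
    if not user.has_settings_perm:
        return False
    return (section, option) not in ENUMERATED_ADMIN_ONLY


def hardened_may_set(user, section, option):
    """Deny non-admins for sensitive sections and options, after normalising the key."""
    if user.is_admin:
        return True
    if not user.has_settings_perm:
        return False
    key = (section.strip().lower(), option.strip().lower())
    return key[0] not in ADMIN_ONLY_SECTIONS and key not in ADMIN_ONLY_OPTIONS


def gate_gaps(user, keys):
    """Return keys the flawed gate lets this user write but the hardened gate refuses."""
    return [k for k in keys if flawed_may_set(user, *k) and not hardened_may_set(user, *k)]


# Constructed sample: write requests a settings-only account might submit.
SAMPLE_KEYS = [("proxy", "enabled"), ("proxy", "host"), ("general", "ssl_verify"),
               ("download", "max_downloads"), ("reconnect", "script")]

if __name__ == "__main__":
    operator = User("operator", is_admin=False, has_settings_perm=True)
    for section, option in gate_gaps(operator, SAMPLE_KEYS):
        print(f"admin-only key writable by non-admin: {section}.{option}")
```

Running `gate_gaps` over every key a deployment exposes gives a quick regression check that no traffic-routing or TLS-trust option is writable with SETTINGS permission alone.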