pyLoad Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in pyLoad, a Python-based download manager, in versions through 0.5.0b3.dev79. Package folder names are sanitized inadequately: the '../' sequence is stripped once rather than until none remain, so a folder name built from the nested pattern '....//' still contains '../' after sanitization. When pyLoad joins that folder name onto the download directory, the operating system resolves the surviving '..' components and the downloaded file is written outside the intended directory. This can be used to overwrite files the pyLoad process is allowed to write or to drop downloaded content into arbitrary directories.

Impact

Any authenticated user holding the ADD permission can write files outside the normal download directory. The written content is whatever the attacker's download link fetches, and the write happens with the privileges of the pyLoad process, so the attacker can overwrite any file that process may write or clutter system directories with unwanted content.

Reproduction

To reproduce this vulnerability, install pyLoad, start it in the background and log in with the default credentials. Using the API, create a package and set its folder name to a payload built from the nested pattern '....//' (one '....//' per directory level to climb); the sanitizer removes only the inner '../' and leaves '../' behind. Add a download link to the package. When the file is fetched, it is written to the path formed by joining the download directory with the surviving '..' components, which lies outside the download directory. Confirm by checking for the downloaded file at the escaped location rather than under the download directory.
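The following is an added example, not pyLoad's own code, that models both the sanitization flaw described above and the reproduction steps: a single-pass sanitizer that lets '....//' collapse into '../', the path a download would land on after the OS resolves the leftovers, and a hardened replacement that sanitizes per path component and verifies containment after resolution. The download root, folder names and file names are constructed for the demo; nothing is written to disk.

```python
import os

# Added example, not pyLoad's code. strip_once mimics the flaw the page
# describes: "../" is removed once, without rescanning, so a nested
# "....//" collapses to "../". All paths below are constructed for the demo.

DOWNLOAD_ROOT = "/srv/pyload/downloads"  # assumed download root, not a real install


def strip_once(folder: str) -> str:
    """Illustrative single-pass sanitizer: removes '../' once, without rescanning."""
    return folder.replace("../", "")


def vulnerable_target(download_root: str, folder: str, filename: str) -> str:
    """Where a download lands when the folder name is sanitized with strip_once.
    normpath stands in for the OS resolving the surviving '..' components."""
    return os.path.normpath(os.path.join(download_root, strip_once(folder), filename))


def sanitize_folder(folder: str) -> str:
    """Component-wise sanitizer: split on both separators and drop '', '.' and '..'.
    The nested '....//' trick simply yields a directory literally named '....'."""
    parts = folder.replace("\\", "/").split("/")
    return "/".join(p for p in parts if p not in ("", ".", ".."))


def ensure_within(root: str, candidate: str) -> str:
    """Resolve both paths and refuse anything outside root (last line of defense).
    commonpath, not startswith, so '/root-evil' is not mistaken for '/root'."""
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    if os.path.commonpath([real_root, real_candidate]) != real_root:
        raise ValueError(f"path escapes download root: {real_candidate}")
    return real_candidate


def escapes(root: str, candidate: str) -> bool:
    """True when ensure_within rejects candidate."""
    try:
        ensure_within(root, candidate)
    except ValueError:
        return True
    return False


def safe_target(download_root: str, folder: str, filename: str) -> str:
    """Hardened version: sanitize per component, keep only the file's basename,
    then verify containment after resolution."""
    target = os.path.join(download_root, sanitize_folder(folder), os.path.basename(filename))
    return ensure_within(download_root, target)


if __name__ == "__main__":
    payload = "....//....//....//etc"  # three levels up from DOWNLOAD_ROOT
    print("after single-pass strip:", strip_once(payload))
    print("vulnerable write lands at:", vulnerable_target(DOWNLOAD_ROOT, payload, "cron.d"))
    print("hardened write lands at:", safe_target(DOWNLOAD_ROOT, payload, "cron.d"))
    print("containment check rejects escape:",
          escapes(DOWNLOAD_ROOT, DOWNLOAD_ROOT + "/../../../etc/cron.d"))
```

Run it to see the same payload land in /etc under the single-pass sanitizer and under a harmless '....' subdirectory of the download root under the hardened one. The per-component sanitizer and the post-resolution containment check are independent: either alone stops this payload, and keeping both means a future sanitizer regression is still caught before a file is written.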

Remediation

Users can upgrade to pyLoad version 0.5.0b3.dev100 or later, where this vulnerability has been patched.

Added: May 11, 2026, 6:35 PM
Updated: May 11, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          0.2
exploitability  4.6
remediation     7.7
relevance       8.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.