pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- <= 0.5.0b3.dev87
A server-side request forgery (SSRF) vulnerability has been identified in pyLoad, a Python-based download manager, in versions prior to 0.5.0b3.dev100. The issue arises because the private IP check implemented through the PREREQFUNCTION was not applied to the HTTPRequest used by the parse_urls API. As a result, an authenticated attacker can submit a URL that redirects to an internal or private IP address, bypassing the is_global_host() validation. The bypass works because HTTPRequest allows private IPs by default, so the redirected request can reach cloud metadata endpoints or internal services.
Exploitation allows authenticated attackers holding the ADD permission to perform SSRF, potentially reaching cloud metadata services and leaking sensitive information such as IAM credentials or instance details. It also exposes internal services on private networks and localhost services running on the pyLoad server.
To reproduce this vulnerability, an authenticated user with ADD permission can call the parse_urls API with a URL that redirects to a private IP address. The request will bypass the global host check and follow the redirect to the private IP, accessing any available metadata or services.
The vulnerability can be fixed by setting allow_private_ip to False in the RequestFactory.get_url() method, preventing SSRF via redirects. Alternatively, the default value in the HTTPRequest constructor can be changed to False, although this may require auditing other parts of the code that need to access private IPs.
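The redirect bypass described above and the per-hop host check that closes it, as an added illustration that is not pyLoad's own HTTPRequest or RequestFactory code. FAKE_DNS, FAKE_REDIRECTS and every function name are hypothetical; the table stands in for DNS and the redirect map stands in for HTTP 3xx responses so the example runs offline. A real client would resolve names with socket.getaddrinfo and run the check from the client's pre-request callback (the role the advisory's PREREQFUNCTION plays), not from application code.

```python
"""Redirect-pinned host validation (hypothetical, added example; not pyLoad's code).

The flaw on this page: a private-IP check ran against the submitted URL but not
against the URLs the HTTP client followed on redirect. Re-running the check on
every hop closes the gap. Everything below is an offline simulation with
constructed data.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed hostname -> address table standing in for DNS (hypothetical values).
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],      # treated as a public address
    "localhost": ["127.0.0.1"],                  # loopback
    "intranet.example.internal": ["10.0.0.5"],   # RFC 1918 private
}

# Constructed redirect chain standing in for HTTP 3xx responses (hypothetical).
# id=1 is a public URL that redirects into a private network; id=2 stays public.
FAKE_REDIRECTS = {
    "http://files.example.com/get?id=1": "http://files.example.com/dl/1",
    "http://files.example.com/dl/1": "http://intranet.example.internal/admin",
    "http://files.example.com/get?id=2": "http://files.example.com/dl/2",
}


def is_global_host(host, resolver=None):
    """True only if every address the host maps to is a public (global) address.

    A literal IP is checked directly; a hostname is resolved first so that a
    name pointing at a private address is caught. Unresolvable names fail closed.
    """
    resolver = resolver or (lambda h: FAKE_DNS.get(h, []))
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def _next_hop(url, redirects):
    """Return the redirect target for url, or None when the response is final."""
    return redirects.get(url)


def fetch_checking_first_hop_only(url, redirects=None, resolver=None, max_redirects=5):
    """The flawed pattern: validate only the submitted URL, then follow redirects blindly."""
    redirects = FAKE_REDIRECTS if redirects is None else redirects
    if not is_global_host(urlparse(url).hostname or "", resolver):
        raise ValueError(f"refusing non-global host in {url}")
    current = url
    for _ in range(max_redirects):
        nxt = _next_hop(current, redirects)
        if nxt is None:
            return current
        current = nxt  # the redirected host is never checked
    raise ValueError("too many redirects")


def fetch_with_pinned_check(url, redirects=None, resolver=None, max_redirects=5):
    """The hardened pattern: validate the host of every hop before requesting it."""
    redirects = FAKE_REDIRECTS if redirects is None else redirects
    current = url
    for _ in range(max_redirects + 1):
        parsed = urlparse(current)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError(f"unsupported URL: {current}")
        if not is_global_host(parsed.hostname, resolver):
            raise ValueError(f"refusing non-global host {parsed.hostname!r} at hop {current}")
        nxt = _next_hop(current, redirects)
        if nxt is None:
            return current
        current = nxt
    raise ValueError("too many redirects")


def is_rejected(fetch, url):
    """True if fetch(url) refuses the request (used to demonstrate the two patterns)."""
    try:
        fetch(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for fetch in (fetch_checking_first_hop_only, fetch_with_pinned_check):
        for url in ("http://files.example.com/get?id=1", "http://files.example.com/get?id=2"):
            try:
                print(fetch.__name__, url, "->", fetch(url))
            except ValueError as exc:
                print(fetch.__name__, url, "-> rejected:", exc)
```

The first-hop-only variant accepts id=1 and ends up at the intranet host; the pinned variant refuses it at the third hop while still serving id=2. Doing the resolution in application code and then letting the HTTP client resolve again leaves a time-of-check gap, which is why the check belongs at the client's connect-time hook, as the fix on this page places it.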