The vulnerability in pyLoad's web interface stems from insufficient input validation in the Captcha and Click'N'Load (CNL) endpoints. User-supplied HTTP parameters were neither validated nor encoded before the application processed them and reflected them into its response. Specifically, the `/flash/addcrypted2` endpoint accepted untrusted input through the `jk` and `crypted` parameters and embedded it directly into JavaScript returned to the client. A payload such as a JavaScript function placed in `jk` was therefore echoed back as executable code, and the attacker's script ran in the context of the victim's browser session as soon as the victim opened a crafted link: a reflected cross-site scripting (XSS) flaw.
Platform: pyLoad
Version: pre-commit f9d27f2
Vulnerability: XSS
Severity: Critical
date: 2024-xx-xx
Prediction: 2024-xx-xx
What Undercode Says:
curl -g "http://127.0.0.1:8000/flash/addcrypted2?jk=function(){alert(document.cookie)}&crypted=12345"
(-g turns off curl's {} URL globbing, so the braces of the function body reach the server intact instead of being expanded away.)
// Illustrative payload for the 'jk' parameter; stealCookies() stands in for any attacker-chosen function
function(){stealCookies()}
How to Exploit:
Craft a URL to `/flash/addcrypted2` with a JavaScript payload in the `jk` parameter and deliver the link to a user who has an active pyLoad session. When that user opens the link, the script executes in their browser with their session.
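A reflected-XSS attempt of this kind leaves the payload in the web server's access log. The following detector is an added example, not part of the original post or of pyLoad: it scans Combined Log Format lines (an assumption about the log layout), picks out requests to `/flash/addcrypted2` whose `jk` value does not have the one-function-returning-a-hex-key shape a Click'N'Load client sends (also an assumption), and flags those carrying script-like tokens. The log lines, IPs and key are constructed for the example; a `jk` sent in a POST body would not appear in such a log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not pyLoad's code. Finds /flash/addcrypted2 requests whose
# `jk` parameter is not the function shape a Click'N'Load client would send.

# Assumption: Combined Log Format, with `jk` in the query string as in the curl
# command above (a POST body is not written to the access log).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
# Assumption: a legitimate CNL `jk` is a single function returning a hex key.
EXPECTED_JK = re.compile(r"^function\s*\w*\s*\(\s*\)\s*\{\s*return\s*'[0-9a-fA-F]+'\s*;?\s*\}$")
# Tokens that have no business in a key function.
SUSPICIOUS = re.compile(r"<script|alert\s*\(|document\.cookie|fetch\s*\(|XMLHttpRequest|eval\s*\(", re.I)

# Constructed sample log lines; IPs, timestamps and the key are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /flash/addcrypted2?jk=function%20f()%7Breturn%20%2700112233445566778899aabbccddeeff%27%3B%7D&crypted=AAAA HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /flash/addcrypted2?jk=function()%7Balert(document.cookie)%7D&crypted=12345 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /api/getServerVersion HTTP/1.1" 200 7',
]


def inspect(line: str):
    """Return a finding dict for a suspicious addcrypted2 request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/flash/addcrypted2":
        return None
    # parse_qs percent-decodes, so the checks run on what the application saw.
    jk = parse_qs(url.query, keep_blank_values=True).get("jk", [""])[0]
    if not jk or EXPECTED_JK.match(jk):
        return None
    reason = "script-like token in jk" if SUSPICIOUS.search(jk) else "unexpected jk shape"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "jk": jk, "reason": reason}


def scan(lines):
    """Run inspect() over every line and keep only the findings."""
    return [f for f in (inspect(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second line is reported: its `jk` is neither a key function nor free of script-like tokens. The first line decodes to a well-formed key function and passes, and the third never touches the endpoint.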
Protection from this CVE
Update to a build that includes commit f9d27f2 or later. Validate every user-controllable parameter against the shape it is expected to have, and encode reflected values for the context they land in (a JavaScript string literal inside a script block, HTML entities in markup) instead of inserting them into the response verbatim.
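To make the two halves of that advice concrete, here is an added example (my own code, not pyLoad's and not the fix in commit f9d27f2) of a minimal endpoint that reflects `jk` into a `<script>` block. `render_unsafe` shows the vulnerable pattern; `render_safe` validates `jk` against the shape a CNL key function is assumed to have (one function returning a 32-character hex key) and then reflects only the extracted key, encoded as a JavaScript string literal that cannot close the script element.

```python
import json
import re

# Added example, not pyLoad's code. A minimal stand-in for an endpoint that
# reflects the Click'N'Load `jk` parameter into a <script> block.

# Assumption: a legitimate CNL `jk` value is a single JavaScript function that
# returns a 32-character hex key and nothing else.
CNL_JK_RE = re.compile(
    r"^function\s*\w*\s*\(\s*\)\s*\{\s*return\s*'([0-9a-fA-F]{32})'\s*;?\s*\}$"
)


def render_unsafe(jk: str) -> str:
    """Vulnerable pattern: the raw parameter is pasted into JavaScript source,
    so any function body the caller supplies becomes code in the victim's page."""
    return f"<html><body><script>var jk = {jk};</script></body></html>"


def extract_cnl_key(jk: str) -> str:
    """Input validation: accept only the expected shape and keep only the key."""
    m = CNL_JK_RE.match(jk)
    if not m:
        raise ValueError("jk does not look like a CNL key function")
    return m.group(1)


def js_string_literal(value: str) -> str:
    """Output encoding for the JavaScript-inside-HTML context. json.dumps()
    produces a valid JS string literal but leaves <, >, & and the Unicode line
    separators alone, so escape those too; the literal then cannot contain
    </script> or break the enclosing line."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def render_safe(jk: str) -> str:
    """Hardened pattern: validate first, then reflect only the validated key,
    encoded for the context it is written into."""
    key = extract_cnl_key(jk)
    return f"<html><body><script>var jk = {js_string_literal(key)};</script></body></html>"


if __name__ == "__main__":
    evil = "function(){alert(document.cookie)}"
    good = "function f(){ return '00112233445566778899aabbccddeeff'; }"
    print(render_unsafe(evil))   # the payload lands in the page verbatim
    print(render_safe(good))     # only the key, as a quoted string literal
    try:
        render_safe(evil)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist does the heavy lifting: once the server only ever reflects a hex string it extracted itself, the encoding step is defence in depth rather than the last line of defence. The same `js_string_literal` helper is what to reach for whenever a value must be written into inline script, since HTML-entity encoding alone is the wrong encoding for that context.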
Impact:
Session hijacking, actions performed with the victim's privileges, and, when the victim is an administrator, full compromise of the pyLoad web interface.
Sources:
Reported By: github.com

