PyLoad version 0.5.0 suffers from an unauthenticated remote code execution vulnerability.
1da79fd53f155f771e35a92c59e86649cc8ac43c4895cbcb08f9ef8dad5414f0pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services, the primary of which is on port 8000 and can not be used by external hosts. A secondary Click N Load service runs on port 9666 and can be used remotely without authentication.
d86b89ccd29b81ac570725e1b71f96f42350980adb191ce14634207100bc2450
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed