{"id":"GHSA-mqpq-2p68-46fv","summary":"pyload Unauthenticated Flask Configuration Leakage vulnerability","details":"### Summary\nAny unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable.\n\n### Details\nAny unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable.\n\n### PoC\nRun `pyload` in the default configuration by running the following command\n```\npyload\n```\n\nNow browse to `http://localhost:8000/render/info.html`. Notice how the Flask configuration gets displayed.\n![PoC](https://user-images.githubusercontent.com/44903767/294522246-4cc19c49-b315-4926-8fd6-ec3c3fdb7c1f.png)\n\nI was quite amused by this finding. I think it's a very interesting coming together of things that is so unlikely to happen. Below I will detail my process a bit more.\n\nI was looking through the code to see how the authorization mechanism is implemented when I spotted this route, which can be accessed by any unauthenticated actor\n- https://github.com/pyload/pyload/blob/57d81930edb59177c60830ad8ac36a91d0ec4c4e/src/pyload/webui/app/blueprints/app_blueprint.py#L33C1-L37C51\n```python\n@bp.route(\"/render/\u003cpath:filename\u003e\", endpoint=\"render\")\ndef render(filename):\n    mimetype = mimetypes.guess_type(filename)[0] or \"text/html\"\n    data = render_template(filename)\n    return flask.Response(data, mimetype=mimetype)\n ```\n\nThis route allows me to load in any of the predefined templates. However, these templates will be lacking any form of context, and as such it doesn't seem too useful. That is until I loaded the `info.html` template and scrolled down, revealing the Flask config. This was purely accidental, and I did not understand why it happened, until I looked at the template\n\n- https://github.com/pyload/pyload/blob/57d81930edb59177c60830ad8ac36a91d0ec4c4e/src/pyload/webui/app/templates/info.html#L64C1-L67C10\n```python\n    \u003ctr\u003e\n        \u003ctd\u003e{{ _(\"Config folder:\") }}\u003c/td\u003e\n        \u003ctd\u003e{{ config }}\u003c/td\u003e\n    \u003c/tr\u003e\n```\n\nIn Flask, every template always gets the Flask config passed to it as the `config` variable. In the normal execution of this template, this value gets overwritten in the function below, but since we're calling it and bypassing this function altogether, it doesn't get overwritten. Would this variable not be named config and named `configuration` or `Config` instead, then this exploit wouldn't work. The likelihood of this occurring is so small, but it seems to have happened here.\n\n- https://github.com/pyload/pyload/blob/57d81930edb59177c60830ad8ac36a91d0ec4c4e/src/pyload/webui/app/blueprints/app_blueprint.py#L450C1-L461C51\n```python\n    context = {\n        \"python\": sys.version,\n        \"os\": \" \".join((os.name, sys.platform) + extra),\n        \"version\": api.get_server_version(),\n        \"folder\": PKGDIR,\n        \"config\": api.get_userdir(),\n        \"download\": conf[\"general\"][\"storage_folder\"][\"value\"],\n        \"freespace\": format.size(api.free_space()),\n        \"webif\": conf[\"webui\"][\"port\"][\"value\"],\n        \"language\": conf[\"general\"][\"language\"][\"value\"],\n    }\n    return render_template(\"info.html\", **context)\n ```\n\n### Impact\nDepending on the how the Flask config data is used, it could have detrimental consequences for the security. It's crucial to keep the `SECRET_KEY` secret and never expose it in your code or configuration files.\n","aliases":["CVE-2024-21644"],"modified":"2024-02-16T08:22:52.053161Z","published":"2024-01-08T15:40:39Z","related":["CVE-2024-21644"],"database_specific":{"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2024-01-08T15:40:39Z","nvd_published_at":"2024-01-08T14:15:47Z","cwe_ids":["CWE-284"]},"references":[{"type":"WEB","url":"https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21644"},{"type":"WEB","url":"https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40"},{"type":"PACKAGE","url":"https://github.com/pyload/pyload"}],"affected":[{"package":{"name":"pyload-ng","ecosystem":"PyPI","purl":"pkg:pypi/pyload-ng"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.0b3.dev77"}]}],"versions":["0.5.0a5.dev528","0.5.0a5.dev532","0.5.0a5.dev535","0.5.0a5.dev536","0.5.0a5.dev537","0.5.0a5.dev539","0.5.0a5.dev540","0.5.0a5.dev545","0.5.0a5.dev562","0.5.0a5.dev564","0.5.0a5.dev565","0.5.0a6.dev570","0.5.0a6.dev578","0.5.0a6.dev587","0.5.0a7.dev596","0.5.0a8.dev602","0.5.0a9.dev615","0.5.0a9.dev629","0.5.0a9.dev632","0.5.0a9.dev641","0.5.0a9.dev643","0.5.0a9.dev655","0.5.0a9.dev806","0.5.0b1.dev1","0.5.0b1.dev2","0.5.0b1.dev3","0.5.0b1.dev4","0.5.0b1.dev5","0.5.0b2.dev10","0.5.0b2.dev11","0.5.0b2.dev12","0.5.0b2.dev9","0.5.0b3.dev13","0.5.0b3.dev14","0.5.0b3.dev17","0.5.0b3.dev18","0.5.0b3.dev19","0.5.0b3.dev20","0.5.0b3.dev21","0.5.0b3.dev22","0.5.0b3.dev24","0.5.0b3.dev26","0.5.0b3.dev27","0.5.0b3.dev28","0.5.0b3.dev29","0.5.0b3.dev30","0.5.0b3.dev31","0.5.0b3.dev32","0.5.0b3.dev33","0.5.0b3.dev34","0.5.0b3.dev35","0.5.0b3.dev38","0.5.0b3.dev39","0.5.0b3.dev40","0.5.0b3.dev41","0.5.0b3.dev42","0.5.0b3.dev43","0.5.0b3.dev44","0.5.0b3.dev45","0.5.0b3.dev46","0.5.0b3.dev47","0.5.0b3.dev48","0.5.0b3.dev49","0.5.0b3.dev50","0.5.0b3.dev51","0.5.0b3.dev52","0.5.0b3.dev53","0.5.0b3.dev54","0.5.0b3.dev57","0.5.0b3.dev60","0.5.0b3.dev62","0.5.0b3.dev64","0.5.0b3.dev65","0.5.0b3.dev66","0.5.0b3.dev67","0.5.0b3.dev68","0.5.0b3.dev69","0.5.0b3.dev70","0.5.0b3.dev71","0.5.0b3.dev72","0.5.0b3.dev73","0.5.0b3.dev74","0.5.0b3.dev75","0.5.0b3.dev76"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-mqpq-2p68-46fv/GHSA-mqpq-2p68-46fv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}