Improper String/Integer Input Validation Leads to the Crashing of Site in pyload/pyload
Jan 5th 2023
If you give the string input in the Start/End time field, then the application will stop working.
Proof of Concept
- Go to "Settings->General-Reconnection"
- Change activated to "on"
- On every input fields place any string for example put: "test"
- Click on save and refresh
- The application will crash
Fix: rm ~/.pyload/settings/pyload.cfg or editing pyload.cfg.
We can crash the application. Changing it with CSRF could lead to leveraging more paths to launch this attack.
A pyload/pyload maintainer validated this vulnerability 2 months ago
Kiran Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
A pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev40 with commit a2b1eb 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
to join this conversation