pyLoad js2py Python Execution
pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code
injection due to the pyimport functionality exposed through the js2py
library. An unauthenticated attacker can issue a crafted POST request to
the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad
by default runs two services, the primary of which is on port 8000 and can
not be used by external hosts. A secondary Click N Load service runs on
port 9666 and can be used remotely without authentication.
https://packetstormsecurity.com/files/171096/pyload_js2py_exec.rb.txt
Wed, 22 Feb 2023 16:38:10 GMT
________________________________
--- The information is for inforamtional purposes only.
* Origin: Read us with
http://winpoint.org JID:
rs@captflint.com (2:467/4.444)