Skip to content

Latest commit

 

History

History
13 lines (10 loc) · 761 Bytes

README.md

File metadata and controls

13 lines (10 loc) · 761 Bytes

CVE-2024-22416

Reference report: GHSA-pgpj-v85q-h5fm

This repository contains a docker compose configuration that setups both a pyLoad server and an attacker server that just provides a csrf.html. To test yourself, just run docker composer up (you need to have docker composer installed additionally to docker).

Then, start by going to localhost:8000, which is the pyLoad login page, and login with user pyload and password pyload. Then, go to localhost:8001/csrf.html, this will instantly submit a cross-site request to pyLoad API and add a user called "hacker". You can check that it worked by going to Settings > Users and notice that "hacker" user has been added!