Reference report: GHSA-pgpj-v85q-h5fm

This repository contains a docker compose configuration that setups both a pyLoad server and an attacker server that just provides a csrf.html. To test yourself, just run docker composer up (you need to have docker composer installed additionally to docker).

Then, start by going to localhost:8000, which is the pyLoad login page, and login with user pyload and password pyload. Then, go to localhost:8001/csrf.html, this will instantly submit a cross-site request to pyLoad API and add a user called "hacker". You can check that it worked by going to Settings > Users and notice that "hacker" user has been added!