{"id":20797537,"url":"https://github.com/rlaphoenix/leakysab-poc","last_synced_at":"2026-03-05T03:33:27.479Z","repository":{"id":115964747,"uuid":"600834841","full_name":"rlaphoenix/LeakySAB-PoC","owner":"rlaphoenix","description":"PoC of 'LeakySAB' a vulnerability allowing extraction of usenet provider password from a SABnzbd instance","archived":false,"fork":false,"pushed_at":"2024-04-22T00:44:17.000Z","size":49,"stargazers_count":11,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-06T18:51:52.438Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rlaphoenix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-12T18:31:39.000Z","updated_at":"2024-04-22T00:44:20.000Z","dependencies_parsed_at":"2024-11-17T16:36:55.008Z","dependency_job_id":"f50c6ec7-d576-44f4-bd34-b97d33fdb91b","html_url":"https://github.com/rlaphoenix/LeakySAB-PoC","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rlaphoenix/LeakySAB-PoC","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rlaphoenix%2FLeakySAB-PoC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rlaphoenix%2FLeakySAB-PoC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rlaphoenix%2FLeakySAB-PoC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rlaphoenix%2FLeakySAB-PoC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rlaphoenix","download_url":"https://codeload.github.com/rlaphoenix/LeakySAB-PoC/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rlaphoenix%2FLeakySAB-PoC/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30108653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T03:32:43.378Z","status":"ssl_error","status_checked_at":"2026-03-05T03:32:22.667Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T16:34:21.534Z","updated_at":"2026-03-05T03:33:27.463Z","avatar_url":"https://github.com/rlaphoenix.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# LeakySAB-PoC\r\n\r\nThis is a PoC of 'LeakySAB', a vulnerability allowing extraction of the usenet provider password from a SABnzbd instance.\r\nI'm not the first to encounter this vulnerability, but I seem to have been the first to report it to the SABnzbd team.\r\n\r\nIt is supported and tested on all versions of `2.x` and `3.x` and has not yet been patched. It has not been tested on\r\nversion `1.x`, but likely works.\r\n\r\nThe PoC was privately sent to the SABnzbd team through email and the topic was brought up on GitHub Issues, without\r\nsharing many details publicly. See https://github.com/sabnzbd/sabnzbd/issues/2455. The PoC was released as it looks\r\nas if the team knew of the vulnerability at its core, but would rather keep it unpatched than add a slight inconvenience\r\nto the user, which is astonishingly ridiculous...\r\n\r\n![image](https://user-images.githubusercontent.com/17136956/218492530-b82bbac5-5aaa-4a61-b0e4-502b71b59855.png)\r\n\r\n## Mitigation\r\n\r\nThere's currently no way to truly prevent this issue. As long as someone can get onto your Web UI, this\r\nexploit will be possible. However, there are some steps you should take to protect yourself as much as possible.\r\n\r\nDon't open (port forward) your SABnzbd port, and add authentication to your SABnzbd Web UI. I recommend against\r\nusing the username 'admin' or such. I personally use a completely random string for both the username and password.\r\n\r\nThis will reduce possible attacks to only devices on your local network. However, it's still not impenetrable: the\r\nexploit remains possible via malware, threat actors obtaining your SABnzbd API Key, running on a public or unsafe network,\r\nintranet access attacks (like breaching a personal home/server VPN), or another SABnzbd exploit that bypasses auth on the SABnzbd Web UI.\r\n\r\nOf course, these listed threats are very niche and unlikely to happen, and generally out of the scope of SABnzbd.\r\nHowever, I completely refute the SABnzbd team's decision to intentionally leave such a blatant exploit possible when\r\na simple fix could be made. E.g., prevent the host name from being altered once added, or have the user re-enter\r\nthe password if they need to change the host.\r\n\r\n## Usage\r\n\r\nRun `$ python main.py`; this will start a TCP server bound to all available interfaces on port 8119.\r\n\r\n1. Go to the SABnzbd Server settings page, e.g., `http://127.0.0.1:8080/sabnzbd/config/server/`.\r\n2. Tick the \"Advanced Settings\" check box on the top right of the page.\r\n3. Click \"Show Details\" on the server you wish to reveal the password of.\r\n4. Change the Host to the IP/Hostname of the Server you are running the TCP server on.\r\n5. Change the Port to 8119 and make sure the \"SSL\" check box is unticked.\r\n6. Click the Test Server button. Look at your server's terminal and you should see the Username and Password.\r\n\r\n### API\r\n\r\nA Web Server allowing you to run the exploit by providing the hostname and port of a SABnzbd instance is\r\navailable in [api.py](api.py).\r\n\r\nYou must create a `credentials.db` file and a `credentials` table yourself. Use this schema:\r\n\r\n```sql\r\nCREATE TABLE \"credentials\" (\r\n\t\"id\"\tINTEGER NOT NULL UNIQUE,\r\n\t\"host\"\tTEXT NOT NULL COLLATE NOCASE,\r\n\t\"port\"\tINTEGER NOT NULL,\r\n\t\"username\"\tTEXT NOT NULL,\r\n\t\"password\"\tTEXT NOT NULL,\r\n\t\"ssl\"\tINTEGER NOT NULL,\r\n\tPRIMARY KEY(\"id\" AUTOINCREMENT),\r\n\tUNIQUE(\"host\",\"port\",\"username\",\"password\")\r\n);\r\n```\r\n\r\n### Troubleshooting\r\n\r\nBefore continuing with these troubleshooting steps, make sure you have opened port `8119`.\r\nYou can check if the port is open by going to https://canyouseeme.org on the server to test `8119`.\r\n\r\n#### Test Server times out and no connection appears on the Server Terminal\r\n\r\nYou may not have allowed the port or Python in your Firewall. Even though I don't usually have to manually allow\r\nsomething, I too had to manually allow it for it to work. This may be because Windows never gave me the Firewall\r\ndialog on first-run for some reason. You will need to manually allow incoming traffic for port 8119 in\r\nAdvanced Firewall Settings.\r\n\r\n## License\r\n\r\n\u0026copy; 2023 rlaphoenix \u0026mdash; [Unlicense](LICENSE)\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frlaphoenix%2Fleakysab-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frlaphoenix%2Fleakysab-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frlaphoenix%2Fleakysab-poc/lists"}