Snapchat Pro Mod

Web CVE-2018-9206 in jQuery File Upload

Larry Cashdollar, an expert at Akamai SIRT (Security Intelligence Response Team), has discovered a dangerous issue, CVE-2018-9206, in the popular jQuery File Upload plugin created by German developer Sebastian Tschan, better known as Blueimp. All plugin versions up to version 9.22.1 are vulnerable.

This plugin is the most promoted jQuery project on GitHub after the framework itself. It has over 7800 forks and is integrated with hundreds if not thousands of different projects, including CMS, CRM, intranet solutions, WordPress plugins, Drupal addons, Joomla components and so on. In fact, the vulnerability in jQuery File Upload could threaten many platforms installed in a wide variety of locations.

Cashdollar explains that a vulnerability in the plugin could be used to upload malicious files, such as backdoors and web shells, to the server. Even worse, the problem is already being exploited by attackers, and this has been happening since at least 2016. On YouTube, you can even find tutorials on exploiting the jQuery File Upload bug, the earliest of which are dated August 2015.

When the specialist notified the developer about the problem, Blueimp carefully studied his report and conducted his own review of the plugin's code. As it turned out, the roots of the bug go back to changes in the Apache Web Server that appeared in 2010. These changes indirectly altered the behavior of the plugin on Apache servers.

The fact is that in November 2010, a few days before the release of the first version of jQuery File Upload, the Apache Foundation developers introduced Apache HTTPD version 2.3.9. This release was nothing special, except that starting with this version, the Apache HTTPD server has an option that allows the server owner to ignore custom security settings for individual directories made using .htaccess files. This setting was enabled by default.

In turn, jQuery File Upload was designed to rely on a custom .htaccess file containing security restrictions for the upload directory. At the time, the developer simply did not know that a few days earlier the creators of Apache HTTPD had made a change to their product that undermined the correct operation of his plugin.

Trying to assess the potential damage from the discovered vulnerability, Larry Cashdollar studied the GitHub forks of the plugin and came to disappointing conclusions. After checking 1000 different solutions out of 7800 available, he found that almost all of them were vulnerable (only 36 projects did not succumb to the vulnerability). The researcher has already published a PoC exploit and the code that he used for testing on GitHub.
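
For administrators who want to check whether a .htaccess file in an upload directory is actually honoured, the following added example (not part of the original post, and not code from Blueimp or Akamai) computes the effective `AllowOverride` value for a directory from Apache configuration text. The directive name and its default of `None` since 2.3.9 come from the Apache HTTPD documentation rather than from the post; the function names, sample configuration and paths are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """
<Directory "/var/www">
    Options -Indexes
</Directory>
<Directory "/var/www/legacy">
    AllowOverride All
</Directory>
"""

_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
_CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
_ALLOW = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I)

def effective_allow_override(conf_text, target_dir):
    """Return the AllowOverride value that applies to target_dir.

    Assumption: only literal <Directory> paths are handled (no wildcards,
    regex sections or Include files). The deepest matching section wins.
    """
    target = PurePosixPath(target_dir)
    # "None" is the built-in default since Apache HTTPD 2.3.9.
    current, best_depth, value = None, -1, "None"
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = PurePosixPath(opened.group(1))
        elif _CLOSE.match(line):
            current = None
        elif current is not None and (current == target or current in target.parents):
            directive = _ALLOW.match(line)
            if directive and len(current.parts) >= best_depth:
                best_depth, value = len(current.parts), directive.group(1)
    return value

def htaccess_is_read(conf_text, target_dir):
    """True if Apache will process .htaccess files in target_dir at all."""
    return effective_allow_override(conf_text, target_dir).lower() != "none"
```

A result of `False` for the upload directory means any restrictions placed in its .htaccess file are silently ignored, so they must be moved into the server configuration itself.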

