This bug affects the popular jQuery File Upload widget. Using the widget, an attacker could easily upload arbitrary files on web servers including command shells for sending out commands!
Bug from 8-years-old security upgrade
A security researcher with Akamai’s SIRT (Security Intelligence Response Team), Larry Cashdollar, identified the flaw when he was analyzing the widget’s code and successfully uploaded a web shell and run commands on a test server.
Together with Sebastian Tschan, the dev of the plugin, the security researcher discovered the flaw was a part of the change in Apache 2.3.9 that disabled the “.htaccess” by default. The file would store folder-related security settings.
The reason for the change was to protect the system config of the admins by disabling the users to customize security settings on individual folders. It was also meant to improve performance since the server didn’t have to check “.htaccess” file while accessing a directory.
After the disabling of checking “.htaccess” files, the jQuery File Upload plugin also no longer benefited from the feature. Then, it would add files to the root directory.
The bug is tracked as CVE-2018-9206.
The impact on the community
The jQuery File Upload plugin was so popular that it got thousands of derivatives and many of them are still carrying the flawed code. There are currently about 7,800 variations. According to Cashdollar, there are still cases where the vulnerability exists even if the original code was changed for meeting customer needs.
The researcher also published a proof-of-concept exploit that exploits the widget and uploads a PHP shell. There’re currently 3 common variations of all the forks of jQuery File Upload.
Thankfully, the bug is fixed in the latest version of the jQuery File Upload. Get the latest version of the widget.
By default, the updated widget allows only image files (JPG, JPEG, GIF, and PNG) to be uploaded by default. For adding other file types, the dev also provides an in-depth guide.