CVE-2018-9206: jQuery File Upload Plugin Zero-Day Vulnerability Affects Thousands of Sites
CYBER NEWS

CVE-2018-9206: jQuery File Upload Plugin Zero-Day Vulnerability Affects Thousands of Sites

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

A security researcher has discovered a jQuery File Upload Plugin Zero-Day Vulnerability that allows hackers to abuse thousands of sites. The flaw was announced to the public alongside the fact that this plugin as adopted by many services and platforms.




CVE-2018-9206: The jQuery File Upload Plugin Zero-Day Vulnerability Can Be Easily Abused by Hackers

The recent announcement of a jQuery File Upload Plugin zero-day vulnerability has made headlines across both ordinary computer users and specialist communities. The reason for this is the fact that many online services, sites and platforms use this component. According to the published report by the security researcher the package is actively being exploited by computer hackers worldwide.

The jQuery File Upload is one of the most widely used jQuery widgets which allows users to upload files to the respective site — multiple file selection is possible, alongside drag & drop support. This plugin also enables the visualization of progress bars, validation and preview screens, as well as multimedia playback of both audio and video content. The plugin is used across all kinds of environments and platforms which makes the instance very dangerous.

The plugin has been found to place two files which are placed in the “files” directory of the root path of the web server. As an effect of this hackers can upload malware scripts and run commands on the victim hosts. Consequently every site that uses unpatched versions of the jQuery File Upload Plugin is affected. A quick search on the Internet shows that there are numerous tutorials, how-to videos and even recorded demonstrations on teaching malicious actors how to execute attacks.

Related Story:
Computer hackers are abusing the CVE-2018-7600 Drupal vulnerability using a new exploit called Drupalgeddon2 to take down sites
CVE-2018-7600 Drupal Bug Used in New Attack

The security researcher notes that the jQuery behavior is connected to the way the Apache web server handles file operations. The issued CVE-2018-9206 advisory when implemented only allows file uploads to be of the “image” content-type. This prevents shell scripts and other potentially dangerous files to be uploaded or run by the server. The full text of the advisory is the following:

File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...