A security researcher has disclosed a zero-day vulnerability in the jQuery File Upload plugin that lets attackers compromise thousands of sites. The flaw was announced publicly together with the observation that the plugin has been adopted by a large number of services and platforms.
CVE-2018-9206: The jQuery File Upload Plugin Zero-Day Vulnerability Can Be Easily Abused by Hackers
The recent announcement of a jQuery File Upload plugin zero-day vulnerability has made headlines among both ordinary computer users and specialist communities, because many online services, sites and platforms use this component. According to the researcher's published report, the vulnerability is being actively exploited by attackers worldwide.
jQuery File Upload is one of the most widely used jQuery widgets. It lets users upload files to a site, with multiple file selection and drag & drop support, and it displays progress bars, validation and preview screens, as well as playback of uploaded audio and video. The plugin is used across all kinds of environments and platforms, which makes the vulnerability very dangerous.
The plugin's bundled server-side upload handler stores uploaded files in a "files" directory under the web server's document root, and it relied on an .htaccess file in that directory to keep the server from executing whatever is stored there. Without that protection, an attacker can upload a script and run commands on the victim host, so every site running an unpatched version of the jQuery File Upload plugin's upload handler is affected. A quick search on the Internet turns up numerous tutorials, how-to videos and recorded demonstrations that teach malicious actors how to carry out the attack.
The security researcher traces the problem to a change in the Apache web server: since Apache 2.3.9 the default for AllowOverride is None, so the .htaccess file the plugin relied on to block script execution in the upload directory is silently ignored. The fix released for CVE-2018-9206 changes the handler's default so that only image file types (gif, jpeg and png) are accepted for upload, which stops shell scripts and other potentially dangerous files from being uploaded and run by the server. The project's own description of the plugin reads as follows:
File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
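The following is an added example, written for this article and not code from the plugin or its author. It models the extension allow-list that the server-side handler applies to an uploaded name, using this example's own approximation of the pre-fix default (any name accepted) and the post-fix default (gif, jpeg and png only), and runs both over a few constructed uploads. It also adds a content check on the file's first bytes, which is this example's own hardening and not part of the plugin's fix: an extension allow-list alone still accepts a script saved with a double extension such as shell.php.png.

```python
import posixpath
import re

# Approximations of the PHP handler's accept_file_types defaults before and
# after the fix (the project's own regexes are PHP; these are this example's
# Python equivalents, stated as an assumption).
ACCEPT_ANY = re.compile(r".+$", re.IGNORECASE)                    # pre-fix default
ACCEPT_IMAGES = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)  # post-fix default

# Leading bytes of the three formats the fixed default allows.
IMAGE_SIGNATURES = (
    b"\x89PNG\r\n\x1a\n",  # PNG
    b"\xff\xd8\xff",       # JPEG
    b"GIF87a",             # GIF
    b"GIF89a",
)


def sanitize_name(filename: str) -> str:
    """Drop directory components and leading dots so the stored name cannot
    escape the upload directory or become a dotfile such as .htaccess.
    This is the example's own sanitization, not the plugin's code."""
    name = posixpath.basename(filename.replace("\\", "/"))
    return name.lstrip(".")


def name_allowed(filename: str, accept: re.Pattern) -> bool:
    """Extension allow-list: the stored name must match the accept pattern."""
    return accept.search(sanitize_name(filename)) is not None


def content_is_image(data: bytes) -> bool:
    """Added content check: the first bytes must be a PNG, JPEG or GIF header."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES)


def upload_decision(filename: str, data: bytes) -> dict:
    """How each policy treats one upload."""
    by_name = name_allowed(filename, ACCEPT_IMAGES)
    return {
        "stored_as": sanitize_name(filename),
        "pre_fix": name_allowed(filename, ACCEPT_ANY),
        "post_fix": by_name,
        "post_fix_plus_content": by_name and content_is_image(data),
    }


# Constructed sample uploads (not captured traffic): a real-looking image, a
# PHP script, the same script under a double extension, and a traversal name.
SAMPLE_UPLOADS = [
    ("holiday.PNG", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php", b"<?php /* script body */ ?>"),
    ("shell.php.png", b"<?php /* script body */ ?>"),
    ("../../.htaccess", b"# directives"),
]


def evaluate_samples() -> dict:
    return {name: upload_decision(name, data) for name, data in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:>18} -> {decision}")
```

Running the block shows that shell.php passes the pre-fix default and fails the post-fix one, while shell.php.png passes the name check under both and is only rejected once the content is inspected. Independently of the handler, a deployment should not depend on .htaccess at all: the rule that denies script execution in the upload directory belongs in the main Apache configuration, where it applies regardless of the AllowOverride setting.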