Larry Cashdollar, a security researcher with Akamai’s SIRT (Security Intelligence Response Team), discovered a vulnerability affecting the jQuery File Upload plugin, as reported by Bleeping Computer last week.
The vulnerability received the identifier CVE-2018-9206 earlier this month, which should help people pay closer attention to this flaw.
Larry traced the flaw together with Sebastian Tschan, also known as Blueimp, the developer of the plugin. They discovered that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings.
The jQuery File Upload plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.
The 8-year-old issue finally found
As per the investigation, the developer identified the true source of the vulnerability not in the plugin’s code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin’s expected behavior on Apache servers.
The actual issue dates back to November 23, 2010, just five days before Blueimp launched the first version of his plugin. On that day, the Apache Foundation released version 2.3.9 of the Apache HTTPD server.
Larry, in an interview with ZDNet, said, “attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells”. “I’ve seen stuff as far back as 2016,” he added. Hackers have been actively exploiting this flaw since 2016 and kept it low-key, without anyone knowing.
Larry found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. This means that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community.
According to ZDNet, “All jQuery File Upload versions before 9.22.1 are vulnerable. Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe.”
Measures taken against the flaw now known as CVE-2018-9206
Starting with Apache 2.3.9, .htaccess files are ignored unless specifically enabled by the administrator. There were two reasons for this change: firstly, to protect the administrator’s system configuration by preventing users from customizing security settings on individual folders; secondly, to improve performance, since the server no longer had to check for a .htaccess file when accessing a directory.
After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from that custom per-folder security configuration. This was also the case with jQuery File Upload, which stores uploaded files in a directory under the web root.
Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only the image file types GIF, JPG, JPEG, and PNG by default, and he provides instructions on how to permit other file types without running a security risk.
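As an added illustration of the kind of server-side allowlist the fix described above relies on (example code written for this summary, not the plugin’s own PHP handler; the magic-number table, the safe-name pattern and the rule that every extension in the name must be allowed are this example’s assumptions):

```python
"""Server-side upload allowlist in the spirit of the plugin's fix (constructed example)."""
import posixpath
import re

# Default allowlist matching the fix: only these image types are accepted.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Leading bytes (magic numbers) of the permitted image formats.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# The part of the name before the first dot may only use these characters.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]+$")


def is_allowed_upload(filename: str, data: bytes) -> bool:
    """Return True only if the upload is an image of a permitted type.

    Three checks, all of which must pass:
    1. The name carries no path components, no leading dot and no odd
       characters in its stem, so directory traversal is not possible.
    2. Every extension in the name is on the allowlist, so a name such as
       'shell.php.png' is rejected outright; some Apache mod_mime setups
       hand multi-extension names to the PHP handler.
    3. The leading bytes match the magic number of the final extension, so
       a script renamed to an allowed extension is rejected as well.
    """
    name = posixpath.basename(filename)
    if name != filename or name.startswith("."):
        return False
    parts = name.split(".")
    if len(parts) < 2 or not SAFE_STEM.match(parts[0]):
        return False
    exts = [p.lower() for p in parts[1:]]
    if not all(ext in ALLOWED_EXTENSIONS for ext in exts):
        return False
    return any(data.startswith(magic) for magic in MAGIC[exts[-1]])
```

The extension check alone would still let a renamed script through; the magic-number check is what catches it, and neither replaces serving the upload directory with script execution disabled.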
Larry said, “I did test 1000 out of the 7800 of the plugin’s forks from GitHub, and they all were exploitable”. The code he used for these tests is available on GitHub, along with a proof-of-concept for the actual flaw.
To learn more about this in detail, head over to Bleeping Computer’s complete coverage.