Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID: CVE-2018-9206
CWE: CWE-434 arbitrary file upload
Download Site: https://github.com/blueimp/jQuery-File-Upload/
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact: blueimp.net, fixed in v9.22.1
Advisory: http://www.vapidlabs.com/advisory.php?v=204
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability: The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php performs no validation of the files it writes to the server, and it does not exclude any file types. This allows remote code execution.
The back end PHP code under server/php/ handles requests from the JavaScript front end. It allows any file type to be uploaded, including executable files with .php extensions. The JavaScript front end sends POST requests to index.php, which in turn loads the UploadHandler class from UploadHandler.php. Uploaded files are then written to the server/php/files directory.
Exploit Code:
Screen Shots: CVE-2018-9206.png, CVE-2018-9206-result.png
Notes: Actively being exploited in the wild. See https://github.com/blueimp/jQuery-File-Upload/pull/3514. The author includes a .htaccess under server/php/files that attempts to force the file to be served as a download and to change the file extension to .html. The .htaccess with comments removed:

    SetHandler default-handler
    ForceType application/octet-stream
    Header set Content-Disposition attachment
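The file-name allowlist check that the v9.22.1 fix applies, as an added Python example (not the project's PHP code): it mirrors the accept_file_types test in UploadHandler.php with the old and new default patterns, audits a constructed server/php/files listing for names the hardened default would reject, and checks an .htaccess for the three directives quoted in the Notes. The sample listing and the .htaccess text are constructed; the AllowOverride remark is a general Apache fact, not from the advisory.

```python
import os
import re

# Default accept_file_types in UploadHandler.php for <= v9.22.0: any non-empty
# file name passes, so a .php upload is stored next to the images.
VULNERABLE_DEFAULT = re.compile(r".+$", re.I)
# Default from v9.22.1 onward: an explicit allowlist of image extensions
# (the Python form of the project's '/\.(gif|jpe?g|png)$/i').
HARDENED_DEFAULT = re.compile(r"\.(gif|jpe?g|png)$", re.I)

# The directives quoted in the advisory's Notes. Apache only honours them if
# AllowOverride permits .htaccess in that directory; with AllowOverride None
# (the default since Apache 2.3.9) the file is silently ignored.
REQUIRED_HTACCESS = (
    "SetHandler default-handler",
    "ForceType application/octet-stream",
    "Header set Content-Disposition attachment",
)

# Constructed sample listing of server/php/files, not from a real deployment.
SAMPLE_LISTING = ["photo.JPG", "cat.png", "shell.php", "page.phtml", "notes.txt", "banner.gif"]


def accepted(filename, pattern=HARDENED_DEFAULT):
    """Mirror UploadHandler::validate(): the pattern is matched against the
    client-supplied file name only, never against the file's content."""
    return pattern.search(filename) is not None


def audit_listing(names, pattern=HARDENED_DEFAULT):
    """Return the names a given accept_file_types pattern rejects. Run against an
    existing upload directory, these are the files to quarantine and investigate."""
    return sorted(n for n in names if not accepted(n, pattern))


def audit_directory(path):
    """Walk a real upload directory (e.g. server/php/files) with the hardened default."""
    names = [f for _, _, files in os.walk(path) for f in files if f != ".htaccess"]
    return audit_listing(names)


def htaccess_mitigation_present(text):
    """True if every directive from the Notes appears uncommented in the .htaccess text."""
    lines = [l.strip() for l in text.splitlines() if not l.strip().startswith("#")]
    return all(any(line.startswith(d) for line in lines) for d in REQUIRED_HTACCESS)


if __name__ == "__main__":
    print("rejected by v9.22.1 default:", audit_listing(SAMPLE_LISTING))
    print("rejected by <= v9.22.0 default:", audit_listing(SAMPLE_LISTING, VULNERABLE_DEFAULT))
    print(".htaccess mitigation present:", htaccess_mitigation_present("\n".join(REQUIRED_HTACCESS)))
```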