A jQuery plugin has been exploitable for 8 years

Different ways of exploiting the flaw have been widely spread too

Out of the thousands of plugins for the jQuery framework, one of the most popular has hosted for at least three years an oversight in the code that remained hidden for the cybersecurity and digital forensics community, despite the availability of tutorials explaining how it could be exploited.

The vulnerability affects the jQuery File Upload widget, widely used, and allows an attacker to load arbitrary files on web servers, including shell commands to send commands.

Security Update enabled vulnerability 8 years ago

Larry Cashdollar, a digital forensics expert, found the flaw by analyzing the widget’s code and was able to load a web shell and execute commands on a test server that he set up.

Along with Sebastian Tschan, the plugin developer, the investigator discovered that the flaw was caused by a change introduced in Apache 2.3.9, which deactivated by default the .htaccess files that stored the security settings related to the folder. Unless the administrator had enabled it manually, the .htaccess files were omitted.

One reason for this was to protect the administrator system configuration by preventing users from customizing security settings in individual folders. Another reason is to improve performance, because the server no longer had to check the .htaccess file when accessing a directory.

After Apache 2.3.9., plugins that use .htaccess files to impose access restrictions no longer benefit from the custom folder access security settings. This was also the case with jQuery File Upload, which adds files to a root directory.

Tracked as CVE-2018-9206, the encoding vulnerability is no longer present in the latest version of jQuery File Upload. Digital forensics experts changed the code to allow only the types of GIF, JPG, JPEG, and PNG image files by default. Tschan provided instructions on how to enable more content without running security risks.

The flaw spread to other projects

The popularity of jQuery File Upload provoked thousands of derivative projects; many of them used the defective code. There are over 7.8k variations at this time, and Cashdollar says there are cases where vulnerabilities are present, even if the original code was modified to meet custom needs.

The investigator came to this conclusion after reviewing some of the forks, where he noticed three common variations. Later he created a proof of concept of the exploit trying to find one of the differences and to load a PHP shell.

“I’ve done some tests with the 1000 branches of the original code and it seems that only 36 were vulnerability-free. I found that they only needed a small modification in the exploit to work in most cases”, says Cashdollar.

jQuery File Upload has remained vulnerable since the launch of Apache 2.3.9., eight years ago. On the other hand, this flaw did not go unnoticed all this time; moreover, the method to exploit it has been widely disseminated for at least three years.

A 2015 video, even available on Youtube, details the instructions on how to find vulnerable websites and how to modify them. More recent vulnerability videos are also available.