RCE via jQuery File Upload Vulnerability leaves Thousands of Applications at Risk

The popular and commonly used plugin jQuery File Upload by Blueimp includes a vulnerability that feasibly puts 7,800 software applications at risk of attack by remote-code execution (RCE).
jQuery File Upload is a widget with multiple file selection, drag-and-drop support, image previews, a progress bar and more, making it a versatile and widely used piece of software. The widget works with any server-side platform, for example Google, Python, PHP, Ruby on Rails and Java, as well as others that support HTML form file uploads.
Larry Cashdollar, a researcher on the Akamai Security Intelligence Response Team (SIRT), did a deep dive into the PHP files in the package and found the concerning security flaw. The two PHP files affected are Upload.php and UploadHandler.php.
Cashdollar states that an attacker would not need any authentication to upload files, a major security flaw. This means that once an attacker uploads a PHP or other executable file onto the server, they can execute commands with the web server's privileges. Cashdollar adds: “This opens up a whole array of attacks.”
An attacker could exploit this vulnerability by uploading a PHP shell, gaining access to the system and then installing malware to extract data or carry out other malicious actions.
Cashdollar responsibly notified the developer of jQuery File Upload, Sebastian Tschan, when he discovered the issue. A deep dive into the flaw showed that it was introduced when the Apache web server that Blueimp's code relied on disabled, by default, a security control that would previously have blocked this action. The control was disabled around 2010 when Apache 2.3.9 was introduced, meaning the vulnerability had been live for 8 years.
Blueimp has fixed the issue by releasing a new version of the software that only allows image-file uploads by default.
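To make the difference between the old and new defaults concrete, here is an added example (not code from the plugin, from Blueimp or from Akamai's write-up) of a minimal server-side accept check in the style of the plugin's UploadHandler options. The option name accept_file_types and the two patterns mirror the plugin's option; the validateUpload function, the image-parse step and the sample files are constructed for this illustration.

```php
<?php
// Added example, not the jQuery File Upload project's own code.
// 'accept_file_types' mirrors the plugin's option name; the rest is constructed.

// Weak default: any file name is accepted, so a .php upload stored in a
// web-served directory can later be executed by the web server.
$vulnerableOptions = ['accept_file_types' => '/.+$/i'];

// Hardened default: only image extensions are accepted (what the fix changed).
$hardenedOptions = ['accept_file_types' => '/\.(gif|jpe?g|png)$/i'];

/**
 * Decide whether an upload may be stored.
 * Returns null when the file is accepted, or a short reason string when rejected.
 */
function validateUpload(array $options, string $name, string $tmpPath): ?string
{
    // 1. Extension allow-list, as configured in $options.
    if (!preg_match($options['accept_file_types'], $name)) {
        return 'accept_file_types';
    }
    // 2. Defence in depth (constructed for this example): an allowed extension
    //    is not proof the bytes are an image, so require that PHP can parse one.
    if (@getimagesize($tmpPath) === false) {
        return 'not_an_image';
    }
    return null;
}

// Constructed samples: a 1x1 PNG, and a PHP script stored under an image name.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'x';");

// A script with a .php name: accepted by the old default, rejected by the new one.
var_dump(validateUpload($vulnerableOptions, 'script.php', $script));
var_dump(validateUpload($hardenedOptions, 'script.php', $script));
// A script renamed to .png: passes the extension check, fails the image parse.
var_dump(validateUpload($hardenedOptions, 'script.png', $script));
// A real PNG: passes both checks.
var_dump(validateUpload($hardenedOptions, 'photo.png', $png));

unlink($png);
unlink($script);
```

The extension allow-list alone is only as strong as the web server configuration the article describes: if the upload directory is still served as executable, restricting names is a mitigation, not a complete fix, so the upload location should also be kept non-executable.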