jQuery File Upload Plugin Vulnerable for 8 Years and Only Hackers Knew
Of the thousands of plugins for the jQuery framework, one of the most popular harbored for at least three years an oversight in its code that eluded the security community, despite publicly available tutorials that explained how it could be exploited.
The bug affects the widely used jQuery File Upload widget and allows an attacker to upload arbitrary files to web servers, including command shells for sending out commands.
Bug enabled by security upgrade eight years ago
Larry Cashdollar, a security researcher with Akamai’s SIRT (Security Intelligence Response Team), found the flaw while analyzing the widget’s code and was able to upload a web shell and run commands on a test server he set up.
Together with Sebastian Tschan, the developer of the plugin, the researcher discovered that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings. Unless specifically enabled by the administrator, .htaccess files are ignored.
One reason for this was to protect the administrator's system configuration by preventing users from customizing security settings on individual folders. Another was to improve performance, since the server no longer had to check the .htaccess file when accessing a directory.
After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.
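An added example, not code from the article or the plugin: a simplified Python check of whether Apache would honour a .htaccess file in a given directory, based on the effective AllowOverride setting (which defaults to None since 2.3.9). The sample configuration and all paths are constructed; Include files, wildcard or regex sections and AllowOverrideList are assumed absent.

```python
import re
from pathlib import PurePosixPath

# Constructed sample httpd configuration (not taken from the article).
SAMPLE_CONF = '''
<Directory "/">
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>
<Directory "/var/www/html/legacy">
    AllowOverride All
</Directory>
'''

# Literal <Directory path> openers only; the regex form (<Directory ~ ...>) is skipped.
OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
ALLOW = re.compile(r'^AllowOverride\s+(.+)$', re.I)

def allow_override_map(conf_text):
    """Map each literal <Directory> path to the AllowOverride value it sets."""
    result, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = PurePosixPath(opened.group(1))
        elif line.lower() == "</directory>":
            current = None
        elif current is not None and ALLOW.match(line):
            result[current] = ALLOW.match(line).group(1).strip()
    return result

def effective_allow_override(conf_text, target):
    """Most specific enclosing section that sets AllowOverride wins."""
    target = PurePosixPath(target)
    best_depth, value = -1, "None"  # default since Apache 2.3.9
    for directory, setting in allow_override_map(conf_text).items():
        if directory == target or directory in target.parents:
            if len(directory.parts) > best_depth:
                best_depth, value = len(directory.parts), setting
    return value

def htaccess_honoured(conf_text, target):
    """True if a .htaccess file in `target` would be read at all."""
    return effective_allow_override(conf_text, target).lower() != "none"
```

A False result for an upload directory means any restrictions shipped in a .htaccess file there are not applied and must be set in the server configuration instead.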
Flaw propagates to other projects
The popularity of jQuery File Upload caused thousands of derivations of the project, many of them carrying the flawed code. There are over 7,800 variations at the moment, and Cashdollar says that there are cases where the vulnerability exists even if the original code was modified to meet custom needs.
The researcher reached this conclusion after checking some of the forks, where he noticed three common variations. He created a proof-of-concept exploit that tries to find one of the differences and uploads a PHP shell.
Exploit described in YouTube videos
jQuery File Upload has been vulnerable for eight years, since the Apache 2.3.9 release in 2010. The coding faux pas did not go unnoticed all this time, and the method for exploiting it has been shared for at least three years.
A video from 2015 is currently available on YouTube with step-by-step instructions on how to find vulnerable websites and how to deface them. More recent videos are available, too.
Public distribution channels are the last ones a cybercriminal would turn to for documentation, which could suggest that the exploitation method has been distributed on hacker forums before 2015.