Zero-Day In Popular jQuery Plugin Actively Exploited For At Least Three Years (zdnet.com)

Slashdot reader generic shares a report from ZDNet: For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

Earlier this year, Larry Cashdollar, a security researcher for Akamai's SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers. Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells. The Akamai researcher says the vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016," the researcher told ZDNet in an interview. The vulnerability was one of the worst kept secrets of the hacker scene and appears to have been actively exploited, even before 2016. Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015.
Thankfully, the CVE-2018-9206 identifier was pushed earlier this month to address this issue. "All jQuery File Upload versions before 9.22.1 are vulnerable," reports ZDNet. "Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe."
  • Dang IT (Score:2, Funny)

    by Anonymous Coward

    them

    haz

    finally

    founded

    it...

  • This is why "keeping your patches up to date" is not enough. The problem is not enough focus on security by developers.
    • Re: (Score:2, Flamebait)

      by Opportunist ( 166417 )

      The problem is that javascript is mostly developed by people who have no fucking clue what they're doing. Most of them come from webdesign and when they found out that there's not even a market for a fraction of them, they muscled into the server world.

      And now we have this pile of pus on the backend, too.

  • by Anonymous Coward

    discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers.

  • by Gavagai80 ( 1275204 ) on Friday October 19, 2018 @09:28PM (#57507546) Homepage

    The vulnerability is in their PHP code, which is basically sample code. Most projects using the uploader write their own PHP handler for their own specific upload purposes. Only a project that just wants to generically accept all files would consider using their sample PHP code. Verified that my PHP scripts aren't affected despite using the blueimp uploader.

    • The vulnerability is in their PHP code, ...

      You need say no more.

      • by Anonymous Coward on Saturday October 20, 2018 @01:51AM (#57508056)

        From my understanding, the plugin is very generic, and accepts all files, including PHP scripts and .htaccess files. The idea being that the website developer is supposed to do his own filtering. Of course, some developers will use it blindly and leave this kind of generic file uploader publicly accessible.

        Depending on how the code was documented, this is not directly the fault of the plugin developer. 'Seems way overblown in itself. But there sure could be high-profile problematic uses.

        • You could make it so the types of files (though how it identifies them is another question) is opt-in. IOW it accepts nothing out of the box.

    • by gweihir ( 88907 )

      Unfortunately, a lot of incompetent coders (and there are a lot of them, not only because this is PHP) do use sample code frequently. I agree that for a competent coder, the whole thing is probably a non-issue, but that is not the reality of things.

  • Not actually surprised, jquery sucks.

  • Unforgivable. A lot of people let this go on for a long time. Sounds truly idiotic

  • According to the article: "Starting with this version [version 2.3.9], the Apache HTTPD server got an option that would allow server owners to ignore custom security settings made to individual folders via .htaccess files. This setting was made for security reasons, was enabled by default, and remained so for all subsequent Apache HTTPD server releases."

    I wonder how many other plugins are silently broken due to this change.

  • ... it's not zero-day.

    It's a critical bug that has gone largely undiscovered. Which is surprising, given the install base of its host code. The hacker probably was careful not to exploit it too openly.

  • I've written a comment with some background information on Hacker News: https://news.ycombinator.com/i... [ycombinator.com]

    Copying the content here for ease-of-use:

    The vulnerability is a combination of Apache v.2.3.9's default setting to not read .htaccess files and my mistake of relying on .htaccess to enforce security of the sample PHP upload component.

    To give you some context on how this could happen:

    • As the project name implies, this started as a client-side jQuery plugin, with a dummy PHP script to echo out the uploaded
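A defender-side counterpart to the two points raised in this thread (make accepted file types opt-in, and do not rely on an .htaccess file that Apache 2.3.9+ ignores by default): an added example handler in PHP, written for this page rather than taken from Blueimp's project. The form field name `file`, the upload directory and the allowlist are assumptions.

```php
<?php
// Added example, not Blueimp's handler: the upload script itself enforces an
// opt-in allowlist and stores files outside the document root, so it does not
// depend on an .htaccess file that Apache 2.3.9+ ignores under AllowOverride None.
declare(strict_types=1);
// Opt-in: nothing is accepted unless listed here (extension => expected MIME type).
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'pdf'  => 'application/pdf',
];
// Assumed path that is NOT under DocumentRoot, so the server never executes it.
const UPLOAD_DIR = '/var/www/uploads';
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only the final extension counts; .php, .phtml and .htaccess are simply not listed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the real content; the client-supplied $file['type'] is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    return $ext;
}
function store_upload(array $file): string
{
    $ext  = validate_upload($file);
    // Server-chosen random name: the client never controls the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}
header('Content-Type: application/json');
try {
    // Assumed single-file form field named "file".
    echo json_encode(['name' => store_upload($_FILES['file'] ?? [])]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

Serving the stored files back should go through a separate read-only script (or a location with script execution disabled in the main server config), which is what makes the handler independent of .htaccess.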
