Zero-Day In Popular jQuery Plugin Actively Exploited For At Least Three Years (zdnet.com)
Slashdot reader generic shares a report from ZDNet: For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.
Earlier this year, Larry Cashdollar, a security researcher for Akamai's SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers. Cashdollar says that attackers can abuse this vulnerability to upload malicious files to servers, such as backdoors and web shells. The Akamai researcher says the vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016," the researcher told ZDNet in an interview. The vulnerability was one of the worst-kept secrets of the hacker scene and appears to have been actively exploited even before 2016. Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015. The issue was assigned the identifier CVE-2018-9206 earlier this month. "All jQuery File Upload versions before 9.22.1 are vulnerable," reports ZDNet. "Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe."
Dang IT (Score:2, Funny)
them haz finally founded it...
Re: (Score:2)
prodigious German developer Sebastian Tschan
Not to be confused with prodigious German action-film actor Jackie Tschan.
This is why (Score:2)
Re: (Score:3)
You can't spend 25 hours daily checking security... you may as well turn it off.
This is the attitude that really messes things up. "We can't be perfect.....why bother?"
The proper security attitude should be, "Maybe we can't be perfect......but we can be pretty good." And sometimes you can be perfect (like you can perfectly avoid SQL injection attacks. That is something that can be done).
Re: (Score:2, Flamebait)
The problem is that javascript is mostly developed by people who have no fucking clue what they're doing. Most of them come from webdesign and when they found out that there's not even a market for a fraction of them, they muscled into the server world.
And now we have this pile of pus on the backend, too.
Re: This is why (Score:2)
Re: (Score:2)
Re:This is why (Score:4, Informative)
Yeah, the issue is in a PHP script that comes with a popular jQuery plugin to handle the server-side part of the file upload system it provides. I think the PHP script in question was written by the same guy who wrote the jQuery plugin, hence the "Javascript developers are crap" parent comment, I guess.
Re: This is why (Score:2)
Wtf? And someone (or rather several someones) thought that "Zero-Day In Popular jQuery Plugin" was a good headline for a story about a crappy PHP script?
This place is really falling apart.
Re: (Score:2)
Just imagine what those webdesigners are building
Good eye. (Score:1)
discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers.
Not quite as bad as it sounds (Score:5, Informative)
The vulnerability is in their PHP code, which is basically sample code. Most projects using the uploader write their own PHP handler for their own specific upload purposes. Only a project that just wants to generically accept all files would consider using their sample PHP code. Verified that my PHP scripts aren't affected despite using the blueimp uploader.
Re: (Score:2)
The vulnerability is in their PHP code, ...
You need say no more.
Re:Not quite as bad as it sounds (Score:5, Informative)
From my understanding, the plugin is very generic, and accepts all files, including PHP scripts and .htaccess files. The idea being that the website developer is supposed to do his own filtering. Of course, some developers will use it blindly and leave this kind of generic file uploader publicly accessible.
Depending on how the code was documented, this is not directly the fault of the plugin developer. 'Seems way overblown in itself. But there sure could be high-profile problematic uses.
Re: (Score:2)
You could make it so the types of files (though how it identifies them is another question) is opt-in. IOW it accepts nothing out of the box.
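The opt-in behaviour this comment describes (accept nothing unless the site explicitly allows it), shown as an added example rather than the plugin's own handler. It is written in Python instead of the sample handler's PHP; the allow-list, the magic-number table and the sample uploads are constructed for illustration, and the function names are my own. It rejects dotfiles such as .htaccess, strips path components, refuses stacked extensions, and then checks that the leading bytes of the body match the claimed extension, since the extension alone says nothing about the content.

```python
import os
import re

# Constructed allow-list: an empty set means "accept nothing", the opt-in
# default the comment above argues for.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})
MAX_NAME_LEN = 128
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed table of leading bytes (magic numbers) per allowed extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def validate_upload_name(filename, allowed=ALLOWED_EXTENSIONS):
    """Return (True, safe_name) or (False, reason).

    Accepts only names of the form stem.ext where ext is in the allow-list,
    rejecting dotfiles (.htaccess), path components, and stacked extensions
    such as shell.php.jpg that some server configurations would still execute.
    """
    # Drop any directory part, treating backslashes as separators too.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or len(name) > MAX_NAME_LEN:
        return False, "empty or overlong name"
    if name.startswith("."):
        return False, "dotfiles such as .htaccess are rejected"
    parts = name.split(".")
    if len(parts) != 2:
        return False, "exactly one extension is required"
    stem, ext = parts
    if not _SAFE_STEM.match(stem):
        return False, "stem contains characters outside [A-Za-z0-9_-]"
    if ext.lower() not in allowed:
        return False, "extension .%s is not in the allow-list" % ext
    return True, name


def content_matches_extension(ext, head):
    """True if the first bytes of the file match a known signature for ext."""
    return any(head.startswith(sig) for sig in MAGIC.get(ext.lower(), ()))


def accept_upload(filename, head, allowed=ALLOWED_EXTENSIONS):
    """Combine the name check with a content check on the leading bytes."""
    ok, info = validate_upload_name(filename, allowed)
    if not ok:
        return False, info
    ext = info.rsplit(".", 1)[1]
    if not content_matches_extension(ext, head):
        return False, "content does not look like a .%s file" % ext
    return True, info


if __name__ == "__main__":
    # Constructed sample uploads: (claimed name, first bytes of the body).
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("photo.png", b"<?php echo 'not an image'; ?>"),
        ("shell.php", b"<?php"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        (".htaccess", b"# would override per-directory server settings"),
        ("../../evil.gif", b"GIF89a"),
    ]
    for name, head in samples:
        print(name, "->", accept_upload(name, head))
```

Storing accepted files under a server-generated name, outside the web root or in a directory the web server never hands to a script handler, is the other half of the defence; the checks above only decide what gets written at all.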
Re: (Score:2)
Unfortunately, a lot of incompetent coders (and there are a lot of them, not only because this is PHP) do use sample code frequently. I agree that for a competent coder, the whole thing is probably a non-issue, but that is not the reality of things.
Yawn. (Score:1)
Not actually surprised, jquery sucks.
Dum*ss' here's a big fsck you (Score:2)
Unforgivable. A lot of people let this go on for a long time. Sounds truly idiotic
Apache developers are to blame (Score:2)
According to the article: "Starting with this version [version 2.3.9], the Apache HTTPD server got an option that would allow server owners to ignore custom security settings made to individual folders via .htaccess files. This setting was made for security reasons, was enabled by default, and remained so for all subsequent Apache HTTPD server releases."
I wonder how many other plugins are silently broken due to this change.
If it's been used for three years ... (Score:2)
... it's not zero-day.
It's a critical bug that has gone largely undiscovered. Which is surprising, given the install base of its host code. The hacker probably was careful not to exploit it too openly.
Author of jQuery File Upload here (Score:1)
I've written a comment with some background information on Hacker News: https://news.ycombinator.com/i... [ycombinator.com]
Copying the content here for ease-of-use:
The vulnerability is a combination of Apache v.2.3.9's default setting to not read .htaccess files and my mistake of relying on .htaccess to enforce security of the sample PHP upload component.
To give you some context on how this could happen:
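The failure mode both the "Apache developers are to blame" post and the author's comment describe is a restriction that lives only in the upload directory's .htaccess and is silently ignored once AllowOverride defaults to None. The following is an added example of putting the same restriction in the main server configuration, where it holds regardless of that setting; it is not the project's own .htaccess, the directory path is a placeholder, and the mod_php module name varies by PHP version, so that IfModule block is an assumption.

```apache
# Main httpd.conf or virtual host config, not a .htaccess file: these rules
# are enforced whether or not per-directory overrides are read.
<Directory "/var/www/html/files">
    # Explicitly refuse to read .htaccess here (the post-2.3.9 default).
    AllowOverride None
    Options -ExecCGI -Indexes -Includes

    # Serve every file in the upload tree as a plain download, never through
    # a script handler, even if its name ends in .php.
    SetHandler default-handler
    RemoveHandler .php .phtml .phar .phps
    RemoveType .php .phtml .phar .phps

    # Defence in depth: refuse script-looking names outright.
    <FilesMatch "\.(?i:php|phtml|phar|phps|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # Uploaded .htaccess / .htpasswd files must never be served either.
    <Files ".ht*">
        Require all denied
    </Files>

    # Assumption: module name for mod_php; adjust to the installed PHP.
    <IfModule mod_php7.c>
        php_flag engine off
    </IfModule>

    <IfModule mod_headers.c>
        # Force a download and stop browsers from sniffing the content type.
        Header set Content-Disposition attachment
        Header set X-Content-Type-Options nosniff
    </IfModule>
</Directory>
```

A quick check that the rules are in force is to place a harmless file named like a script (for example a text file called test.php) in the directory and confirm over HTTP that the server returns a 403, or at most the raw bytes as a download, rather than executing anything; if the same rules live only in a .htaccess file, that check is exactly what fails under AllowOverride None.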
Re: (Score:2)
+1 Informative