A zero-day flaw in the popular jQuery File Upload plugin that could affect thousands of projects has been actively...
exploited for at least three years.
Larry Cashdollar, security researcher for the Security Intelligence Response Team at Akamai, discovered the jQuery plugin vulnerability. The plugin is designed to upload files to PHP servers, but Cashdollar found the plugin doesn't require validation and doesn't exclude file types, which enables remote execution exploits of those servers.
After Cashdollar reported the jQuery plugin vulnerability to its creator, Sebastian Tschan, the German developer who goes by the nym "Blueimp," the two worked together and discovered the issue was caused by a change in the Apache HTTPD server. The change was made in Apache version 2.3.9 -- made five days before release of the first version of jQuery File Upload in 2010 -- and it disabled support for .htaccess web server configuration in order to prevent security features from being overridden. Unfortunately, Tschan's plugin relied on .htaccess to implement security controls.
However, Cashdollar said in his report that "Apache had good reasons to disable .htaccess, but their changes left some developers and their projects open to attack, especially if they relied on .htaccess as a security function."
"The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure," Cashdollar wrote. "If one of these controls suddenly doesn't exist it may put security at risk unknowingly to the users and software developers relying on them."
The issue was in the source code of the jQuery File Upload plugin, originally developed by Tschan, so the vulnerability could affect many other projects.
According to GitHub, jQuery File Upload is the most starred -- meaning users mark it in order to signal interest and support -- jQuery plugin and also the most forked. Cashdollar said the plugin has been forked more than 7,800 times and could have been built in to thousands of other projects, making it difficult to determine how widespread the jQuery plugin vulnerability could be.
"Unfortunately, there is no way to accurately determine how many of the projects forked from jQuery File Upload are being properly maintained and applying changes as they happen in the master project," Cashdollar wrote. "Also, there is no way to determine where the forked projects are being used in production environments if they're being used in such a way. Moreover, older versions of the project were also vulnerable to the file upload issue, going back to 2010."
Although Cashdollar has credit for discovering the jQuery plugin vulnerability (CVE-2018-9206), it seems to have been an open secret as YouTube videos going back to 2015 show how to exploit the flaw.
"I suspected this vulnerability hadn't gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable," Cashdollar wrote. "There are a few Youtube (sic) videos demonstrating the attack for similar software packages."
Tschan patched the plugin in version 9.22.1, but because of the number of forks and other products using the plugin, it's unclear how many other vulnerable programs still exist.