Naked Security

Popular website plugin harboured a serious 0-day for years

The flaw in the popular file uploader allows an attacker to upload files and run their own command line shell on any affected server.

Every now and again security researchers stumble on the sort of bad security flaw that reminds us how innocuous-looking aspects of web development can suddenly turn dangerously hostile.
An unnerving example is a vulnerability that Akamai's Larry Cashdollar found earlier this year after encountering the hugely popular file upload plugin jQuery File Upload, which is used to add user-friendly upload features such as drag and drop to websites and web content management systems, including WordPress.
According to npm, the Node.js package registry, it is downloaded around 1.5 million times a week, which is not surprising given that it is used by thousands of third-party packages.
The disturbing part wasn't simply the flaw itself, which allows an attacker to upload files and run their own command line shell on any affected server, but that it is a zero-day that went unnoticed for so long.
The term zero-day is sometimes used loosely, but the strict definition is a vulnerability that is being exploited by cybercriminals and for which there is no patch.
In this case the exploitation seems to have been going on for years: a quick search turned up step-by-step videos (20,000+ views) dating back to 2015 showing how it could be done. How it stayed below the radar for so long, with public demonstrations in plain view, is a bit of a mystery.

Fixing a hole

When Cashdollar looked into the flaw more closely with developer Blueimp, it turned out that the uploader's server-side PHP script did not restrict uploads itself. Instead, it relied on an Apache per-directory configuration file, known as a .htaccess file, placed in the upload directory to stop uploaded files from being executed.
Website owners can use .htaccess to override aspects of the web server's default configuration. However, in November 2010 Apache 2.3.9 tightened the out-of-the-box configuration: the default for the AllowOverride directive changed from All to None, so .htaccess files are ignored unless an administrator explicitly re-enables them.
Somehow jQuery File Upload's reliance on a feature that had gone from being on by default to being off by default went unnoticed, and on any server running the newer default the uploader's only safeguard silently did nothing.
Concludes Cashdollar:

The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure. If one of these controls suddenly doesn't exist it may put security at risk unknowingly to the users and software developers relying on them.

The vulnerability, identified as CVE-2018-9206, is fixed in version 9.22.1, released on 13 October 2018, and later. The fix moves the check into the PHP handler itself, which now accepts only image files (gif, jpg, png) by default instead of relying on .htaccess.
Unfortunately, the sheer number of third-party plugins and larger projects that bundle jQuery File Upload, many of them carrying their own copy of the PHP handler, means that patching this issue will be a Sisyphean challenge.

Learning?

One observation is that jQuery File Upload should have enforced file upload security at the PHP level, where the plugin's authors controlled it, rather than relying on server functionality that might or might not be available.
The second is that assembling websites from many third-party parts, as modern development does, doesn't remove the need for someone, somewhere, to own the security of each part.
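The following is an added example, not code from the plugin or from Blueimp, of what enforcing the restriction in PHP looks like: the upload is gated by an extension allow-list and a content check, then stored under a server-chosen name outside the document root, so nothing depends on whether Apache honours .htaccess. The storage directory, the field name `file` and the function names are assumptions for the example.

```php
<?php
// Added example (not the plugin's code): enforce upload restrictions in PHP so
// they hold regardless of whether Apache honours .htaccess (AllowOverride None).
declare(strict_types=1);

// Allow-list keyed by extension. Mirrors the images-only default the fixed
// plugin adopted; the pre-fix default pattern (/.+$/i) accepted any file name.
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Return the extension to store the file under, or null to reject it.
 * $tmpPath is the temporary file PHP wrote ($_FILES[...]['tmp_name']);
 * $clientName is the attacker-controlled original file name.
 */
function validate_upload(string $tmpPath, string $clientName): ?string
{
    // Only the final extension decides: "shell.jpg.php" fails here, and
    // "shell.php.jpg" is stored as .jpg, which nothing below executes.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }

    // The bytes must match the claimed type. A text file named "x.png" that
    // contains <?php ... ?> is rejected here. This does not catch a polyglot
    // (a valid PNG with PHP appended), which is why the storage location and
    // permissions in store_upload() still matter after validation.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }

    return $ext;
}

/**
 * Store under a random server-chosen name, outside the document root, with no
 * execute bit. Nothing in $storageDir is reachable by URL, so a misconfigured
 * web server cannot be tricked into running what lands there.
 */
function store_upload(string $tmpPath, string $ext, string $storageDir): ?string
{
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses paths that were not produced by an HTTP upload.
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// Request handler. The storage directory is an assumption for this example:
// a sibling of the document root, created beforehand and writable by PHP.
$storageDir = dirname(__DIR__) . '/private_uploads';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $f = $_FILES['file'];
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        http_response_code(400);
        exit('upload failed');
    }
    $ext = validate_upload($f['tmp_name'], $f['name']);
    if ($ext === null) {
        http_response_code(415);
        exit('file type not allowed');
    }
    $stored = store_upload($f['tmp_name'], $ext, $storageDir);
    if ($stored === null) {
        http_response_code(500);
        exit('could not store file');
    }
    // Serve files later through a script that reads from $storageDir and sets
    // Content-Type from ALLOWED_TYPES; never expose the directory itself.
    header('Content-Type: application/json');
    echo json_encode(['stored' => basename($stored)]);
}
```

For defence in depth on Apache with mod_php, an administrator can also put `php_admin_flag engine off` inside the upload directory's `<Directory>` block in the main server configuration; unlike `php_flag` in a .htaccess file, `php_admin_flag` only takes effect there and cannot be switched off by an `AllowOverride` default.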


3 Comments

This is silly. jQuery File Upload is a client-side JavaScript utility; the issue is in a PHP file. PHP is a server-side language.
So yes, there is an issue, and yes it is interesting. But no, it's not something that affects everyone using this. It affects only people who were using it with a PHP backend which they implemented using the sample code provided on the file upload site and with the versions of Apache that had the security settings stripped out.

Thank you John1
This was very timely, as my colleague sent your article over recent Trustwave scans with jQuery version alerts.
K

I found this quite educational in a presumably unintended way 8¬)
“Sisyphean challenge”: From Sisyphus, from Ancient Greek Σίσυφος (Sísuphos). Sisyphus was a Greek mythological figure who was doomed to endlessly roll a boulder up a hill in Hades.
Whilst I remember the story I had forgotten the name. I obviously need to brush up on my Greek legends.
