Security Affairs
Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Thousands of applications affected by a zero-day issue in jQuery File Upload plugin

A security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, that affects older versions of the jQuery File Upload plugin since 2010. Attackers can exploit the vulnerability to carry out several malicious activities, including defacement, exfiltration, and malware infection. The flaw was reported by the Akamai researcher Larry Cashdollar, he explained that many other packages that include […]

jQuery File Upload plugin

A security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, that affects older versions of the jQuery File Upload plugin since 2010.

Attackers can exploit the vulnerability to carry out several malicious activities, including defacement, exfiltration, and malware infection.

The flaw was reported by the Akamai researcher Larry Cashdollar, he explained that many other packages that include the vulnerable code may be affected.

“This package has been included in various other packages and this code included in the projects web accessible path. It’s actively being exploited in the wild,” the researcher told the plugin author.

The jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.”

The plugin is widely adopted by numerous server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

The files were uploaded to the files/ directory in the root path of the webserver, so the expert wrote a command line test with curl and a simple PHP shell to confirm that it was possible to upload a web shell and run commands on the server.

$ curl -F “files=@shell.php” http://example.com/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php $cmd=$_GET[‘cmd’]; system($cmd);?>

“A browser connection to the test web server with cmd=id returned the user id of the web server’s running process.   I suspected this vulnerability hadn’t gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable.  There are a few Youtube videos demonstrating the attack for similar software packages.” wrote the expert

Evert project that leverages the plugin is potentially affected, the researcher pointed out that there are a few Youtube PoC videos demonstrating the exploitation of the attack for similar software packages.

Cashdollar also published a proof-of-concept (PoC) code.

The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a director) and to prevent users from overriding security features that were configured on the server.

The side effect is that the technical choice left some developers and their projects open to attacks.

In order to address these changes and correct the file upload vulnerability in CVE-2018-9206 in Blueimp, the developer only allows file uploads to be of a content-type image.

“The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure.  If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them.” concludes the expert.

“For software developers reviewing changes to the systems and libraries you rely on during the development of your project is a great idea as well.  In the article above a security control was removed by Apache it not only removed a security control for Blueimp’s Jquery file upload software project but most of all of the forked code branches off of it.  The vulnerability impacted many projects that depend on it from stand-alone web applications to WordPress plugins and other CMSs.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-9206, jQuery File Upload plugin )

[adrotate banner=”5″]

[adrotate banner=”13″]