[PoC Video] jQuery-File-Upload: A tale of three vulnerabilities – 10 minute mail

TL;DR Three vulnerabilities in the second most starred Javascript repository on Github which two of them are remote code execution and the third makes it possible to permanently delete any uploaded file made by jQuery-File-Upload. The latter is intended behaviour however our research suggests that user privacy is not respected as content can easily be viewed by external actors.

Disposable mail Crowdsource has been working with three vulnerabilities in jQuery-File-Upload submitted by our security researcher community, and now we’ve implemented these security tests in the Disposable mail tool. Our research found out that jQuery-File-Upload is included in several different platforms and not properly configured. The following Proof of Concept is of CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability and the remote code execution due to ImageTragick. Explanations of all three vulnerabilities follow.

CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability

This first vulnerability has been known for a few years, since 2015. But in 2018 a CVE was finally assigned and the vulnerability was brought to public attention as Thousands of Applications were vulnerable to RCE via jQuery File Upload. The open-source file upload widget, jQuery-File-Upload, is the second most starred Javascript repository on Github, after jQuery JavaScript Library itself. The core of CVE-2018-9206 is a vulnerability within the server configuration and PHP components of the technology and not Javascript. While a RCE in Javascript would be surprising, it’s not as surprising in PHP.

The vulnerability is due to the code relying on Apache’s .htaccess support. This is a way to restrict files being uploaded or executed on an Apache web server.

# The following directives prevent the execution of script files
# in the context of the website.
# They also force the content-type application/octet-stream and
# force browsers to display a download dialog for non-image files.
SetHandler default-handler
ForceType application/octet-stream
Header set Content-Disposition attachment

# The following unsets the forced type and Content-Disposition headers
# for known image files:

ForceType none
Header unset Content-Disposition


<...>

The above .htaccess is included in jQuery-File-Upload and prior to version 9.22.0 it was the only protection against arbitrary file upload. The .htaccess files makes the browser download files with MIME application/octet-stream (for example PHP-files) instead of executing them in the context of the web server. This means that jQuery-File-Upload allowed any files to be uploaded, but not executed on the server, as they trusted the web server to make the check. After the patch, later versions have been changed so that the code checks the type of file being uploaded.

However, the problem is that Apache stopped to enable .htaccess support by default in version 2.3.9, making the only protection useless if not explicitly enabled. If another web server is in use (for example Nginx), there is no protection at all as .htaccess only works in Apache web server.

An attacker can simply upload any file and it will be handled by the web server. This leads to remote code execution as an attacker can upload PHP-files and execute them.

Remote code execution due to ImageTragick

The second jQuery-File-Upload vulnerability was also known within the hacking community for some years and was not publicly known until the technology started to get attention due to CVE-2018-9206, as more people started looking into jQuery-File-Upload’s code base. As the code makes use of ImageMagic, it may be possible to obtain remote code execution with GhostScript (CVE-2016-3714 AKA ImageTragick). This is demonstrated in the video.

An attacker can upload the following GhostScript saved with the whitelisted extensions; PNG, GIF or JPG.

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ping example.com) currentdevice putdeviceprops

The server will then execute the command ping example.com. Note that GhostScript will look a little bit different depending on the operating system and the ping command works in most environments, making our automatic tests very accurate to detect this vulnerability.

Note that this is a vulnerability in a library that jQuery-File-Upload uses, and not in the code itself.

An intentional but vulnerable feature

The third and last vulnerability found was an insecure direct object reference or IDOR vulnerability. One website owner responded that the issue was actually “intentional behaviour” but many users of jQuery-File-Upload may not know of the behaviour, making it risky to use.

Here’s why: The endpoint where files are uploaded to can be requested with GET and the server will respond with a JSON object containing all the previous uploaded files. This exposes the file names, upload path, thumbnail and whether it is possible to delete the file permanently from the server. The response will look something like:

{"files":[{"name":image.jpg","size":68549,"url":"http://example.com/image.jpg","thumbnailUrl":"http://example.com/thumbnail/image.jpg","deleteUrl":"http://example.com/server/php?file=image.jpg","deleteType":"DELETE"}

With this, a user can now view all the previous uploaded files by requesting the value in the url key. It is also possible to delete any file by sending the DELETE HTTP-method to the value in the deleteUrl key. This can easily be done with cURL:

curl -X DELETE http://example.com/server/php?file=image.jpg

When looking for websites using jQuery-File-Upload I came across a few cases where this “intentional behaviour” probably shouldn’t be “intentional”. One case was a dating site where users naturally uploaded images of themselves. By sending this request, I was able to view the whole user base of uploaded photos. In another case I was able to access all uploaded photos on a website which requires users to verify their identity by uploading a photo of their government ID or passport. I have reached out to Sebastian Tschan (the maintainer of jQuery-File-Upload) and all these websites which I found the vulnerability on.

Remediation

The first two issues have been fixed in the latest version of jQuery-file-upload, and we recommend to update the code to latest version as soon as possible. To remediate the the last vulnerability, you would restrict access to the endpoint where files are uploaded (usually server/php/index.php) if it is important that all the uploaded files should not be publicly viewable.

Do you use jQuery-File-Upload on your web applications and you’re not sure if you have secured the code? You can check the code with Disposable mail now. Just log in here. Not a customer yet? No problem! You can sign up for your account and free trial today.


 

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Disposable mail security updates for 13 December – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2018-14912: cgit Path Traversal

A vulnerability in cgit was recently made public by Google Project Zero. After getting it as a submission through Disposable mail Crowdsource we implemented it as a module. More information about the issue can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627

 CVE-2018-5006: Adobe AEM SSRF via SalesforceSecretServlet

Adobe AEM, also called Adobe Experience Manager, has previously had a few known vulnerabilities. Frans Rosén, one of our security advisors, has done a presentation on this here: https://www.youtube.com/watch?v=_j9ZEIodMDs

However, a new SSRF was released recently, which in addition to all the other research has been implemented to the scanner.

Apache Hadoop RCE

Read more about the story around this vulnerability here: https://securityaffairs.co/wordpress/77565/malware/hadoop-zero-day-exploit-leaked.html

jQuery-File-Upload related vulnerabilities

The last of the three! See the following blog post: https://blog.detectify.com/2018/12/13/jquery-file-upload-a-tale-of-three-vulnerabilities/

 

 

A few of the other things implemented…

  • CVE-2018-9845: Etherpad Authentication Bypass https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9845
  • Exposed Docker configuration file
  • Header-Based SSRF
  • URL-based Authentication Bypass

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Login to check your assets.

Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.