jQuery File Upload Plugin Vulnerability

The big news this week is the discovery of an exploit in the jQuery File Upload plugin, which is the second most downloaded jQuery-related project on Github — behind the jQuery JavaScript library.

Now that CVE-2018-9206 has released, the plugin is out of Zero-Day status, but that doesn't mean that the damage is mitigated. Thousands of projects use jQuery File Upload, including some of the major content management systems (CMS.) So far, the extent of the vulnerabilities reach is unknown, but this long-held hacker secret shows that the perceived safety of popularity isn't justified, and usually these superstar status plugins are some of the first to get hit by hackers.

Let's take a look at the aftermath of this uncovered vulnerability that went undiscovered for over 3 years, and uncover its far-reaching impacts on content management systems and plugins.

A Bug Introduced 8 Years Ago

To say that jQuery File Upload is a popular WordPress plugin is an understatement, but it’s not just WordPress that is being affected by this bug The project has been forked (used) over 7,800 times, which means that there are nearly eight thousand applications that are relying on its framework — a framework that has been vulnerable for over 8 years.

Lawrence Cashdollar, whose team originally found the vulnerability, claims that the problem originated 8 years ago (Apache version 2.3.9) when .htaccess files were disabled by default in order to improve performance. Unfortunately, jQuery File Upload uses .htaccess for its security implementation. At this current point in time, the issue has been resolved in the latest version of jQuery File Upload, but everyone who used the plugin will have to jerry-rig their own fixes or risk remaining vulnerable. This exploit is at danger level red. There are tons of applications that use jQuery upload as their file uploader, so it's a critically dangerous exploit.

Here's the real kicker, this exploit is so old that YouTube videos from 2015 have popped up literally detailing the process, which allows hackers to upload malware and run shell commands on victim's servers.

Let's say that again. There have been YouTube videos detailing the vulnerability for 3 years. We found a few that had dates ranging from 2015 to 2018 with a quick Google search. Who knows how long smaller hacker circles have known about the exploit.

We aren't going to shift blame to anyone, but we will say that this shows a major disconnect between cybersecurity elements across the internet and hackers. How it is that hackers were able to continue abusing a long-standing highly-reputable plugin like jQuery File Upload (which is one of the, if not the, most starred GitHub projects of all-time,) without cybersecurity elements detecting it seems insane. It also shows us that YouTube and other public sources are great places to find current exploits. The hackers aren't just hiding on dark web forums; they're everywhere.

This is a great example of how popularity and mass appeal do not make things less vulnerable — they usually have the opposite effect.

Check out Cashdollar's blog post detailing the exploit here.

Who's Impacted by the Vulnerability?

"I've done some testing against the 1000 forks of the original code and it seems only 36 were not vulnerable." - Lawrence Cashdollar, Security Researcher, Akamai's SIRT

When it comes to the number of applications that are vulnerable, the number is high. We do know that WordPress has a jQuery File Upload reliance, which has caused it numerous issues in the past. In fact, the current tech support scam (Link to Tech Support Article) that's rampaging through WordPress has a jQuery attack vector that's being heavily abused.

What we're going to see — as far as CMSs are concerned — are lingering vulnerabilities for years to come. WordPress has so many third party elements driving it forward that finding all of the ones that relied on jQuery File Upload is going to take some time. Of course, the main issue here is that many of the developers that work on 3rd party WordPress projects may be unaware of the vulnerability and continue to ship these hacker-loved plugins.

Of course, WordPress isn't the only CMS that has a major cybersecurity battle ahead, Drupal is also looking at some significant security issues — which isn't good timing considering the major remote code execution vulnerability that they just faced.

Needless to say, content management systems are going to have a field day finding all of these leaky holes, and we'll be watching for the fallout. Expect a multi-year hackathon coming off of this issue, especially now that it's all over the news.

This exploit is an example of the spider-web impact that a vulnerability can have. Since so many developers rely on GitHub projects for their framework, one exploit can impact thousands of applications, which is exactly what we're seeing.

How to Tell if Your Application is Vulnerable

For website owners, the issue is a little beyond your scope of expertise. Any fixes — at least permanent ones — are going to have to come from the developer's side.

For now, Cashdollar released a proof-of-concept that developers can download on GitHub. It should run a simple exploit on your server and check to see if it contains any vulnerabilities by attempting to upload a simple shell command.

For developers, it's important that you find a way to patch this critical issue.