cbcvebase.
CVE-2018-9206
published 2018-10-11

CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

Priority P1 · 93 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.11% (99.9th percentile)

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| blueimp | blueimp_jquery-file-upload | unspecified – 9.22.0 | |
| debian | libjs-jquery-file-upload | < libjs-jquery-file-upload 9.25.0-1 (bookworm) | libjs-jquery-file-upload 9.25.0-1 (bookworm) |
| jquery_file_upload_project | jquery_file_upload | <= 9.22.0 | |

Detection & IOCs (extracted from sources)

path: /jquery-file-upload/server/php/index.php
path: /server/php/upload.class.php
path: /server/php/UploadHandler.php
path: /example/upload.php
path: server/php/index.php
command: curl -F "[email protected]" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
command: curl -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}"
yara
id: CVE-2018-9206
http:
- raw:
  - POST {{path}} HTTP/1.1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
    ------WebKitFormBoundary{{randstr}}
    Content-Disposition: form-data; name="files[]"; filename="{{filename}}.php"
    Content-Type: application/x-php
matchers:
- type: dsl
  dsl:
  - "contains(body, '{{md5(hash)}}')"
  - "status_code == 200"
  condition: and
  • Look for multipart/form-data POST requests uploading .php files to known jQuery File Upload handler paths (server/php/index.php, example/upload.php, php/index.php, server/php/UploadHandler.php, server/php/upload.class.php). The Content-Disposition header will contain filename="*.php" and Content-Type: application/x-php.
  • After upload, attackers probe for the uploaded PHP webshell under the /files/ subdirectory relative to the upload handler path (e.g., GET /server/php/files/<filename>.php). Monitor for GET requests to these paths returning HTTP 200.
  • The exploit uses a distinctive User-Agent string. Correlate HTTP logs for this UA combined with POST requests to jQuery File Upload handler paths.
  • The vulnerability is triggered because Apache 2.3.9+ ignores .htaccess files in the upload directory when AllowOverride is set to None, allowing PHP files to be executed. Check Apache configuration for AllowOverride None in directories served by the jQuery File Upload plugin.
  • The exploit script probes for bower.json and package.json to fingerprint the plugin version before exploitation. Monitor for sequential GET requests to bower.json or package.json followed by POST to upload handler paths.
  • The exploit also checks for index.html to detect the plugin's GUI. Monitor for GET requests to /index.html that contain 'jquery file upload' in the response, followed by upload attempts.
  • The vulnerability is only exploitable on Apache web servers running version 2.3.9 or later where AllowOverride is set to None (or equivalent), causing the plugin's .htaccess security restrictions to be ignored. Servers with AllowOverride All or explicit directory restrictions may not be exploitable via this path.
  • Over 7,800 forks of the jQuery File Upload plugin on GitHub are likely also vulnerable. Detection and patching efforts must account for forked/derivative implementations, not just the canonical blueimp repository.
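
The correlation described in the first two detection bullets (a POST to an upload handler path, then a GET for a .php file under that handler's files/ directory returning 200), as an added example that is not part of the original page or of any project's code. It assumes Apache combined-format access logs and same-client correlation; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Upload handler paths named on this page, matched as URL path suffixes.
HANDLERS = ("server/php/index.php", "example/upload.php", "php/index.php",
            "server/php/UploadHandler.php", "server/php/upload.class.php")
# Apache combined log format: client, method, request path, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def upload_dir(path):
    """Return the directory of a known upload handler, else None."""
    path = path.split("?", 1)[0]
    if any(path.endswith("/" + h) for h in HANDLERS):
        return path.rsplit("/", 1)[0] + "/"
    return None

def find_webshell_hits(lines):
    """Return (client, post_path, get_path) tuples: a client POSTs to a handler,
    then fetches a .php file under that handler's files/ directory with a 200."""
    posted = defaultdict(dict)  # client -> {handler directory: POST path}
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        client, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if method == "POST" and status == "200" and upload_dir(path):
            posted[client][upload_dir(path)] = path
        elif method == "GET" and status == "200" and path.lower().endswith(".php"):
            for directory, post_path in posted[client].items():
                if path.startswith(directory + "files/"):
                    hits.append((client, post_path, path))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Oct/2018:10:00:01 +0000] "GET /jQuery-File-Upload/package.json HTTP/1.1" 200 512 "-" "ExampleUA/1.0"',
    '198.51.100.7 - - [11/Oct/2018:10:00:02 +0000] "POST /jQuery-File-Upload/server/php/index.php HTTP/1.1" 200 301 "-" "ExampleUA/1.0"',
    '198.51.100.7 - - [11/Oct/2018:10:00:03 +0000] "GET /jQuery-File-Upload/server/php/files/a1b2.php HTTP/1.1" 200 33 "-" "ExampleUA/1.0"',
    '192.0.2.10 - - [11/Oct/2018:10:05:00 +0000] "POST /app/server/php/index.php HTTP/1.1" 200 290 "-" "ExampleUA/1.0"',
    '192.0.2.10 - - [11/Oct/2018:10:05:01 +0000] "GET /app/server/php/files/photo.jpg HTTP/1.1" 200 40213 "-" "ExampleUA/1.0"',
]

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print("possible webshell access:", hit)
```

Correlating on client address misses an upload and a fetch made from different addresses, so treat an empty result as inconclusive rather than clean.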

CVSS provenance

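| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |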