JQuery File Upload Flaw Highlights Security Challenges with Code Reuse

A serious remote code execution vulnerability in a popular jQuery widget turned out to have widespread implications, as the code has been forked, modified and used in thousands of other projects.

The use of third-party libraries and components in development projects is extremely common, with estimates that more than 80 percent of any modern application consists of open source code copied from other projects.

Security researchers have long warned that if this practice is not combined with strong vulnerability tracking and management policies, the resulting applications can become rife with unpatched vulnerabilities. Unfortunately, studies have shown that few developers and companies keep “bills of materials” for their projects, so most of them don’t know which versions of third-party components have been used in their apps.

The recent vulnerability in the jQuery File Upload plug-in, CVE-2018-9206, was found by Akamai researcher Larry Cashdollar and allows attackers to upload web shells and execute malicious commands on web servers. The flaw is the result of Apache disabling support for .htaccess files by default, a change that silently nullified the security controls the plug-in relied on.

The problem extends way beyond a jQuery-based project because the widget’s code was forked more than 7,800 times on GitHub alone.

“So far, I have found that the code has been packaged for Debian and Ubuntu,” Cashdollar said in a follow-up blog post Oct. 30. “The maintainers of both Linux flavors have already patched the vulnerable code, so any developers using those packages can upgrade them with the package manager.”

“In addition, a fork of the Blueimp project provides a jQuery-File-Upload docker image,” he added. “When installing the docker image, it currently pulls the latest code down from Blueimp’s GitHub repository. However, if you’ve got this docker container running, you should rebuild it to grab a patched version of the software.”

With the help of other researchers, Cashdollar identified more software products that are built on top of the vulnerable plug-in, such as Responsive FileManager, which has also been notified and released a patch.

But the rabbit hole goes deeper than that. The researcher downloaded 1,000 of the widget’s forks from GitHub and tested how much they differ from the original. He found 15 different versions of UploadHandler.php and 23 different variations of upload.class.php, two files that are part of the plug-in.

This suggests that some developers modified the original code, but when he tested the 1,000 instances, 970 of them were directly vulnerable, and a few others were also vulnerable after minor tweaks and modifications to the exploit.

Cashdollar is working with GitHub’s support team to find a way to notify the owners of the 7,800 jQuery File Upload forks and to encourage them to patch their code.

Unfortunately, despite these commendable efforts to notify affected projects, this is the kind of vulnerability that will linger on for a very long time. Various flaws that were found years ago in popular image processing libraries, galleries and other web-based components are still exploited to this day.

“I hope the media coverage will help software developers and project owners to check their own code not only for the use of Blueimp’s jQuery-File-Upload but also the reliance on .htaccess as a security control,” Cashdollar said. “My concern is that there are other software projects out there that are relying on .htaccess to protect them when that security control is no longer the default.”

Starting with version 2.3.9, released in 2013, the Apache maintainers disabled support for .htaccess by default to improve performance and prevent users from overriding security features that were configured on the server.
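The practical lesson of the story is that a control living in .htaccess is only as good as the AllowOverride setting that governs its directory. The following is an added example, not code from the article or from the jQuery-File-Upload project: a small audit script that resolves, for a given upload directory, which `<Directory>` block in an Apache configuration wins and whether its .htaccess file would be read at all. The configuration text and the directory paths are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed httpd.conf fragment (not from the article). Since Apache 2.3.9 the
# shipped default is "AllowOverride None", so a plug-in that drops an .htaccess
# into its upload directory gets no protection unless a more specific
# <Directory> block re-enables overrides. The durable fix is to move such rules
# into the server configuration itself rather than to rely on .htaccess.
HTTPD_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www">
    AllowOverride None
</Directory>
<Directory "/var/www/legacy">
    AllowOverride All
</Directory>
"""

def parse_allow_override(conf: str) -> List[Tuple[str, str]]:
    """Return (directory, AllowOverride value) for every <Directory> block."""
    blocks = re.findall(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', conf, re.S)
    rules = []
    for path, body in blocks:
        m = re.search(r'^\s*AllowOverride\s+(.+?)\s*$', body, re.M)
        if m:
            rules.append((path.rstrip("/") or "/", m.group(1)))
    return rules

def htaccess_honoured(conf: str, directory: str) -> bool:
    """Apache applies <Directory> sections from shortest to longest path, so the
    most specific matching block decides; .htaccess is read only if its
    AllowOverride is something other than None."""
    best: Optional[Tuple[str, str]] = None
    for path, value in parse_allow_override(conf):
        prefix = path if path == "/" else path + "/"
        if directory == path or directory.startswith(prefix):
            if best is None or len(path) > len(best[0]):
                best = (path, value)
    if best is None:
        return False  # no block matched: compiled-in default is None (2.3.9+)
    return best[1].strip().lower() != "none"

def audit(conf: str, directories: List[str]) -> dict:
    """Map each directory that ships an .htaccess to whether it is enforced."""
    return {d: htaccess_honoured(conf, d) for d in directories}
```

Run `audit(HTTPD_CONF, ["/var/www/html/uploads"])` against a real configuration to see whether an upload directory's .htaccess is actually in force; a `False` result means the control is dead and must live in the server configuration instead.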

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42