0-Day in jQuery Plugin Impacts Thousands of Applications
#1
Quote:Thousands of projects are possibly impacted by a jQuery File Upload plugin vulnerability that has been actively exploited in the wild, a security researcher has discovered.

jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.” The plugin works with a broad range of server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

While analyzing the package’s source, Cashdollar discovered two PHP files named upload.php and UploadHandler.php, which contained the file upload code. Files were saved to the files/ directory in the web server's root path, and the researcher was able to leverage this to upload a web shell and run commands on the server.
“A browser connection to the test web server with cmd=id returned the user id of the web server's running process,” the researcher notes.

Source: https://www.securityweek.com/0-day-jquer...plications
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Adobe Acrobat Reader DC 2025.001.20467
Adobe Acrobat Read...harlan4096 — 06:11
GFYI [Official] CheckMAL's AppCheck Pro...
tweet CheckMAL Secu...dhruv2193 — 17:10
Introducing Advanced Chat Privacy: Enhan...
Introducing Advanc...harlan4096 — 11:49
Brave 1.77.101
Release Channel 1....harlan4096 — 11:48
Opera118.0.5461.60
Hello! We are h...harlan4096 — 11:47

[-]
Birthdays
Today's Birthdays
avatar (50)steakelask
avatar (44)Termoplenka
Upcoming Birthdays
avatar (50)Toligo

[-]
Online Staff
mjcn19's profile mjcn19

>