0-Day in jQuery Plugin Impacts Thousands of Applications
#1
Quote: Thousands of projects are possibly impacted by a jQuery File Upload plugin vulnerability that has been actively exploited in the wild, a security researcher has discovered.

jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.” The plugin works with a broad range of server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

While analyzing the package’s source, Cashdollar discovered two PHP files named upload.php and UploadHandler.php, which contained the file upload code. Files were saved to the files/ directory in the web server's root path, and the researcher was able to leverage this to upload a web shell and run commands on the server.
“A browser connection to the test web server with cmd=id returned the user id of the web server's running process,” the researcher notes.

Source: https://www.securityweek.com/0-day-jquer...plications
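As an added defender-side example (not code from the post, the article or the plugin): a small Python scanner over constructed access-log lines that flags requests for server-side scripts under the plugin's files/ upload directory, which is the web-shell pattern the article describes. The Common Log Format, the /files/ path and the script-extension list are assumptions.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit, parse_qs
# Constructed sample access-log lines (Common Log Format); not taken from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2018:10:01:02 +0000] "POST /server/php/upload.php HTTP/1.1" 200 512
203.0.113.5 - - [18/Oct/2018:10:01:09 +0000] "GET /files/shell.php?cmd=id HTTP/1.1" 200 1024
198.51.100.7 - - [18/Oct/2018:10:02:30 +0000] "GET /files/photo.jpg HTTP/1.1" 200 20480
198.51.100.9 - - [18/Oct/2018:10:04:00 +0000] "GET /index.php?cmd=help HTTP/1.1" 200 2048
203.0.113.5 - - [18/Oct/2018:10:05:11 +0000] "GET /files/old.php HTTP/1.1" 403 199
"""

# Assumptions: uploads land in /files/ under the web root (the directory named in the
# report) and nothing legitimately stored there is a server-side script.
UPLOAD_DIR = "/files/"
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".jsp", ".asp", ".aspx"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target, status):
    """Reasons a request looks like abuse of the upload directory (empty if none)."""
    url = urlsplit(target)
    reasons = []
    if not url.path.startswith(UPLOAD_DIR):
        return reasons
    if PurePosixPath(url.path).suffix.lower() in SCRIPT_EXT:
        # A script living under the upload directory is the web-shell pattern in the report.
        reasons.append("server-side script under upload directory")
        if status == "200":
            reasons.append("served with HTTP 200, i.e. not blocked by the server")
        if "cmd" in parse_qs(url.query):
            reasons.append("carries a cmd= parameter")
    return reasons

def scan(log_text):
    """Return (ip, path, reasons) for every suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF
        reasons = classify(m["target"], m["status"])
        if reasons:
            findings.append((m["ip"], urlsplit(m["target"]).path, reasons))
    return findings

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

A 403 on a script under the upload directory still gets reported, since the upload itself succeeded even if execution was blocked.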