Comment Author of jQuery File Upload here (Score 1) 44

I've written a comment with some background information on Hacker News: https://news.ycombinator.com/i...

Copying the content here for ease-of-use:

The vulnerability is a combination of Apache v.2.3.9's default setting to not read .htaccess files and my mistake of relying on .htaccess to enforce security of the sample PHP upload component.

To give you some context on how this could happen:

  • As the project name implies, this started as a client-side jQuery plugin, with a dummy PHP script to echo out the uploaded file
  • Over time, I added a couple of sample server-side upload components, including two for Google App Engine (Python + Golang) - which I used for the demo - and one for PHP, which I never used myself in production
  • I used the PHP component for local tests with various possible file uploads, including very large files and chunked uploads, which required enabling all file types for upload. My thinking was that allowing all file types for upload is not critical as long as the handling of those files is properly configured.
  • Prior to adding the .htaccess file, I mistakenly assumed developers would configure their Apache server themselves so that no PHP scripts would be executed in the uploads folder. It was only added in this commit: https://github.com/blueimp/jQu...
  • The Apache servers I tested with always had support for .htaccess enabled, so I never bothered to check that the default Apache configuration since version 2.3.9 actually disabled it
  • The original .htaccess configuration didn't even prevent script execution in all Apache configurations and had to be fixed, see: https://github.com/blueimp/jQu...

Looking back, there are a couple of things that I should have done differently:

  • Move out the server-side components into separate repositories
  • Inform users better about file upload security - see https://github.com/blueimp/jQu...
  • Never assume people actually read information about security
  • Never rely on .htaccess for security configurations in Apache
  • Make sure that published code is secure in all default configurations
  • Never allow all file types for upload by default, even if it is secure in your configuration
  • Recommend users to not upload files in the same root as their executable web application
  • Always follow security best practices, even if it makes setup for users more difficult

I wanted to make it really simple for users to install a generic and secure file upload service with a great user interface. Unfortunately, security best practices and ease-of-use are often at odds with each other.

Bonus info:
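The failure described in the comment above (an uploads folder whose .htaccess is never read because Apache 2.3.9+ defaults to `AllowOverride None`) is avoided by putting the restriction in the server configuration itself, where it applies regardless of the override setting; the following vhost fragment is an added example, not the jQuery File Upload project's own configuration. It assumes a hypothetical upload directory of /var/www/html/files and PHP loaded as mod_php7; adjust the module name for your PHP version.

```apache
# Added example (not blueimp's code). Assumed upload directory: /var/www/html/files
#
# Since Apache 2.3.9 the default is "AllowOverride None", so a .htaccess
# dropped into the uploads folder by an application is silently ignored.
# A <Directory> block in the server config always applies.
<Directory "/var/www/html/files">
    # State explicitly that nothing in this tree may be overridden per-directory.
    AllowOverride None

    # No listings, no CGI, no server-side includes.
    Options -Indexes -ExecCGI -Includes

    # Serve every file as a static download; never hand it to a script handler.
    SetHandler default-handler
    ForceType application/octet-stream

    # Defence in depth: refuse to serve anything with a PHP-style extension at all,
    # so a renamed shell is not reachable even if a handler mapping slips through.
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>

    # With mod_php the engine can be switched off for this tree only
    # (module name assumed; it is mod_php5.c / mod_php.c on other versions).
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>

    # Stop browsers from rendering uploaded HTML/SVG inline or sniffing types.
    <IfModule mod_headers.c>
        Header set Content-Disposition attachment
        Header set X-Content-Type-Options nosniff
    </IfModule>
</Directory>
```

A quick check after reloading: `apachectl -t` to validate syntax, then request a harmless test file from the uploads path and confirm it comes back as an attachment download rather than executed output.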
