Submission + - Zero-day in popular jQuery plugin actively exploited for at least three years (zdnet.com)

generic writes: For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned.

The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp.

The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

A vulnerability in this plugin would be devastating, as it could open gaping security holes in a lot of platforms installed in a lot of sensitive places.

This worst-case scenario is exactly what happened. Earlier this year, Larry Cashdollar, a security researcher for Akamai's SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers.

Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells.

The Akamai researcher says the vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016," the researcher told ZDNet in an interview.

The vulnerability was one of the worst kept secrets of the hacker scene and appears to have been actively exploited, even before 2016.

Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015.

It is pretty clear from the videos that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community.

But steps are now being taken to address it. The vulnerability received the CVE-2018-9206 identifier earlier this month, a good starting point to get more people paying attention.

All jQuery File Upload versions before 9.22.1 are vulnerable. Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe.

Cashdollar reported the zero-day to Blueimp at the start of the month, and the developer promptly looked into the report.

The developer's investigation identified the true source of the vulnerability not in the plugin's code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin's expected behavior on Apache servers.

The actual issue dates back to November 23, 2010, just five days before Blueimp launched the first version of his plugin. On that day, the Apache Foundation released version 2.3.9 of the Apache HTTPD server.

This version wasn't anything out of the ordinary, but it included one major change, at least in terms of security. Starting with this version, the Apache HTTPD server got an option that would allow server owners to ignore custom security settings made to individual folders via .htaccess files. This setting was made for security reasons, was enabled by default, and remained so for all subsequent Apache HTTPD server releases.

Blueimp's jQuery File Upload plugin was coded to rely on a custom .htaccess file to impose security restrictions to its upload folder, without knowing that five days before, the Apache HTTPD team made a breaking change that undermined the plugin's basic design.

"The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure," Cashdollar said in a report published today. "If one of these controls suddenly doesn't exist it may put security at risk unknowingly to the users and software developers relying on them."

Since notifying Blueimp about his discovery, Cashdollar has been spending his time investigating the reach of this vulnerability. The first thing he did was to look at all the GitHub forks that have sprouted from the original plugin.

"I did test 1000 out of the 7800 of the plugin's forks from GitHub, and they all were exploitable," Cashdollar told ZDNet. The code he's been using for these tests is available on GitHub, along with a proof-of-concept for the actual flaw.

At this article's publication, of all the projects derived from the original jQuery File Upload plugin, and which the researcher tested, only 36 were not vulnerable.

But there is still lots of work ahead, as many projects remain untested. The researcher has already notified US-CERT of this vulnerability and its possible impact. A next step, Cashdollar told ZDNet, is to reach out to GitHub for help in notifying all plugin fork project owners.

But looking into GitHub forks is only the first step. There are countless web applications where the plugin has been integrated. One example is Tajer, a WordPress plugin that Cashdollar identified as vulnerable. The plugin had very few downloads, and as of today, it has been taken off the official WordPress Plugins repository and is not available for download anymore.

Identifying all affected projects and stomping out this vulnerability will take years. As it's been proven many times in the past, vulnerabilities tend to linger for a long time, especially vulnerabilities in plugins that have been deeply ingrained in more complex projects, such as CRMs, CMSs, blogging platforms, or enterprise solutions.
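The design flaw described above is that the plugin's protection for its upload folder lived in an .htaccess file, while Apache httpd from 2.3.9 onward ships with AllowOverride None as the default, so that file is silently ignored unless the main configuration opts back in. The following configuration fragment is an added example, not code from the article, from Blueimp's plugin, or from Cashdollar's test tooling; it shows the weak pattern beside a hardened one that enforces the restrictions in the main server config, where they do not depend on .htaccess processing at all. The paths /var/www/html and /var/www/html/uploads are assumed placeholders.

```apache
# Added example (not the plugin's or the article's own configuration).
# Assumed layout: DocumentRoot /var/www/html, uploads stored under
# /var/www/html/uploads. Adjust to your server.

# Weak pattern: rely on an .htaccess file inside the upload directory.
# Since httpd 2.3.9 the default is "AllowOverride None", so every directive
# in that file is ignored unless the main config enables overrides here.
# Relying on it therefore requires an opt-in that most servers never make:
#
# <Directory "/var/www/html">
#     AllowOverride All
# </Directory>

# Hardened pattern: state the restrictions in the main server configuration.
# They take effect regardless of AllowOverride and cannot be undone by a
# file dropped into the upload tree.
<Directory "/var/www/html/uploads">
    # Keep the secure default: nothing in this tree is changed by .htaccess.
    AllowOverride None

    # Never execute uploaded content as a script, CGI, or server-side include.
    Options -ExecCGI -Includes -Indexes

    # Strip any handler or type mapping that could route a file to an
    # interpreter, then force the plain static-file handler for everything.
    RemoveHandler .php .phtml .phar .pl .py .cgi .shtml
    RemoveType .php .phtml .phar
    SetHandler default-handler

    # With mod_php loaded, also switch the engine off for this tree
    # (php_admin_flag cannot be overridden from .htaccess or ini_set).
    # PHP 8 registers the module as mod_php.c; PHP 7 as mod_php7.c.
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Serve uploads as opaque downloads so the browser never renders them
    # inline (mitigates HTML/SVG/JS uploads being used against other users).
    ForceType application/octet-stream
    <IfModule mod_headers.c>
        Header set Content-Disposition attachment
        Header set X-Content-Type-Options nosniff
    </IfModule>
</Directory>
```

After `apachectl configtest` and a restart, verify the effect on your own server: a file named `probe.php` containing only plain text, placed in the uploads directory, should come back from a GET request as an `application/octet-stream` download with its literal contents rather than being handed to PHP. Keeping the restriction in the main config also makes it visible in change review, whereas an .htaccess file inside a directory that the application writes to can be replaced by the very upload it is supposed to constrain.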

Submission + - PostgreSQL getting parallel query 1

iamvego writes: A major feature PostgreSQL users have requested for some time now is to have the query planner "parallelize" a query. Now, thanks to Robert Haas and Amit Kapila, this has materialized in the 9.6 branch. Robert Haas writes in his blog entry that so far it only supports splitting up a sequential scan between multiple workers, but should hopefully be extended to work with multiple partitions before the final release, and much more besides in future releases.

Comment Re:Self directed/managed teams are not new ... (Score 1) 327

This. There are a lot of people in the world who just want a paycheck, as opposed to trying to accomplish something and overcome a challenge. I work with mostly the latter, and it's made all the difference. Sometimes it gets weird, but for the most part we enjoy tackling each goal set before us. Sometimes you're the visionary, other times you're the drone just pushing someone else's idea through.

Comment Re:"What's the matter with your eyes, boy?" (Score 1) 112

Although your comment made me laugh, sometimes it's not that far from the truth. Trying to drive a car after an hour plus run can be a little dangerous sometimes. You can be all sorts of buzzy and distracted for well over an hour after it. From dehydration to exhaustion, there are all sorts of reasons driving can be a bad idea.
