Coalition continuously monitors our insureds for new risks which may affect their security.
CVE-2018-9206 documents an actively exploited, unauthenticated arbitrary file upload vulnerability in the blueimp jQuery File Upload plugin. Researcher Larry Cashdollar responsibly disclosed it to the plugin maintainer on October 9 2018, and it was disclosed publicly later that month, after the maintainer had released a fix.
Why do you care?
If exploited, this vulnerability lets an attacker upload arbitrary files to your server and then execute them by requesting them over the web. The plugin's sample PHP upload handler relied on an .htaccess file in the upload directory to stop Apache from executing uploaded files; since Apache 2.3.9 .htaccess files are ignored by default (AllowOverride None), so on such servers an uploaded PHP file simply runs. Those files could be backdoors, web shells, or anything else malicious.
For example, a web shell gives a threat actor command and control over your website, meaning they can completely control, read, or modify it. That kind of access is commonly used to steal information, host phishing kits that harvest other people's credentials, push ransomware to your customers, or hijack your server's resources to "mine" cryptocurrency (known as cryptojacking).
How to solve the problem
The short version:
- Upgrade to the latest version of jQuery File Upload. CVE-2018-9206 affects v9.22.0 and earlier; the maintainer's fix shipped in the next release, v9.22.1, so any release at or above that version contains it.
- Configure your web server so that nothing in the upload directory is ever executed. The plugin ships a sample Apache .htaccess that does this, but it only takes effect when AllowOverride permits it, so put the equivalent rules in the main server configuration where they cannot be silently ignored.
Again, if you're running a vulnerable version, failing to do both of these leaves attackers able to upload and execute files on your server.
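The following is an added example of the second step, not configuration from the original post or from the blueimp project. It puts the same kind of rules the plugin's sample .htaccess relies on into the main Apache configuration (httpd.conf or the virtual host), so they hold regardless of the AllowOverride setting and regardless of which plugin version is installed. The paths /var/www/html and /var/www/html/server/php/files are assumptions; adjust them to where your site actually stores uploads. It requires mod_mime and mod_headers, and Apache 2.4 syntax for Require.

```apache
# Added example (not from the original post or the blueimp project): harden the
# upload directory in the main Apache configuration so the protection does not
# depend on a per-directory .htaccess being honoured.
#
# Assumed layout: site root /var/www/html, uploads written by the plugin's
# sample PHP handler into /var/www/html/server/php/files.

<Directory "/var/www/html/server/php/files">
    # 1. Never hand a file in this directory to a script engine. Strip any
    #    handler or MIME type the server config attached to script extensions
    #    and force the plain static-file handler for everything.
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .pl .py .cgi .shtml
    RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phps .pl .py .cgi .shtml
    SetHandler    default-handler
    Options       -ExecCGI -Includes

    # 2. If PHP runs as an Apache module, switch the engine off here too.
    #    (The module name varies by PHP version; under php-fpm this block is
    #    simply skipped and step 1 already keeps .php files from being proxied.)
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>

    # 3. Do not let any .htaccess in this directory (including one an attacker
    #    manages to upload) re-enable anything.
    AllowOverride None

    # 4. Serve whatever is here as an opaque download, except the image types
    #    the upload widget is meant to accept, and stop browsers from sniffing
    #    a script out of an "image".
    ForceType application/octet-stream
    Header set Content-Disposition attachment
    Header set X-Content-Type-Options nosniff
    <FilesMatch "\.(?i:gif|jpe?g|png)$">
        ForceType None
        Header unset Content-Disposition
    </FilesMatch>

    # 5. Refuse to serve anything that is not one of those image types at all,
    #    so a dropped shell cannot even be fetched, let alone run.
    <FilesMatch "^(?!.*\.(?i:gif|jpe?g|png)$)">
        Require all denied
    </FilesMatch>
</Directory>
```

After adding this, run `apachectl configtest`, reload, and verify from outside: place a harmless `test.php` containing `<?php echo 'executed';` in the upload directory and request it. A hardened server returns 403 (or, if you drop step 5, the file's literal source as a download); a vulnerable one returns the word `executed`. Remove the test file afterwards. Note that this only controls what Apache does with files once they are on disk; upgrading the plugin is still required so the server-side handler stops accepting such files in the first place.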
What is jQuery?
jQuery is a widely used JavaScript library for manipulating web pages, handling events and making HTTP requests from the browser; many sites build their front-end widgets, including file uploaders, on top of it.
What is jQuery File Upload?
This very popular jQuery plugin (also referred to as jQuery File Uploader) creates a file upload widget with multiple file selection, drag & drop support, progress bars, validation, and previews of images, audio and video. It supports cross-domain, chunked and resumable uploads and client-side image resizing, and works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go, etc.) that accepts standard HTML form file uploads. The plugin also ships sample server-side upload handlers; the PHP one is the component affected by CVE-2018-9206.