jQuery? More like preyQuery: File upload tool can be exploited to hijack at-risk websites

MatsSvensson

That other guy is an idiot

So, in conclusion:

1.) Someone wrote a piece of upload code that allows people to easily upload anything to a server, including executable .php files.

And the piece of the code that prevented any uploaded php to be executed, was in a .htaccess-file.

...and no one would be stupid enough to blindly fuck with the .htaccess-file to mess up security.

So we're all good here, right?

2.) Someone made a nice little improvement in the server-code, that turned off the use of .htaccess-files.

See, it all runs a little faster now!

...and no one would be stupid enough to just let anyone upload .php-files to your server anyway.

So we're all good here, right?

3.) Everyone and their uncle put the upload-code on servers running the server-code, and then updated the server-code with the fix that makes it run a little faster.

And no worries, because we're all good here, right?

...

A little time passed...

And then the world imploded, and the moon flew off into space.

And whose fault is it?

(All together now)

THE OTHER GUY!

(Or maybe jQuery? somehow? idk...)

Michael Strorm

Tonight I'm Gonna Party Like It's 1999

"the moon flew off into space. And whose fault is it?"

The person who decided it was okay to leave all that dangerously explosive nuclear waste on the far side.

Anonymous Coward

Re: That other guy is an idiot

So, as far as I can tell, and despite the main headline, the fault isn't with jQuery itself, but with someone else's plugin for it that happens to rely on server-side code as well?

Michael Wojcik
Silver badge

Re: That other guy is an idiot

the fault isn't with jQuery itself, but with someone else's plugin for it that happens to rely on server-side code as well

Correct. jQuery is crap (though it's much-improved crap, compared to early versions), but in this case the fault is divided between Sebastian Tschan / Blueimp (jQuery File Upload author and maintainer) and Apache.

I'm inclined to give the lion's share to Apache - disabling .htaccess in the default configuration was really stupid - but Blueimp is not free of blame either. They should be following changes in their dependencies.

Also, frankly, I am not impressed with a file-upload widget that relies solely on .htaccess for security. (And their "fix" is to restrict the widget to image-file types by default; also not impressive.)

Anonymous Coward

"dangerously explosive nuclear waste on the far side"

Shouldn't that have caused the Moon to crash into Earth, propelling it towards it (really a lot of waste, anyway)? What I really hate about Brit sci-fi of the late 60s-early 70s is the total lack of *science*.

Gene Cash
Silver badge

Larry Cashdollar

Wonder if we're related...?

Alister
Silver badge

Re: Larry Cashdollar

Do you have a British relative called Sterling?

Anonymous Coward

I understand now the name web....

Some sticky thin wires to keep it together, and a lot of holes inside...

Tom 38
Silver badge

Bait much?

jQuery != jQuery File Upload

bombastic bob
Silver badge
Flame

Re: Bait much?

I've always *HATED* JQuery [and everything associated with it] anyway. I bit the bait. Schadenfreude, I admit it. I still *HATE* JQuery.

(I wish doxygen would quit using it in generated output files - if there were an option to shut it off, I'd use it)

OldSoCalCoder

I followed the link by Mr. Cashdollar of Akamai to the Apache 2.4 docs. Maybe I'm missing something here, but the doc doesn't say that .htaccess isn't being used any more. It strongly suggests not using .htaccess files, but I don't see it saying 'this is no longer used'.

mosw

From what I see in the Apache 2.4 documentation (not sure about 2.3.9) support for .htaccess files is determined by the directives applied. So the story is really about bad server configuration rather than any specific problems with jQuery file upload plugin. Clearly the plugin documentation should emphasize that .htaccess support is required.

Claptrap314
Bronze badge
Flame

Turning off a security feature? WAT?

See, here's the thing. I'm a dev, not a DBA. I learned about .htaccess about 15 years ago for a project I was on at the time. OF COURSE, if I were to make a new project, I would re-read the docs. But in the back of my head, I already know about .htaccess. Do the current docs still have the warning about .htaccess going away? Are they prominent enough that my brain won't miss them?

Security is EVERYONE's job. If you do some ****** ** ******** like this, you've made my permanent **** list. The VERY least you can do is to check if the file is there, and refuse to continue if it's being ignored.

Asterisks because if Linux isn't permitted to call out radioactive waste for what it is, I'm certainly not.
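Two of the comments above make a concrete, checkable point: mosw notes that whether .htaccess is honoured depends on the directives in the server configuration (in Apache 2.4 that is AllowOverride, which defaults to None), and Claptrap314 argues that an upload handler should at least verify its .htaccess is present and refuse to run if the server is ignoring it. The following is an added example written for this discussion; it is not code from the thread, from Blueimp's plugin or from Apache. It assumes Apache 2.4 semantics (deepest matching `<Directory>` wins; `SetHandler`-style directives in .htaccess need `AllowOverride FileInfo` or `All`), uses two constructed httpd.conf fragments, and the function names are hypothetical. A deploy-time script would run such a check before enabling the upload directory.

```python
"""Pre-flight check: will the .htaccess in an upload directory actually be applied?

Added example, not part of the original thread. Assumes Apache 2.4 rules:
  * <Directory> sections are applied shortest path first, so the deepest match wins;
  * when no section sets AllowOverride, the 2.4 default is None (.htaccess ignored);
  * SetHandler / ForceType in .htaccess require AllowOverride FileInfo (or All).
"""
import re

# Constructed configuration fragments (not real production config).
# WEAK_CONF: the "runs a little faster" setup -- .htaccess is ignored everywhere,
# so a plugin that relies on .htaccess to stop PHP execution has no protection.
WEAK_CONF = """
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
"""

# SCOPED_CONF: .htaccess stays off site-wide, but the upload directory is
# explicitly granted the one override class its .htaccess needs.
SCOPED_CONF = """
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/files">
    AllowOverride FileInfo
</Directory>
"""

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.DOTALL | re.IGNORECASE)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.MULTILINE | re.IGNORECASE)


def directory_overrides(conf):
    """Map each <Directory> path to its AllowOverride tokens (None if the block sets none)."""
    result = {}
    for m in DIRECTORY_RE.finditer(conf):
        path = m.group(1).rstrip("/") or "/"
        ov = OVERRIDE_RE.search(m.group(2))
        result[path] = ov.group(1).split() if ov else None
    return result


def effective_override(conf, directory):
    """Effective AllowOverride tokens for `directory`: start from the 2.4 default
    (None) and let each matching section, shortest path first, override it."""
    directory = directory.rstrip("/") or "/"
    effective = ["None"]
    for path, tokens in sorted(directory_overrides(conf).items(), key=lambda kv: len(kv[0])):
        matches = directory == path or directory.startswith(path.rstrip("/") + "/")
        if matches and tokens is not None:
            effective = tokens
    return effective


def htaccess_honored(conf, upload_dir):
    """True only if a .htaccess in upload_dir can carry handler directives."""
    tokens = {t.lower() for t in effective_override(conf, upload_dir)}
    if "none" in tokens:
        return False
    return "all" in tokens or "fileinfo" in tokens


def upload_preflight(conf, upload_dir, htaccess_present):
    """The check Claptrap314 asks for: refuse to enable uploads unless the
    protective .htaccess exists AND the server will actually apply it."""
    if not htaccess_present:
        return False, "%s/.htaccess is missing" % upload_dir
    if not htaccess_honored(conf, upload_dir):
        return False, "AllowOverride is %s for %s: .htaccess will be ignored" % (
            " ".join(effective_override(conf, upload_dir)), upload_dir)
    return True, "ok: .htaccess present and honoured for %s" % upload_dir


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("scoped", SCOPED_CONF)):
        ok, reason = upload_preflight(conf, "/var/www/html/files", htaccess_present=True)
        print("%-6s -> %s (%s)" % (name, "ENABLE" if ok else "REFUSE", reason))
```

The parser is deliberately minimal (no Include handling, no `<DirectoryMatch>`); its purpose is to show that the decision hinges on the effective AllowOverride for the upload directory, not on whether the file exists. In the scoped variant the site keeps the faster `AllowOverride None` default and grants only `FileInfo` to the one directory that needs it, which is the smaller privilege than flipping `All` back on globally.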
