jQuery? More like preyQuery: File upload tool can be exploited to hijack at-risk websites

A serious vulnerability in a widely used, and widely forked, jQuery file upload plugin may have been exploited for years by hackers to seize control of websites – and is only now patched. Larry Cashdollar, a bug-hunter at Akamai, explained late last week how the security shortcoming, designated CVE-2018-9206, allows a …

  1. MatsSvensson

    That other guy is an idiot

    So, in conclusion:

    1.) Someone wrote a piece of upload code that allows people to easily upload anything to a server, including executable .php files.

    And the piece of the code that prevented any uploaded php to be executed, was in a .htaccess-file.

    ...and no one would be stupid enough to blindly fuck with the .htaccess-file to mess up security.

    So we're all good here, right?

    2.) Someone made a nice little improvement in the server-code, that turned off the use of .htaccess-files.

    See, it all runs a little faster now!

    ...and no one would be stupid enough to just let anyone upload .php-files to your server anyway.

    So we're all good here, right?

    3.) Everyone and their uncle put the upload-code on servers running the server-code, and then updated the server-code with the fix, that makes it run little faster.

    And no worries, because we're all good here, right?

    ...

    A little time passed...

    And then the world imploded, and the moon flew off into space.

    And whose fault is it?

    (All together now)

    THE OTHER GUY!

    (Or maybe jQuery? somehow? idk...)

    1. Michael Strorm Silver badge

      Tonight I'm Gonna Party Like It's 1999

      "the moon flew off into space. And whose fault is it?"

      The person who decided it was okay to leave all that dangerously explosive nuclear waste on the far side.

      1. Anonymous Coward

        "dangerously explosive nuclear waste on the far side"

        Shouldn't that have caused the Moon to crash into Earth, propelling it towards it (really a lot of waste, anyway)? What I really hate about Brit sci-fi of the late 60s-early 70s is the total lack of *science*.

    2. Anonymous Coward

      Re: That other guy is an idiot

      So, as far as I can tell, and despite the main headline, the fault isn't with jQuery itself, but with someone else's plugin for it that happens to rely on server-side code as well?

      1. Michael Wojcik Silver badge

        Re: That other guy is an idiot

        the fault isn't with jQuery itself, but with someone else's plugin for it that happens to rely on server-side code as well

        Correct. jQuery is crap (though it's much-improved crap, compared to early versions), but in this case the fault is divided between Sebastian Tschan / Blueimp (jQuery File Upload author and maintainer) and Apache.

        I'm inclined to give the lion's share to Apache - disabling .htaccess in the default configuration was really stupid - but Blueimp is not free of blame either. They should be following changes in their dependencies.

        Also, frankly, I am not impressed with a file-upload widget that relies solely on .htaccess for security. (And their "fix" is to restrict the widget to image-file types by default; also not impressive.)
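Michael Wojcik's objection above is that the widget's only barrier against executing an upload was a .htaccess file. The following is an added example, not code from jQuery File Upload, Blueimp or the article: a hypothetical server-side validator (names such as `check_upload`, `save_upload` and the size limit are assumptions) that enforces the image-only policy in the handler itself, checks the file signature against the extension, rejects double extensions such as `shell.php.png`, and stores the upload under a server-chosen random name, so nothing about execution depends on what the web server does with .htaccess.

```python
"""Upload validation that does not depend on .htaccess (hypothetical helper)."""
import os
import secrets

# Allow-listed extensions and the magic bytes a file of that type must start with.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit for the example


class UploadRejected(ValueError):
    """Raised for any upload that fails the checks below."""


def check_upload(client_name: str, data: bytes) -> str:
    """Validate name and content; return the canonical extension to store under."""
    # Keep only the final path component; directories in the client name are noise.
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("empty or traversal name")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    # Exactly one extension: 'shell.php.png' would otherwise be executed by an
    # Apache AddHandler rule that matches .php anywhere in the name.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("missing or multiple extensions")
    ext = parts[1]
    if ext not in SIGNATURES:
        raise UploadRejected(f"extension .{ext} not allowed")
    # The content must look like the type the extension claims.
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    return "jpg" if ext == "jpeg" else ext


def stored_name(ext: str) -> str:
    """Server-chosen random file name; the client's name is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write the file non-executable and without overwriting."""
    ext = check_upload(client_name, data)
    name = stored_name(ext)
    path = os.path.join(upload_dir, name)
    # O_EXCL: never clobber an existing file; 0o600: not executable by anyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a PHP web shell.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("cat.png", png))
    for name, body in [("shell.php", b"<?php"), ("shell.php.png", png),
                       ("shell.png", b"<?php system($_GET['c']);")]:
        try:
            check_upload(name, body)
        except UploadRejected as e:
            print(f"rejected {name}: {e}")
```

The signature check is deliberately narrow (a few bytes of header); it is there to stop a PHP file wearing a `.png` name, not to fully parse images. The server-chosen name is the part that matters most: once the client no longer controls the extension, a handler misconfiguration on the server side has nothing to latch onto.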

  2. Gene Cash Silver badge

    Larry Cashdollar

    Wonder if we're related...?

    1. Alister

      Re: Larry Cashdollar

      Do you have a British relative called Sterling?

  3. Anonymous Coward

    I understand now the name web....

    Some sticky thin wires to keep it together, and a lot of holes inside...

  4. Tom 38

    Bait much?

    jQuery != jQuery File Upload

    1. bombastic bob Silver badge

      Re: Bait much?

      I've always *HATED* JQuery [and everything associated with it] anyway. I bit the bait. Schadenfreude, I admit it. I still *HATE* JQuery.

      (I wish doxygen would quit using it in generated output files - if there were an option to shut it off, I'd use it)

  5. OldSoCalCoder

    I followed the link by Mr. Cashdollar of Akamai to the Apache 2.4 docs. Maybe I'm missing something here, but the doc doesn't say that .htaccess isn't being used any more. It strongly suggests not using .htaccess files, but I don't see it saying 'this is no longer used'.

    1. mosw

      From what I see in the Apache 2.4 documentation (not sure about 2.3.9) support for .htaccess files is determined by the directives applied. So the story is really about bad server configuration rather than any specific problems with jQuery file upload plugin. Clearly the plugin documentation should emphasize that .htaccess support is required.

  6. Claptrap314 Silver badge

    Turning off a security feature? WAT?

    See, here's the thing. I'm a dev, not a DBA. I learned about .htaccess about 15 years ago for a project I was on at the time. OF COURSE, if I were to make a new project, I would re-read the docs. But in the back of my head, I already know about .htaccess. Do the current docs still have the warning about .htaccess going away? Are they prominent enough that my brain won't miss them?

    Security is EVERYONE's job. If you do some ****** ** ******** like this, you've made my permanent **** list. The VERY least you can do is to check if the file is there, and refuse to continue if it's being ignored.

    Asterisks because if Linux isn't permitted to call out radioactive waste for what it is, I'm certainly not.
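mosw's point (whether .htaccess is read at all is decided by the server's AllowOverride directives) and Claptrap314's (a deployment should not silently continue when its protection is being ignored) are both about the same configuration. The following is an added example, not a file from jQuery File Upload, Blueimp or Apache: an illustrative Apache 2.4 virtual host in two versions. Host names and paths are assumptions, and the no-execute rules shown are the kind of thing a per-directory .htaccess would carry, not a quotation of the plugin's file. The directives themselves (`AllowOverride`, `SetHandler`, `RemoveHandler`, `ForceType`, `Header`, `Require`, `php_admin_flag`) are standard Apache / mod_php directives.

```apache
# --- WEAK: the Apache 2.4 default. With AllowOverride None the .htaccess
# dropped into server/php/files is never read, so any no-execute rules in it
# are silently lost and an uploaded shell.php runs like any other script.
<VirtualHost *:80>
    ServerName weak.example.test
    DocumentRoot /var/www/html
    <Directory /var/www/html/server/php/files>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# --- FIXED: leave .htaccess disabled and put the protection in the main
# configuration, where a changed default cannot switch it off.
<VirtualHost *:80>
    ServerName fixed.example.test
    DocumentRoot /var/www/html
    <Directory /var/www/html/server/php/files>
        AllowOverride None
        Require all granted
        Options -ExecCGI -Includes

        # Every file goes to the static-file handler, never a script handler,
        # and the PHP extensions are unmapped in case a global AddHandler or
        # AddType rule reaches this directory.
        SetHandler default-handler
        RemoveHandler .php .phtml .phar
        RemoveType .php .phtml .phar

        # Refuse requests for script-looking names outright, whatever handler
        # a later-merged global <FilesMatch> (typical with php-fpm) would pick.
        <FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
            Require all denied
        </FilesMatch>

        # mod_php only: switch the engine off for this tree.
        <IfModule mod_php7.c>
            php_admin_flag engine off
        </IfModule>

        # Serve uploads as downloads and stop browsers from MIME-sniffing them.
        ForceType application/octet-stream
        <IfModule mod_headers.c>
            Header set Content-Disposition attachment
            Header set X-Content-Type-Options nosniff
        </IfModule>

        # Known image types may still be displayed inline.
        <FilesMatch "(?i)\.(gif|jpe?g|png)$">
            ForceType None
            <IfModule mod_headers.c>
                Header unset Content-Disposition
            </IfModule>
        </FilesMatch>
    </Directory>
</VirtualHost>
```

If a deployment must keep the rules in a .htaccess file, the minimum is `AllowOverride FileInfo` on that directory, since `SetHandler`, `ForceType`, `RemoveHandler` and `Header` all belong to the FileInfo override class; `php_admin_flag` cannot be set from .htaccess at all. Either way, `apachectl -t` only checks syntax, so the practical check is to upload a harmless file named like a script and confirm it comes back as a download (or a 403) rather than being executed.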
