jQuery-File-Upload is the second most starred jQuery project on GitHub, after the jQuery framework itself. The project was recently reported to have a three-year-old arbitrary file upload vulnerability, which was fixed in the release of v9.22.2. During the VulnSpy team's review of the code, another serious command execution issue was found: an attacker can execute arbitrary system commands simply by uploading a malicious image file.
Notice: the old title (jQuery-File-Upload <= 9.x Remote Code Execution) was somewhat misleading, because this is not an RCE in jQuery-File-Upload itself. jQuery-File-Upload does, however, make it easier to exploit, and this issue is arguably more dangerous than the previous RCE: not everybody deploys the example code, but everybody who uses the PHP server component must use UploadHandler.php.
By default, the Imagick extension is used to verify uploaded images in jQuery-File-Upload's server-side handler, /server/php/UploadHandler.php:
Several serious security vulnerabilities in ImageMagick have been disclosed in recent years:
- More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
- CVE Request - multiple ghostscript -dSAFER sandbox problems
- CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename
Therefore, because every upload is handed to ImageMagick for verification, the vulnerability can be exploited directly by uploading an image file that contains malicious code. The VulnSpy team has provided an online lab environment; you can reproduce this vulnerability at the following address.
Online Environment: https://www.vulnspy.com/en-jquery-file-upload-below-v9.x-rce/
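The root cause above is that ImageMagick (and therefore the Imagick extension) chooses its coder from the leading bytes of the file, not from the extension the client supplied, so a file named avatar.jpg that starts with "%!PS" goes to Ghostscript and one that starts with "push graphic-context" goes to the MVG coder. As an added example (not code from the original post or from the jQuery-File-Upload project), here is a content sniffer that accepts only raster containers it can positively identify, rejects script-like inputs before they reach ImageMagick, refuses filenames that ImageMagick itself gives meaning to (a leading "|" is popen()ed, as in the issue listed above), and requires the extension to match the real content. It is written in Python so it can be run stand-alone; the same checks belong in UploadHandler.php before the Imagick call. The signature tables, the sample uploads and the function names are constructed for this example.

```python
"""Added example: default-deny content sniffing for uploaded "images".

Everything here (signature tables, sample uploads, function names) is
constructed for illustration; it is not part of jQuery-File-Upload.
"""
import re
from typing import Tuple

# Raster containers that are acceptable to hand to an image library.
SAFE_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
)

# Signatures ImageMagick routes to coders that *interpret* their input
# (PostScript/Ghostscript, PDF, SVG/MSL XML, MVG drawing commands). They are
# listed only so a rejection can name the coder; anything not in SAFE_MAGIC
# is rejected regardless. Text signatures are lower-case because ImageMagick
# compares them case-insensitively and we lower-case the input below.
DANGEROUS_MAGIC = (
    (b"%!ps", "ps"),
    (b"\xc5\xd0\xd3\xc6", "eps"),          # DOS EPS binary header
    (b"%pdf", "pdf"),
    (b"<?xml", "xml (svg/msl)"),
    (b"<svg", "svg"),
    (b"push graphic-context", "mvg"),
    (b"viewbox", "mvg"),
)

# Which extensions are allowed to carry which real content.
EXTENSIONS = {
    "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"},
    "bmp": {"bmp"}, "webp": {"webp"},
}

# A leading "|" is popen()ed by old ImageMagick, a leading "@" reads a list of
# files, and "fmt:" selects a coder explicitly. Keep names boring.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}$")


def safe_filename(name: str) -> bool:
    return bool(FILENAME_RE.match(name))


def sniff_image(data: bytes) -> Tuple[str, bool]:
    """Return (detected_format, allowed) for an uploaded file body."""
    # WebP is RIFF-framed: "RIFF" <size> "WEBP".
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp", True
    for magic, fmt in SAFE_MAGIC:
        if data.startswith(magic):
            return fmt, True
    # Skipping leading whitespace only makes the check stricter.
    head = data[:64].lstrip(b" \t\r\n").lower()
    for magic, fmt in DANGEROUS_MAGIC:
        if head.startswith(magic):
            return fmt, False
    return "unknown", False


def check_upload(name: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be passed to the image library."""
    if not safe_filename(name):
        return False, "filename rejected"
    fmt, ok = sniff_image(data)
    if not ok:
        return False, f"content rejected ({fmt})"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in EXTENSIONS[fmt]:
        return False, f"extension .{ext} does not match content ({fmt})"
    return True, fmt


# Constructed sample uploads: two genuine images and four disguised payloads.
SAMPLE_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 8,
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    # PostScript disguised as a JPEG: ImageMagick would hand this to Ghostscript.
    "avatar.jpg": b"%!PS-Adobe-3.0\n/payload { } def\nshowpage\n",
    # MVG drawing commands disguised as a PNG.
    "banner.png": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    # A genuine GIF whose extension lies.
    "pic.jpg": b"GIF89a\x01\x00\x01\x00",
    # Leading pipe in the filename (the popen() issue) with valid PNG content.
    "|id.png": b"\x89PNG\r\n\x1a\n",
}


def scan_uploads(uploads=SAMPLE_UPLOADS):
    return {name: check_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (ok, reason) in scan_uploads().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name}: {reason}")
```

This is a pre-filter, not a substitute for fixing ImageMagick: the complementary server-side control is a policy.xml that disables the PS, EPS, PDF, XPS, MVG, MSL and TEXT coders (the first item in the list above), and where the application only needs thumbnails, pointing UploadHandler.php at GD instead of Imagick removes ImageMagick from the upload path entirely.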
In the file /server/php/UploadHandler.php, change