Emerging Threat: Blueimp jQuery-File-Upload Crops Up Again

There is an arbitrary file upload vulnerability affecting jQuery File Upload Plugin in the wild. This code is routinely reused by other software, particularly within CMS plugins, and has a significant potential impact across a large range of target systems.

What is the nature of the threat?

This emerging threat (CVE-2018-9206) is due to an unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0. The jQuery file upload plugin is an upload widget. By default, the plugin has no disallowed file types. Hence a remote unauthenticated attacker could upload arbitrary files to the system.

An arbitrary file upload vulnerability allows unauthenticated attackers to upload any file to the victim server. This is likely to consist of webshells or malware. These malicious payloads could then be used to provide remote control over the victim host and allow further attacks (such as data exfiltration) or lateral movement on to other hosts in the network. This vulnerability allows attackers to eventually take over complete control of a vulnerable host once exploited.

Who does it impact?

This impacts any customer running software that incorporates the jQuery File Upload Plugin code from the GitHub project (or forks of it) before version 9.22.1. Thus far, there have been no public reports of specific businesses that have been affected by the threat.

How is Alert Logic protecting me?

Alert Logic customers should refer to the Alert Logic Knowledge Base for the most current information. Alert Logic has conducted a complete assessment of our infrastructure and our appliance. We have determined that we are not at risk. At this time:

  • Alert Logic Threat Manager, our IDS System, is able to detect this current threat. Signature and incident coverage have been in place since March 2018.
  • *UPDATED* Vulnerability scan with jQuery scan signatures is now available as part of Cloud Insight, Threat Manager, and Cloud Defender.
  • Web Security Manager Premier can detect and block this threat, but certain policies need to be in place to minimize false positives. Please reach out to your WSMP SOC analyst for additional information.

What should I do?

Check with software vendors and plugin providers whether they have implemented the code in software you currently use that is accessible from the public internet. Update to the latest versions. The code author (Blueimp) has provided a patch which restricts the file types that can be uploaded using the code.
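
To support that inventory step, the following added example (not Alert Logic or Blueimp code) walks a directory tree and flags copies of the plugin older than 9.22.1. It assumes each copy still ships its package.json with the name "blueimp-file-upload"; copies vendored into a CMS plugin without that manifest will not be found, so an empty result does not prove absence.

```python
import json
import os
import sys

FIXED = (9, 22, 1)  # first fixed release named in the advisory
PACKAGE = "blueimp-file-upload"  # assumed "name" field in the project's package.json


def parse_version(text):
    """Turn '9.22.0' or 'v9.22.0' into (9, 22, 0); None if it is not dotted numeric."""
    try:
        return tuple(int(part) for part in text.strip().lstrip("v").split("."))
    except (AttributeError, ValueError):
        return None


def classify(version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for a version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or odd version: needs a manual look
    return "vulnerable" if version < FIXED else "patched"


def find_copies(root):
    """Walk root and return sorted (relative_dir, version, status) per copy found."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not identifiable here
        if not isinstance(meta, dict) or meta.get("name") != PACKAGE:
            continue
        version = meta.get("version")
        found.append((os.path.relpath(dirpath, root), str(version), classify(version)))
    return sorted(found)


if __name__ == "__main__":
    # Usage: python find_blueimp.py /var/www   (path is an example)
    for rel_dir, version, status in find_copies(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version:10} {rel_dir}")
```

Anything reported as "unknown" carries a missing or non-numeric version string and should be checked by hand.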