A researcher discovered a remote code execution (RCE) vulnerability present for more than 7 years in the jQuery File Upload plugin, used by thousands of websites.

The bug was found while analyzing two PHP files, Upload.php and UploadHandler.php. The researcher said that a quick test using curl commands and a simple script written in PHP confirmed that it was possible to upload files and execute commands on the server. The flaw is further aggravated by the fact that the attacker does not need any authentication to perform such an action.

The flaw was introduced when Apache turned off the security control provided by .htaccess files, which the plugin relied on for file access control. In addition to allowing malicious files such as malware to be uploaded, the flaw lets an attacker gain access to the web server system, move laterally across the network, deface web pages, and use the site as a command and control server for a botnet.
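
A defender-side check for the condition described above, as an added example that is not from the original article or the plugin: it reads an Apache configuration and reports whether a `.htaccess` file in an upload directory would be honored. The sample configurations and the `/var/www/html/uploads` path are constructed, the parser is simplified (plain `<Directory>` blocks only, no `Include`, wildcard or `<DirectoryMatch>` handling), and treating a missing `AllowOverride` as `None` is an assumption matching current Apache defaults.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configurations (not taken from the article).
LEGACY_CONF = '''
<Directory "/var/www/html">
    AllowOverride All
</Directory>
'''
DEFAULT_CONF = '''
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
'''
MIXED_CONF = '''
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html/uploads">
    AllowOverride FileInfo Limit
</Directory>
'''

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_allowoverride(conf_text, target_dir):
    """Return the AllowOverride value that applies to target_dir."""
    target = PurePosixPath(target_dir)
    best_len, value = -1, "None"  # assumption: no directive means None
    for path, body in DIR_BLOCK.findall(conf_text):
        block = PurePosixPath(path)
        if block != target and block not in target.parents:
            continue  # this <Directory> block does not cover target_dir
        m = OVERRIDE.search(body)
        # The most specific (deepest) block that sets the directive wins.
        if m and len(block.parts) > best_len:
            best_len, value = len(block.parts), m.group(1)
    return value

def htaccess_honored(conf_text, target_dir):
    """True if Apache would read a .htaccess file placed in target_dir."""
    return effective_allowoverride(conf_text, target_dir).lower() != "none"

if __name__ == "__main__":
    for name, conf in [("legacy", LEGACY_CONF), ("default", DEFAULT_CONF), ("mixed", MIXED_CONF)]:
        print(name, htaccess_honored(conf, "/var/www/html/uploads"))
```

A `False` result means any access control the application ships in `.htaccess` is silently ignored, so the restriction has to live in the server configuration or in the upload handler itself.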

The vulnerability was cataloged as CVE-2018-9206.
