Akamai security researcher Larry Cashdollar discovered a three-year-old vulnerability in a jQuery plugin that could allow remote execution exploits on servers.
The flaw exists because the jQuery plugin, which is designed to upload files to PHP servers, does not require validation and does not exclude file types, according to an October 18 blog post.
Cashdollar spotted the vulnerability when he used a simple PHP shell file to upload a web shell and run commands on the server.
The vulnerability was created by a change in the Apache HTTPD server that disabled support for .htaccess web server configuration to prevent security features from being overridden. However, the plugin relied on .htaccess to implement security controls.
“The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure,” Cashdollar wrote. “If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them.”
Cashdollar said that while Apache had good intentions in disabling the feature, the move left some developers and their projects vulnerable to attack, especially if they relied on the feature as a security function.
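For administrators who want to confirm whether the .htaccess files in their upload directories are still being read, the following is an added example, not code from Cashdollar's post or from the plugin. It assumes a single Apache config text with plain (non-regex, non-wildcard) `<Directory>` paths and uses `AllowOverride`, the Apache directive that controls whether .htaccess is honored; the sample config, paths and function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample config, not taken from any real server.
SAMPLE_CONF = """
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/var/www/html/legacy">
    AllowOverride All
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def parse_overrides(conf_text):
    """Map each plain <Directory> path to its AllowOverride value, if it sets one."""
    overrides = {}
    for path, body in DIR_BLOCK.findall(conf_text):
        m = OVERRIDE.search(body)
        if m:
            overrides[PurePosixPath(path)] = m.group(1)
    return overrides


def effective_override(overrides, directory):
    """Longest matching <Directory> wins; unset means None (the Apache 2.4 default)."""
    directory = PurePosixPath(directory)
    best, value = -1, "None"
    for path, setting in overrides.items():
        if (directory == path or path in directory.parents) and len(path.parts) > best:
            best, value = len(path.parts), setting
    return value


def ignored_htaccess(conf_text, htaccess_dirs):
    """Return directories whose .htaccess file is never read by the server."""
    overrides = parse_overrides(conf_text)
    return [d for d in htaccess_dirs
            if effective_override(overrides, d).lower() == "none"]


if __name__ == "__main__":
    # Constructed list of directories that ship a .htaccess file.
    dirs = ["/var/www/html/uploads/files", "/var/www/html/legacy/uploads"]
    for d in ignored_htaccess(SAMPLE_CONF, dirs):
        print(f"{d}/.htaccess is ignored: its restrictions are not enforced")
```

Any directory this reports needs its restrictions moved into the main server configuration or enforced by the application itself, since the .htaccess file there has no effect.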
There is no way to accurately determine how many projects have been affected by this vulnerability, as other projects have used the vulnerable code, and a few YouTube videos have already been released on how to exploit the flaw.
The issue was patched in version 9.22.1, but Cashdollar noted that because of the number of forks and other products using the plugin, it’s unclear how many other vulnerable programs still exist.