VULNERABILITIES.md

List of fixed vulnerabilities

Contents

• Potential vulnerabilities with PHP+ImageMagick
• Remote code execution vulnerability in the PHP component
• Open redirect vulnerability in the GAE components
• Cross-site scripting vulnerability in the Iframe Transport

Potential vulnerabilities with PHP+ImageMagick

Mitigated: 2018-10-25 (GMT)

The sample PHP upload handler before v9.25.1 did not validate file signatures before invoking ImageMagick (via Imagick).
Verifying those magic bytes mitigates potential vulnerabilities when handling input files other than GIF/JPEG/PNG.

Please also configure ImageMagick to only enable the coders required for GIF/JPEG/PNG processing, e.g. with the sample ImageMagick config.

Further information:

• Commit containing the mitigation: fe44d34
• ImageTragick
• CERT Vulnerability Note VU#332928
• ImageMagick CVE entries

Remote code execution vulnerability in the PHP component

Fixed: 2018-10-23 (GMT)

The sample PHP upload handler before v9.24.1 allowed to upload all file types by default.
This opens up a remote code execution vulnerability, unless the server is configured to not execute (PHP) files in the upload directory (server/php/files).

The provided .htaccess file includes instructions for Apache to disable script execution, however .htaccess support is disabled by default since Apache v2.3.9 via AllowOverride Directive.

You are affected if you:

1. A) Uploaded jQuery File Upload < v9.24.1 on a Webserver that executes files with .php as part of the file extension (e.g. "example.php.png"), e.g. Apache with mod_php enabled and the following directive (not a recommended configuration):

   AddHandler php5-script .php

   B) Uploaded jQuery File Upload < v9.22.1 on a Webserver that executes files with the file extension .php, e.g. Apache with mod_php enabled and the following directive:

   <FilesMatch \.php$>
     SetHandler application/x-httpd-php
   </FilesMatch>

2. Did not actively configure your Webserver to not execute files in the upload directory (server/php/files).
3. Are running Apache v2.3.9+ with the default AllowOverride Directive set to None or another Webserver with no .htaccess support.

How to fix it:

1. Upgrade to the latest version of jQuery File Upload.
2. Configure your Webserver to not execute files in the upload directory, e.g. with the sample Apache configuration

Further information:

• Commits containing the security fix: aeb47e5, ad4aefd
• Full disclosure post on Hacker News.
• CVE-2018-9206
• OWASP - Unrestricted File Upload

Open redirect vulnerability in the GAE components

Fixed: 2015-06-12 (GMT)

The sample Google App Engine upload handlers before v9.10.1 accepted any URL as redirect target, making it possible to use the Webserver's domain for phishing attacks.

Further information:

• Commit containing the security fix: f74d2a8
• OWASP - Unvalidated Redirects and Forwards Cheat Sheet

Cross-site scripting vulnerability in the Iframe Transport

Fixed: 2012-08-09 (GMT)

The redirect page for the Iframe Transport before commit 4175032 (fixed in all tagged releases) allowed executing arbitrary JavaScript in the context of the Webserver.

Further information:

• Commit containing the security fix: 4175032
• OWASP - Cross-site Scripting (XSS)