Software makers face a daunting challenge every day with the products they maintain. It’s a game of cat and mouse as hackers continuously poke holes in popular software and developers patch them as they come. The most dangerous of these security holes is what’s known as a zero-day.
As you may very well know, zero-day vulnerabilities are previously unknown software exploits that are already being used by hackers even before the software makers are made aware of them.
However, the latest zero-day flaw that is making the rounds has existed for years without being noticed. It’s highly likely that hackers have already been actively exploiting it for a time.
Read on and see what this latest zero-day discovery is all about.
Zero-day bug found in website plugin
A serious zero-day vulnerability that affects one of the most popular website plugins was recently revealed and it may have existed for eight years without getting noticed.
The website plugin in question is called the jQuery File Upload tool, an add-on used by websites and content management systems (like WordPress) for seamless drag-and-drop file upload support.
If you’ve ever uploaded files, videos, and images to a website, chances are you’ve used this tool before.
Akamai security researcher Larry Cashdollar discovered the flaw while he was analyzing the tool’s website code and he suspects that hackers are already using this vulnerability as a form of attack.
“I suspected this vulnerability hadn’t gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable,” Cashdollar noted in his blog post.
In fact, if you search online for this particular flaw, there are numerous YouTube videos dating as far back as 2015 that incorporate the exploit in a number of website attack techniques. One video even has a tutorial on how to find and hack vulnerable websites.
How the flaw works
Based on Cashdollar’s findings, the jQuery File Upload flaw allowed him to run commands on any web server that’s using the plugin.
It turns out that due to an update introduced to the widely used Apache Web Server program in 2010, the script (known as .htacess files) utilized by the tool for securing its folder directories was disabled by default since new versions of the program no longer needed it for security.
This means that after Apache version 2.3.9, web server plugins and add-ons like jQuery File Upload that still relied on .htacess files for directory security are all susceptible to attacks. Anyone who had knowledge of this particular flaw would have allowed them to steal data, install malware, deface a website and even take it over completely.
The fix is in
Thankfully, Cashdollar worked with jQuery File Upload’s developer, Sebastian Tschan, to patch the flaw. Currently, the flaw (designated as CVE-2018-9206) no longer exists in the latest version of jQuery File Upload.
If you’re using the jQuery File Upload plugin for WordPress or your website, make sure you’re on version 9.22.1.
According to the plugin’s Github documentation, the fix now limits file uploads to image files by default. It’s also recommended that webmasters configure their servers to disable file executions in the upload directory for security purposes.
Thousands of plugins are affected too
Although jQuery File Upload itself is already patched against this exploit, the plugin is so popular that it is used by thousands upon thousands of third-party plugins and projects too. This means that there’s still a multitude of website add-ons out there that are vulnerable to the same attack.
This also highlights that changes in open-source software can open up unforeseen security holes that developers can overlook and can endanger web users themselves.
Combine that with how web developers often borrow code and implement open-source components in their projects and it’s not hard to see how security bugs like this can have a widespread domino effect.