src/fileupload/static/lib/jQuery-File-Upload-10.32.0/VULNERABILITIES.md

   1 # List of fixed vulnerabilities
   2
   3 ## Contents
   4
   5 - [Potential vulnerabilities with PHP+ImageMagick](#potential-vulnerabilities-with-phpimagemagick)
   6 - [Remote code execution vulnerability in the PHP component](#remote-code-execution-vulnerability-in-the-php-component)
   7 - [Open redirect vulnerability in the GAE components](#open-redirect-vulnerability-in-the-gae-components)
   8 - [Cross-site scripting vulnerability in the Iframe Transport](#cross-site-scripting-vulnerability-in-the-iframe-transport)
   9
  10 ## Potential vulnerabilities with PHP+ImageMagick
  11
  12 > Mitigated: 2018-10-25 (GMT)
  13
  14 The sample [PHP upload handler](server/php/UploadHandler.php) before
  15 [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1)
  16 did not validate file signatures before invoking
  17 [ImageMagick](https://www.imagemagick.org/) (via
  18 [Imagick](https://php.net/manual/en/book.imagick.php)).
  19 Verifying those
  20 [magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates
  21 potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.
  22
  23 Please also configure ImageMagick to only enable the coders required for
  24 `GIF/JPEG/PNG` processing, e.g. with the sample
  25 [ImageMagick config](SECURITY.md#imagemagick-config).
  26
  27 **Further information:**
  28
  29 - Commit containing the mitigation:
  30   [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
  31 - [ImageTragick](https://imagetragick.com/)
  32 - [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
  33 - [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)
  34
  35 ## Remote code execution vulnerability in the PHP component
  36
  37 > Fixed: 2018-10-23 (GMT)
  38
  39 The sample [PHP upload handler](server/php/UploadHandler.php) before
  40 [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1)
  41 allowed to upload all file types by default.
  42 This opens up a remote code execution vulnerability, unless the server is
  43 configured to not execute (PHP) files in the upload directory
  44 (`server/php/files`).
  45
  46 The provided [.htaccess](server/php/files/.htaccess) file includes instructions
  47 for Apache to disable script execution, however
  48 [.htaccess support](https://httpd.apache.org/docs/current/howto/htaccess.html)
  49 is disabled by default since Apache `v2.3.9` via
  50 [AllowOverride Directive](https://httpd.apache.org/docs/current/mod/core.html#allowoverride).
  51
  52 **You are affected if you:**
  53
  54 1. A) Uploaded jQuery File Upload < `v9.24.1` on a Webserver that executes files
  55    with `.php` as part of the file extension (e.g. "example.php.png"), e.g.
  56    Apache with `mod_php` enabled and the following directive (_not a recommended
  57    configuration_):
  58    ```ApacheConf
  59    AddHandler php5-script .php
  60    ```
  61    B) Uploaded jQuery File Upload < `v9.22.1` on a Webserver that executes files
  62    with the file extension `.php`, e.g. Apache with `mod_php` enabled and the
  63    following directive:
  64    ```ApacheConf
  65    <FilesMatch \.php$>
  66      SetHandler application/x-httpd-php
  67    </FilesMatch>
  68    ```
  69 2. Did not actively configure your Webserver to not execute files in the upload
  70    directory (`server/php/files`).
  71 3. Are running Apache `v2.3.9+` with the default `AllowOverride` Directive set
  72    to `None` or another Webserver with no `.htaccess` support.
  73
  74 **How to fix it:**
  75
  76 1. Upgrade to the latest version of jQuery File Upload.
  77 2. Configure your Webserver to not execute files in the upload directory, e.g.
  78    with the [sample Apache configuration](SECURITY.md#apache-config)
  79
  80 **Further information:**
  81
  82 - Commits containing the security fix:
  83   [aeb47e5](https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f),
  84   [ad4aefd](https://github.com/blueimp/jQuery-File-Upload/commit/ad4aefd96e4056deab6fea2690f0d8cf56bb2d7d)
  85 - [Full disclosure post on Hacker News](https://news.ycombinator.com/item?id=18267309).
  86 - [CVE-2018-9206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206)
  87 - [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
  88
  89 ## Open redirect vulnerability in the GAE components
  90
  91 > Fixed: 2015-06-12 (GMT)
  92
  93 The sample Google App Engine upload handlers before
  94 v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1)
  95 accepted any URL as redirect target, making it possible to use the Webserver's
  96 domain for phishing attacks.
  97
  98 **Further information:**
  99
 100 - Commit containing the security fix:
 101   [f74d2a8](https://github.com/blueimp/jQuery-File-Upload/commit/f74d2a8c3e3b1e8e336678d2899facd5bcdb589f)
 102 - [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
 103
 104 ## Cross-site scripting vulnerability in the Iframe Transport
 105
 106 > Fixed: 2012-08-09 (GMT)
 107
 108 The [redirect page](cors/result.html) for the
 109 [Iframe Transport](js/jquery.iframe-transport.js) before commit
 110 [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
 111 (_fixed in all tagged releases_) allowed executing arbitrary JavaScript in the
 112 context of the Webserver.
 113
 114 **Further information:**
 115
 116 - Commit containing the security fix:
 117   [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
 118 - [OWASP - Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)