# List of fixed vulnerabilities

## Contents

- [Potential vulnerabilities with PHP+ImageMagick](#potential-vulnerabilities-with-phpimagemagick)
- [Remote code execution vulnerability in the PHP component](#remote-code-execution-vulnerability-in-the-php-component)
- [Open redirect vulnerability in the GAE components](#open-redirect-vulnerability-in-the-gae-components)
- [Cross-site scripting vulnerability in the Iframe Transport](#cross-site-scripting-vulnerability-in-the-iframe-transport)

## Potential vulnerabilities with PHP+ImageMagick

> Mitigated: 2018-10-25 (GMT)

The sample [PHP upload handler](server/php/UploadHandler.php) before
[v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1)
did not validate file signatures before invoking
[ImageMagick](https://www.imagemagick.org/) (via
[Imagick](https://php.net/manual/en/book.imagick.php)).
Verifying those
[magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates
potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.

Please also configure ImageMagick to only enable the coders required for
`GIF/JPEG/PNG` processing, e.g. with the sample
[ImageMagick config](SECURITY.md#imagemagick-config).

**Further information:**

- Commit containing the mitigation:
  [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
- [ImageTragick](https://imagetragick.com/)
- [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
- [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)

## Remote code execution vulnerability in the PHP component

> Fixed: 2018-10-23 (GMT)

The sample [PHP upload handler](server/php/UploadHandler.php) before
[v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1)
allowed uploading all file types by default.
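
The two server-side checks described above (an allow-list of image extensions
that also neutralises multi-extension names such as "example.php.png", and a
magic-byte check before a file reaches an image library) are shown below as an
added example in Python. It is not code from the jQuery File Upload project and
not a port of its PHP handler; the function names, the rejection messages, the
`ALLOWED_EXTENSIONS` pattern and the sample inputs are this example's own
assumptions. It goes slightly beyond the text by also stripping path
components from the submitted name.

```python
"""Upload validation illustrating the mitigations described above.

Added example, not code from the jQuery File Upload project. Function names,
messages and sample data are constructed for this illustration.
"""
import os
import re

# Only the three image types the sample handler processes by default.
ALLOWED_EXTENSIONS = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)

# Leading bytes per format, taken from the public file-signature table:
# GIF87a/GIF89a, the JPEG SOI marker, and the 8-byte PNG signature.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def canonical_type(ext: str) -> str:
    """Map an accepted extension onto the key used in MAGIC ('jpeg' -> 'jpg')."""
    ext = ext.lower()
    return "jpg" if ext in ("jpg", "jpeg") else ext


def sniff_image_type(data: bytes):
    """Return 'gif', 'jpg' or 'png' if the leading bytes match, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def sanitize_filename(name: str) -> str:
    """Drop path components and replace inner dots with hyphens.

    A server that honours every extension in a name (e.g. Apache with
    "AddHandler php5-script .php") would treat "example.php.png" as PHP;
    storing it as "example-php.png" leaves only the final extension.
    """
    base = os.path.basename(name.replace("\\", "/"))
    base = base.strip(". \t\r\n\x00")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return base
    return stem.replace(".", "-") + "." + ext


def validate_upload(name: str, data: bytes):
    """Return (accepted, stored_name_or_reason).

    The extension allow-list is checked first; then the file signature must
    be present and must agree with the extension, so a PHP script renamed
    to .png is refused before any image processing takes place.
    """
    safe = sanitize_filename(name)
    match = ALLOWED_EXTENSIONS.search(safe)
    if not match:
        return False, "extension not allowed"
    declared = canonical_type(match.group(1))
    actual = sniff_image_type(data)
    if actual is None:
        return False, "no GIF/JPEG/PNG signature"
    if actual != declared:
        return False, f"signature {actual} does not match extension"
    return True, safe


if __name__ == "__main__":
    # Constructed sample: a minimal PNG header followed by padding bytes.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(validate_upload("example.php.png", png))
    print(validate_upload("image.png", b"not an image"))
```

Both checks are cheap, but neither replaces the web server configuration step
in the "How to fix it" list: signature checks only decide what the image
library sees, and the stored name only matters if the upload directory is
served with script execution disabled.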

This opens up a remote code execution vulnerability, unless the server is
configured to not execute (PHP) files in the upload directory
(`server/php/files`).

The provided [.htaccess](server/php/files/.htaccess) file includes instructions
for Apache to disable script execution; however,
[.htaccess support](https://httpd.apache.org/docs/current/howto/htaccess.html)
is disabled by default since Apache `v2.3.9` via the
[AllowOverride Directive](https://httpd.apache.org/docs/current/mod/core.html#allowoverride).

**You are affected if you:**

1. A) Deployed jQuery File Upload < `v9.24.1` on a Webserver that executes files
   with `.php` as part of the file extension (e.g. "example.php.png"), e.g.
   Apache with `mod_php` enabled and the following directive (_not a recommended
   configuration_):
   ```ApacheConf
   AddHandler php5-script .php
   ```
   B) Deployed jQuery File Upload < `v9.22.1` on a Webserver that executes files
   with the file extension `.php`, e.g. Apache with `mod_php` enabled and the
   following directive:
   ```ApacheConf
   <FilesMatch \.php$>
     SetHandler application/x-httpd-php
   </FilesMatch>
   ```
2. Did not actively configure your Webserver to not execute files in the upload
   directory (`server/php/files`).
3. Are running Apache `v2.3.9+` with the default `AllowOverride` Directive set
   to `None`, or another Webserver with no `.htaccess` support.

**How to fix it:**

1. Upgrade to the latest version of jQuery File Upload.
2. Configure your Webserver to not execute files in the upload directory, e.g.
   with the [sample Apache configuration](SECURITY.md#apache-config).

**Further information:**

- Commits containing the security fix:
  [aeb47e5](https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f),
  [ad4aefd](https://github.com/blueimp/jQuery-File-Upload/commit/ad4aefd96e4056deab6fea2690f0d8cf56bb2d7d)
- [Full disclosure post on Hacker News](https://news.ycombinator.com/item?id=18267309)
- [CVE-2018-9206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206)
- [OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)

## Open redirect vulnerability in the GAE components

> Fixed: 2015-06-12 (GMT)

The sample Google App Engine upload handlers before
[v9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1)
accepted any URL as redirect target, making it possible to use the Webserver's
domain for phishing attacks.

**Further information:**

- Commit containing the security fix:
  [f74d2a8](https://github.com/blueimp/jQuery-File-Upload/commit/f74d2a8c3e3b1e8e336678d2899facd5bcdb589f)
- [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)

## Cross-site scripting vulnerability in the Iframe Transport

> Fixed: 2012-08-09 (GMT)

The [redirect page](cors/result.html) for the
[Iframe Transport](js/jquery.iframe-transport.js) before commit
[4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
(_fixed in all tagged releases_) allowed executing arbitrary JavaScript in the
context of the Webserver.

**Further information:**

- Commit containing the security fix:
  [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
- [OWASP - Cross-site Scripting (XSS)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)
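
The open redirect section above states the problem (any URL accepted as
redirect target) but not the shape of the fix. The following is an added
example, in Python, of how an upload handler can restrict redirect targets; it
is not the project's Google App Engine code and does not reproduce commit
f74d2a8. `ALLOWED_HOSTS`, the function name and the sample inputs are this
example's own assumptions. It also covers edge cases the section does not
mention: scheme-relative URLs, backslashes in the authority, non-http schemes
and userinfo tricks.

```python
"""Redirect-target validation for an upload handler's redirect parameter.

Added example, not code from the jQuery File Upload project. Hosts and inputs
are constructed for this illustration.
"""
from urllib.parse import urlsplit

# Hosts this deployment is willing to send users on to (constructed values).
ALLOWED_HOSTS = {"example.com", "uploads.example.com"}


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Return `url` if it is an acceptable redirect target, else `fallback`.

    Accepted: a same-site relative path ("/done"), or an absolute http(s)
    URL whose host is in ALLOWED_HOSTS. Everything else falls back, which
    covers scheme-relative "//other.example", "javascript:" URLs and
    "https://example.com@other.example" style authorities.
    """
    if not url:
        return fallback
    # Browsers treat backslashes in the authority like forward slashes, so
    # normalise first; otherwise "/\other.example" parses as a plain path.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: a single leading "/" keeps it on this site.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # `hostname` drops userinfo and port and is lower-cased, so a
    # "user@host" authority is judged by its real host.
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return fallback
    return candidate


if __name__ == "__main__":
    for target in ("/done?upload=1", "//other.example/login",
                   "https://uploads.example.com:8443/result"):
        print(target, "->", safe_redirect_target(target))
```

An exact-match host allow-list is deliberately chosen over suffix matching:
checking `endswith("example.com")` would also accept
`notexample.com`, and matching on the start of the string would accept
`example.com.other.example`.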