False Vulnerability Report: jQuery Html5 File Upload Vulnerability
As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.
Recently a report was released claiming there was a vulnerability that allowed the uploading of .php files through the jQuery Html5 File Upload plugin. The validity of this report seemed suspect based on the proof of concept provided:
<center> <br><br><br><br><br><br><br><br><br><br><br><br><br> <font face="Iceland" color="red" size="7">jQuery File Upload By Hacker Khan</font><br> <form method="POST" action="target.com/ enctype="multipart/form-data"> <input type="file" name="files[]" /><button>Upload</button>
There is an HTML form in that, but not even the HTML code to submit the form is included. After fixing up the proof of concept, we tried it and found that when we attempted to upload a .php file we got the error “Filetype not allowed”, so the plugin appeared to be correctly refusing to accept a .php file.
Looking at the code confirmed that. Starting on line 367 of the file /UploadHandler.php, the file extension is checked:
if (!preg_match($this->options['accept_file_types'], $file->name)) {
    $file->error = $this->get_error_message('accept_file_types');
    return false;
}
Filling in the variables in the first line of that, with the default setting and a file named test.php, the code looks like:
if (!preg_match('/\.(gif|jpeg|jpg|png)$/i', 'test.php')) {
So by default the code checks whether the file name ends with .gif, .jpeg, .jpg, or .png (case-insensitively), and a name whose extension is .php does not match, so the upload is rejected.
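To make the check concrete, the following is an added example, not code from the jQuery Html5 File Upload plugin. It re-implements the accept_file_types test quoted above and runs it against a few constructed file names using three patterns: the default whitelist quoted in the post, the permissive '/.+$/i' value quoted in the comment below, and a whitelist built from an option value the way the plugin's get_option-based setting is shaped. The function names, the pipe-separated option format, and the sample file names are assumptions made for this example.

```php
<?php
// Added example, not code from the jQuery Html5 File Upload plugin. It mirrors the
// accept_file_types check from UploadHandler.php so the patterns discussed on this
// page can be compared on sample file names.

/** Mirrors the plugin's check: the upload is allowed only if the name matches the pattern. */
function is_accepted(string $acceptFileTypes, string $fileName): bool
{
    return preg_match($acceptFileTypes, $fileName) === 1;
}

/**
 * Builds an anchored, case-insensitive whitelist pattern of the form '/\.(...)$/i'.
 * The pipe-separated input format is an assumption; the plugin reads its list from
 * get_option('jqhfu_accepted_file_types'). Each extension goes through preg_quote so a
 * stray regex metacharacter in the stored option cannot widen the whitelist.
 */
function build_accept_pattern(string $pipeSeparatedExtensions): string
{
    $parts   = array_filter(array_map('trim', explode('|', $pipeSeparatedExtensions)));
    $escaped = array_map(fn(string $ext): string => preg_quote($ext, '/'), $parts);
    return '/\.(' . implode('|', $escaped) . ')$/i';
}

$patterns = [
    'default whitelist'       => '/\.(gif|jpeg|jpg|png)$/i',                   // quoted in the post
    'permissive (comment)'    => '/.+$/i',                                     // quoted in the comment
    'built from option value' => build_accept_pattern('gif|jpeg|jpg|png|pdf'), // constructed sample value
];

// Constructed sample file names, not taken from any real upload.
$samples = ['photo.jpg', 'PHOTO.PNG', 'test.php', 'report.pdf', 'noextension'];

foreach ($patterns as $label => $pattern) {
    echo "$label: $pattern\n";
    foreach ($samples as $name) {
        printf("  %-12s %s\n", $name, is_accepted($pattern, $name) ? 'accepted' : 'Filetype not allowed');
    }
}
```

Run it with `php example.php`. With the default whitelist, photo.jpg and PHOTO.PNG are accepted and test.php, report.pdf and noextension produce "Filetype not allowed"; with '/.+$/i' every non-empty name is accepted, including test.php, which is why that value would matter if it were actually present; the pattern built from the option value behaves like the default whitelist with .pdf added. The anchored, escaped form is the one to look for when auditing an upload handler.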
It’s not a false vulnerability report. I prove this right now.
If you download the script now you can find this at line 84:
// Defines which files (based on their names) are accepted for upload:
'accept_file_types' => '/.+$/i',
That means accept_file_types accepts .php files, right?
You didn’t identify what file you are referring to, but it looks like the file is /UploadHandler.php. Line 84 of that file in version 3.0 is actually:
'accept_file_types' => '/\.('.get_option('jqhfu_accepted_file_types').')$/i',
Looking at the older versions that have been tagged, none of them contain the line set that way either.
Where did you download the plugin from?