jQuery? More like preyQuery: File upload tool can be exploited to hijack at-risk websites

A serious vulnerability in a widely used, and widely forked, jQuery file upload plugin may have been exploited for years by hackers to seize control of websites – and is only now patched.

Larry Cashdollar, a bug-hunter at Akamai, explained late last week how the security shortcoming, designated CVE-2018-9206, allows a miscreant to upload and execute arbitrary code on a website that uses the vulnerable code with the Apache web server. The Register's report describes this as running code as root; in practice the uploaded code runs with whatever privileges the web server process has, which is usually enough. The underlying weakness is that the plugin's server-side example upload handler relied on an .htaccess file to restrict which file types could be stored, and Apache stopped honouring .htaccess files by default from version 2.3.9 onward, leaving the handler to accept any file, PHP scripts included. This would potentially allow an attacker to, among other things, upload and run a webshell to execute commands on the target machine to steal data, change files, distribute malware, and so on.

Cashdollar – real name, he swears – was able to track the flaw down to Sebastian Tschan’s open-source jQuery File Upload tool, and got the developer to fix it in version 9.22.1. However, the infosec bod fears that actually getting that update out to every site and web app relying on the component – as well as its 7,828 forks – could be next to impossible.

Read full news article on The Register
