Kindred Security Newsletter

Security Newsletter

22 October 2018

Zero-day in popular jQuery plugin actively exploited for at least three years

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers. The vulnerability impacts the jQuery File Upload plugin, which is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular and has been integrated into many other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

The Akamai researcher says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells. The vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016". The developer's investigation identified the true source of the vulnerability not in the plugin's code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin's expected behavior on Apache servers.

Blueimp's jQuery File Upload plugin was coded to rely on a custom .htaccess file to impose security restrictions to its upload folder, without knowing that five days before, the Apache HTTPD team made a breaking change that undermined the plugin's basic design. Identifying all affected projects and stomping out this vulnerability will take years.

Read More on ZDNet

Even More on DarkReading

Facebok: Update on security issues: 30M accounts leaked

Facebook has just announced additional details on last month's data breach. The company now says that only 30 million accounts had their access tokens stolen instead of the 50 million they had originally believed, and of those 30 million, 15 million users just had their emails and phone numbers taken.

Worse, however, is that for 14 million unlucky users, the hackers were able to access both email info and phone numbers plus their "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches" as well.

In an updated post on Facebook's newsroom, the company says it's working with the FBI, who is actively investigating the situation, and therefore can't reveal who they believe were behind the attack. People can check whether they were affected by visiting Facebook Help Center. In the coming days, they will send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.

Official Facebook advisory

Even More on TechRadar

Try the hack for yourself on Adversary!

Hacker: I'm logged in. New LibSSH Vulnerability: OK! I believe you.

Newly released versions of the libssh library fix an authentication bypass flaw that grants access to the server by just telling it that the procedure was a success.

The libssh library enables support of the Secure Shell (SSH) protocol in applications, allowing an encrypted connection between clients and servers. Leveraging it is a simple matter of presenting the server with the SSH2_MSG_USERAUTH_SUCCESS message, which shows that the login already occurred without a problem. The server expects the message SSH2_MSG_USERAUTH_REQUEST to start the authentication procedure, but by skipping it an attacker can log in without showing any credentials.

The trick is possible in library versions 0.6 and above, and there is no workaround available, informs an advisory on Thursday from the libssh team. The issue has been addressed in revisions 0.8.4 and 0.7.6 of the library.