Recently, I noticed some requests hitting our honeypots that appear to attempt to exploit jQuery-File-Upload. jQuery-File-Upload is a popular tool for implementing file uploads. It has been around for a while and has had a few vulnerabilities in the past, but nothing recent as far as I can tell. Allowing users to upload files securely is tricky, and jQuery-File-Upload is tempting fate by allowing uploads into the document root. The walk-through by Kristian Bremberg explaining past jQuery-File-Upload vulnerabilities is an excellent summary of all the things that can go wrong.
Here is a typical request we are seeing currently:
There are a couple of odd things identifying this set of scans:
The scans are currently all coming from 18.104.22.168. The IP address has been active since the beginning of the year. Over that time, different URLs were scanned with a focus on file upload vulnerabilities:
The very first request we saw with this user-agent arrived on August 9th last year and attempted to access the WordPress file manager. Back then, the requests came from a few different IP addresses.
Sadly, we do not know exactly what the attacker is attempting to upload. But it will likely be spam/malware, which is what we often find. The attacker is scanning by hostname instead of IP address as the attacker is likely looking for existing websites with a "decent" reputation to minimize the chance of blocklisting. If you are a developer: Read the blog linked below for a refresher on what can go wrong with file uploads.
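For developers, the following sketch shows the opposite of uploading into the document root. It is an added example, not code from this diary or from jQuery-File-Upload; `store_upload`, `UploadRejected`, the extension allowlist and the directory names are hypothetical, and the inputs are constructed.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumed policy for this example: only these image types are accepted.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

class UploadRejected(Exception):
    """Raised when an upload violates the storage policy."""

def store_upload(client_name: str, data: bytes, upload_dir: Path, doc_root: Path) -> Path:
    """Store an upload outside the document root under a server-chosen name."""
    upload_dir, doc_root = upload_dir.resolve(), doc_root.resolve()
    # Refuse to write anywhere the web server would serve (and possibly execute) files.
    if upload_dir == doc_root or doc_root in upload_dir.parents:
        raise UploadRejected("upload directory is inside the document root")
    # Keep only the last path component of the client-supplied name.
    base = os.path.basename(client_name.replace("\\", "/"))
    suffixes = [s.lower() for s in Path(base).suffixes]
    # Deliberately strict: every suffix must be allowlisted, so "shell.php.jpg"
    # and dot-files such as ".htaccess" (no suffix at all) are both refused.
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise UploadRejected(f"extension not allowed: {base!r}")
    # The stored name is random; nothing the client sent ends up in the path.
    dest = upload_dir / (secrets.token_hex(16) + suffixes[-1])
    upload_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    # O_EXCL fails instead of overwriting; mode 0o600 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo() -> dict:
    """Run the policy against constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        doc_root, private = Path(tmp) / "htdocs", Path(tmp) / "uploads"
        cases = [("photo.JPG", private), ("shell.php.jpg", private),
                 (".htaccess", private), ("photo.jpg", doc_root / "files")]
        for name, target in cases:
            try:
                results[name] = store_upload(name, b"constructed bytes", target, doc_root).suffix
            except UploadRejected:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The extension check says nothing about the file's content; stored files should still be served through a handler that sets the content type itself.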
May 23rd 2022