⚠️ List of fixed vulnerabilities
Potential vulnerabilities with PHP+ImageMagick
Mitigated: 2018-10-25 (GMT)
The sample PHP upload handler before v9.25.1 did not validate file signatures before invoking ImageMagick (via Imagick).
Verifying those magic bytes mitigates potential vulnerabilities when handling input files other than
Please also configure ImageMagick to only enable the coders required for
GIF/JPEG/PNG processing, e.g. with the sample ImageMagick config.
- Commit containing the mitigation: fe44d34
- CERT Vulnerability Note VU#332928
- ImageMagick CVE entries
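The signature check described in this entry, as an added example that is not the project's own code: it reads the first bytes of an upload and only hands GIF, JPEG or PNG content to Imagick. The function names `sniff_image_type` and `make_thumbnail` and the 200-pixel default are assumptions made for illustration.

```php
<?php
// Added example with hypothetical function names: allow only GIF/JPEG/PNG,
// judged by file signature, before any ImageMagick (Imagick) processing.

// Returns 'gif', 'jpeg' or 'png' when the file starts with that format's
// signature, or null for anything else (including unreadable or empty files).
function sniff_image_type(string $path): ?string
{
    $fp = @fopen($path, 'rb');
    if ($fp === false) {
        return null;
    }
    $head = fread($fp, 8);
    fclose($fp);
    if ($head === false) {
        return null;
    }
    // GIF: "GIF87a" or "GIF89a"
    if (strncmp($head, 'GIF87a', 6) === 0 || strncmp($head, 'GIF89a', 6) === 0) {
        return 'gif';
    }
    // JPEG: FF D8 FF
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0) {
        return 'jpeg';
    }
    // PNG: 89 50 4E 47 0D 0A 1A 0A
    if ($head === "\x89PNG\r\n\x1A\n") {
        return 'png';
    }
    return null;
}

// Scales $src into $dst; returns false without touching ImageMagick when the
// signature is not on the allow list, or when decoding fails.
function make_thumbnail(string $src, string $dst, int $max = 200): bool
{
    $type = sniff_image_type($src);
    if ($type === null) {
        return false;
    }
    try {
        // ImageMagick's "coder:filename" syntax pins the decoder to the sniffed type.
        $image = new Imagick($type . ':' . $src);
        $image->thumbnailImage($max, $max, true);
        return $image->writeImage($type . ':' . $dst);
    } catch (ImagickException $e) {
        return false; // valid signature but undecodable body
    }
}
```

The signature check complements the coder restriction in the ImageMagick configuration and does not replace it.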
Remote code execution vulnerability in the PHP component
Fixed: 2018-10-23 (GMT)
The sample PHP upload handler before v9.24.1 allowed uploading all file types by default.
This opens up a remote code execution vulnerability, unless the server is configured to not execute (PHP) files in the upload directory (
You are affected if you:
- A) Uploaded jQuery File Upload < v9.24.1 on a Webserver that executes files with .php as part of the file extension (e.g. "example.php.png"), e.g. Apache with mod_php enabled and the following directive (not a recommended configuration):
      AddHandler php5-script .php
  B) Uploaded jQuery File Upload < v9.22.1 on a Webserver that executes files with the file extension .php, e.g. Apache with mod_php enabled and the following directive:
      <FilesMatch \.php$>
        SetHandler application/x-httpd-php
      </FilesMatch>
- Did not actively configure your Webserver to not execute files in the upload directory (
- Are running Apache v2.3.9+ with the default AllowOverride Directive set to None or another Webserver with no
How to fix it:
- Upgrade to the latest version of jQuery File Upload.
- Configure your Webserver to not execute files in the upload directory, e.g. with the sample Apache configuration
- Commits containing the security fix: aeb47e5, ad4aefd
- Full disclosure post on Hacker News.
- OWASP - Unrestricted File Upload
Open redirect vulnerability in the GAE components
Fixed: 2015-06-12 (GMT)
The sample Google App Engine upload handlers before v9.10.1 accepted any URL as redirect target, making it possible to use the Webserver's domain for phishing attacks.
- Commit containing the security fix: f74d2a8
- OWASP - Unvalidated Redirects and Forwards Cheat Sheet
Cross-site scripting vulnerability in the Iframe Transport
Fixed: 2012-08-09 (GMT)