diff --git a/README.md b/README.md index f8a2b532a..d2f104d5c 100644 --- a/README.md +++ b/README.md 
@@ -1,25 +1,23 @@ # jQuery File Upload Plugin +## Description +File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery. +Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads. + +## Demo +[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/) + ## ⚠️ Security Notice Security related releases: +* [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1) Mitigates some [Potential vulnerabilities with PHP+ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick). * [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1) Fixes a [Remote code execution vulnerability in the PHP component](VULNERABILITIES.md#remote-code-execution-vulnerability-in-the-php-component). * v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1) Fixes an [Open redirect vulnerability in the GAE components](VULNERABILITIES.md#open-redirect-vulnerability-in-the-gae-components). * Commit [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a) (*fixed in all tagged releases*) Fixes a [Cross-site scripting vulnerability in the Iframe Transport](VULNERABILITIES.md#cross-site-scripting-vulnerability-in-the-iframe-transport). Please read the [SECURITY](SECURITY.md) document for instructions on how to securely configure your Webserver for file uploads. -## Demo -[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/) - -## Description -File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery. -Supports cross-domain, chunked and resumable file uploads and client-side image resizing. 
Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads. - ## Setup -⚠️ **Notice:** -Please read the [Security recommendations](SECURITY.md) before setting up the project. - * [How to setup the plugin on your website](https://github.com/blueimp/jQuery-File-Upload/wiki/Setup) * [How to use only the basic plugin (minimal setup guide).](https://github.com/blueimp/jQuery-File-Upload/wiki/Basic-plugin) @@ -27,7 +25,7 @@ Please read the [Security recommendations](SECURITY.md) before setting up the pr * **Multiple file upload:** Allows to select multiple files at once and upload them simultaneously. * **Drag & Drop support:** - Allows to upload files by dragging them from your desktop or filemanager and dropping them on your browser window. + Allows to upload files by dragging them from your desktop or file manager and dropping them on your browser window. * **Upload progress bar:** Shows a progress bar indicating the upload progress for individual files and for all uploads combined. * **Cancelable uploads:** diff --git a/SECURITY.md b/SECURITY.md index afa1da13c..db58f7dd7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -3,6 +3,8 @@ For an in-depth understanding of the potential security risks of providing file To securely setup the project to serve uploaded files, please refer to the sample [Secure file upload serving configurations](#secure-file-upload-serving-configurations). +To mitigate potential vulnerabilities in image processing libraries, please refer to the [Secure image processing configurations](#secure-image-processing-configurations). + By default, all sample upload handlers allow only upload of image files, which mitigates some attack vectors, but should not be relied on as the only protection. Please also have a look at the [list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which relates mostly to the sample server-side upload handlers and how they have been configured. @@ -109,3 +111,23 @@ location ^~ /path/to/project/server/php/files { } } ``` + +## Secure image processing configurations +The following configuration mitigates [potential image processing vulnerabilities with ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick) by limiting the attack vectors to a small subset of image types (`GIF/JPEG/PNG`). + +Please also consider using alternative, safer image processing libraries like [libvips](https://github.com/libvips/libvips) or [imageflow](https://github.com/imazen/imageflow). + +## ImageMagick config +It is recommended to disable all non-required ImageMagick coders via [policy.xml](https://wiki.debian.org/imagemagick/security). +To do so, locate the ImageMagick `policy.xml` configuration file and add the following policies: + +```xml + + + + + + + + +``` diff --git a/VULNERABILITIES.md b/VULNERABILITIES.md index f1fe261be..1561a1401 100644 --- a/VULNERABILITIES.md +++ b/VULNERABILITIES.md 
@@ -1,7 +1,21 @@ # ⚠️ List of fixed vulnerabilities +## Potential vulnerabilities with PHP+ImageMagick +> Mitigated: 2018-10-25 (GMT) + +The sample [PHP upload handler](server/php/UploadHandler.php) before [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1) did not validate file signatures before invoking [ImageMagick](https://www.imagemagick.org/) (via [Imagick](http://php.net/manual/en/book.imagick.php)). +Verifying those [magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`. + +Please also configure ImageMagick to only enable the coders required for `GIF/JPEG/PNG` processing, e.g. with the sample [ImageMagick config](SECURITY.md#imagemagick-config). + +**Further information:** +* Commit containing the mitigation: [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd) +* [ImageTragick](https://imagetragick.com/) +* [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928) +* [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick) + ## Remote code execution vulnerability in the PHP component -> Fixed: 2018-10-23 +> Fixed: 2018-10-23 (GMT) The sample [PHP upload handler](server/php/UploadHandler.php) before [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1) allowed to upload all file types by default. This opens up a remote code execution vulnerability, unless the server is configured to not execute (PHP) files in the upload directory (`server/php/files`). 
@@ -33,7 +47,7 @@ The provided [.htaccess](server/php/files/.htaccess) file includes instructions * [OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) ## Open redirect vulnerability in the GAE components -> Fixed: 2015-06-12 +> Fixed: 2015-06-12 (GMT) The sample Google App Engine upload handlers before v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1) accepted any URL as redirect target, making it possible to use the Webserver's domain for phishing attacks. @@ -42,7 +56,7 @@ The sample Google App Engine upload handlers before v[9.10.1](https://github.com * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) ## Cross-site scripting vulnerability in the Iframe Transport -> Fixed: 2012-08-09 +> Fixed: 2012-08-09 (GMT) The [redirect page](cors/result.html) for the [Iframe Transport](js/jquery.iframe-transport.js) before commit [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a) (*fixed in all tagged releases*) allowed executing arbitrary JavaScript in the context of the Webserver.
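Review bot: in the README.md hunk `@@ -1,25 +1,23 @@`, the new v9.25.1 entry links to `VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick`, and that fragment is unlikely to resolve: GitHub derives heading anchors by lowercasing the heading and dropping punctuation, so a heading containing `PHP+ImageMagick` gets the slug `potential-vulnerabilities-with-phpimagemagick`, not one with a `+`. Either drop the `+` from the link target or, better, reword the heading (e.g. "PHP and ImageMagick") so the slug is unambiguous, and update the matching link added in SECURITY.md in the same change. The wording "Mitigates some ..." is also too vague for a security notice; say what changed, i.e. that the sample PHP handler now validates GIF/JPEG/PNG file signatures before invoking ImageMagick, so readers can judge whether their deployment is affected. Minor: the list now mixes `[v9.25.1]` with the older `v[9.10.1]` style on the adjacent context line; worth normalising while the block is being edited.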
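Review bot: in the SECURITY.md hunk `@@ -109,3 +111,23 @@`, the ```xml fence under "## ImageMagick config" contains no policy entries as rendered here, so the section instructs the reader to "add the following policies" without showing any. Check that the `<policy>` lines survived the commit (Markdown tooling that treats angle-bracket tags as raw HTML will silently drop them); if they were lost, the block that matches the stated goal of allowing only GIF/JPEG/PNG is a deny-all coder rule followed by an explicit allow, e.g. `<policy domain="coder" rights="none" pattern="*" />` then `<policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG}" />`. Two smaller points: "## ImageMagick config" reads as a subsection of "Secure image processing configurations" and should probably be `###` (the `#imagemagick-config` anchor referenced from VULNERABILITIES.md does not depend on heading level), and the text could tell readers how to find the active `policy.xml`, since its location varies by distribution (`identify -list policy` prints the path in use).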
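Review bot: in the VULNERABILITIES.md hunk `@@ -1,7 +1,21 @@`, the sentence "Verifying those magic bytes mitigates potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`" overstates what a signature check provides. It stops ImageMagick from sniffing the content and dispatching it to some other coder (the ImageTragick class of issues linked under "Further information" depended on exactly that), but a file whose leading bytes form a valid GIF/JPEG/PNG header is still passed to that coder unchanged, so defects in those three coders remain reachable. Suggest stating this explicitly and tying the two layers together: the magic-byte check in `UploadHandler.php` narrows which coders the upload handler can reach, while the policy.xml in `SECURITY.md#imagemagick-config` enforces the same restriction inside ImageMagick itself, which matters if the handler is reused or the check is bypassed. "Mitigated" rather than "Fixed" in the date line is the right word for this entry and should stay.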