Unauthenticated arbitrary file upload in bundled demo endpoint leads to code execution in common deployments #412

@NomanProdhan

Description

Component/Path:

  • libs/jQuery-File-Upload/server/php/index.php (demo endpoint that instantiates UploadHandler)
  • Upload directory: libs/jQuery-File-Upload/server/php/files/
  • Upload policy source: libs/jQuery-File-Upload/server/php/UploadHandler.php (accept_file_types => /.+$/i)

Tested Version: v2.7.6
Environment: PHP 8.4.11, served by php -S 127.0.0.1:8000 on Linux

Summary

The repository includes a web-reachable demo upload endpoint (based on BlueImp’s jQuery File Upload). By default, it accepts arbitrary file extensions and stores them under a publicly accessible directory inside the repo. In common deployments where the repository is served as-is (e.g., php -S 127.0.0.1:8000, or web servers that ignore/omit the provided .htaccess controls), an attacker can upload a script file and then request it, resulting in unauthenticated remote code execution (RCE) under the web server user.

This endpoint is independent of RichFilemanager’s core PHP connector (connectors/php/filemanager.php). It does not use RFM’s authentication hooks; it is a bundled demo that becomes exploitable when exposed under the webroot.

Affected Paths & Source Evidence

Demo endpoint (web entry):

  • libs/jQuery-File-Upload/server/php/index.php constructs UploadHandler without authentication.

Upload policy (accepts any extension):

  • libs/jQuery-File-Upload/server/php/UploadHandler.php
    • accept_file_types => /.+$/i (matches all filenames)

Upload location (web-reachable):

  • libs/jQuery-File-Upload/server/php/files/ (the demo’s default upload directory)
    • Repo includes .htaccess to mitigate on Apache only; not honored by php -S and many non-Apache setups.

Attack Vector

  1. Send an unauthenticated upload request to the demo endpoint with a benign file to demonstrate arbitrary extension acceptance (e.g., .php).
     Example (safe, non-executing):

       curl -s -F 'files[]=@/etc/hosts;filename=test.txt' \
         'http://<host>/libs/jQuery-File-Upload/server/php/'

     The response JSON includes a public url to the uploaded file in

  2. Public accessibility: The uploaded file is accessible at the returned url.
     In configurations where the server executes scripts in that directory (e.g., when served via php -S), an attacker could upload a script and then request it to achieve RCE.

For public tracking, this report does not include a weaponized payload.

Preconditions

  • The repository (including libs/jQuery-File-Upload/server/php/) is served directly under the webroot.
  • The web server either executes scripts in the upload directory or ignores the provided Apache-only .htaccess mitigation (e.g., PHP built-in server; Nginx/PHP-FPM without equivalent rules; misconfigured Apache).

No authentication is required; the endpoint does not integrate with RichFilemanager auth hooks.

Not in Scope (clarification)

  • The core RichFilemanager connector (connectors/php/filemanager.php) is not required to exploit this issue.
  • This is a packaging/exposure problem: the demo uploader is bundled and reachable from the repo webroot by default.

Impact

  • CWE-434: Unrestricted Upload of File with Dangerous Type.
  • Leads to RCE in configurations where uploaded files in .../files/ are executed as scripts (e.g., PHP built-in server; web servers without an equivalent to the provided .htaccess).
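As an added example (not code from the RichFilemanager or BlueImp projects), the script below mirrors the bundled default accept_file_types pattern, contrasts it with a constructed image-only allowlist, and includes an audit helper that reports which script-like names a given accept_file_types value would admit; the sample filenames are constructed.

```python
import re

# Pattern shipped in the bundled demo's UploadHandler.php:
#   accept_file_types => /.+$/i
# Any non-empty filename passes, so the extension is never a barrier.
DEMO_DEFAULT = re.compile(r".+$", re.IGNORECASE)

# Constructed allowlist for an image-only form. Equivalent PHP option value:
#   'accept_file_types' => '/\A[A-Za-z0-9_-]+\.(gif|jpe?g|png)\z/i'
# The basename may not contain dots, which also rules out double extensions.
IMAGE_ALLOWLIST = re.compile(r"[A-Za-z0-9_-]+\.(gif|jpe?g|png)", re.IGNORECASE)

# Extensions that PHP handlers are commonly configured to execute.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def accepted_by_demo_default(filename: str) -> bool:
    """Mirror the demo's check: a preg_match of accept_file_types against the name."""
    return DEMO_DEFAULT.search(filename) is not None


def accepted_by_allowlist(filename: str) -> bool:
    """Allowlist check: the whole name must be a safe basename plus one image extension."""
    return IMAGE_ALLOWLIST.fullmatch(filename) is not None


def script_names_accepted(pattern_body: str) -> list:
    """Audit helper for a deployed accept_file_types value (regex body without the
    PHP delimiters and flags): return the script-like probe names it admits.
    An empty list is what a hardened deployment should produce."""
    rx = re.compile(pattern_body, re.IGNORECASE)
    probes = ["upload." + ext for ext in sorted(SCRIPT_EXTENSIONS)] + ["photo.php.jpg"]
    return [name for name in probes if rx.search(name)]


# Constructed sample filenames (not taken from the report).
SAMPLE_FILENAMES = ["avatar.png", "report.PDF", "upload.php", "photo.php.jpg", "notes.phtml"]


def compare_policies(filenames):
    """Map each filename to (accepted by demo default, accepted by allowlist)."""
    return {n: (accepted_by_demo_default(n), accepted_by_allowlist(n)) for n in filenames}


if __name__ == "__main__":
    for name, (demo, strict) in compare_policies(SAMPLE_FILENAMES).items():
        print(f"{name:14} demo_default={demo!s:5} allowlist={strict}")
    print("script names admitted by /.+$/i:", script_names_accepted(r".+$"))
```

Run the audit helper against the accept_file_types value actually deployed; anything other than an empty list means the extension policy is not what stops script uploads and the web server's execution rules for files/ must carry the mitigation.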
