Hello, welcome to the Tuesday, May 24th, 2020 edition of the Sandtonet Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Well, I wrote up a recent attack from our honeypots, and that's an increase in scans for a vulnerability in jQuery file upload.

This is a popular jQuery extension that allows you to upload files.

Has had some vulnerabilities in the past, but the most recent one I found was actually back in

2018.

What's sort of interesting here, aside from the fact that over the last week or so, we all of a sudden saw an increase in scans for a jQuery

file upload is that it appears to be one specific attacker. Not only is it just one IP address doing it,

but it's also a very specific user agent.

And that user agent, we have seen it starting last year,

always looking for various file upload script.

So that appears what this particular attacker is targeting.

Allowing users to upload files is always dangerous in particular like jQuery file upload.

If you allow the uploads into the document route of your web server, or if you feed the files into third-party tools like

Image Magic, for example, for resolution adjustments, or to convert file formats.

And for developers, there's actually a nice blog post back from 2018 with these older

JQuery file upload vulnerabilities that illustrates how some

of these vulnerabilities happen and how they can be exploited.

And Oracle today released a special update for Oracle E Business Suite.

This is noteworthy because typically Oracle only releases security patches once a quarter.

The vulnerability itself does allow the unauthenticated exposure of confidential information,

in particular, PII. Now, a footnote also states that authentication may be required, but well,

...