Is there any circumstance where Commons would validly host a Java file? If no, could this be filtered out in some way?

Joe



On Mon, Aug 11, 2008 at 9:25 AM, Daniel Schwen <lists@schwen.de> wrote:
A more (or less) new form of exploit has just been published [1]. By appending
a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be
created which will validate as both a valid JAR and a valid image.

The file can be uploaded to an image host and included as a Java-Applet on any
page on any host. The applet will have privileges to connect back to the
originating host and operate with all the account holder's privileges.

Commons seems to be a target for such an attack. Upload is easy, although I'm
not too sure about the damage potential. I suppose if an administrator's
account got compromised, an applet could be manufactured to mass delete
content or mass block users.

Anyhow. I was just surprised that nobody posted this already.

[1] http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html
--
[[en:User:Dschwen]]
[[de:Benutzer:Dschwen]]
[[commons:User:Dschwen]]

_______________________________________________
Commons-l mailing list
Commons-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/commons-l