On Mon, Aug 11, 2008 at 9:44 PM, Tim Starling <tstarling(a)wikimedia.org> wrote:
> Gregory Maxwell wrote:
>> Please no scare mongering. Wikimedia sites are not vulnerable to this.
>> I reproduced the vulnerability the day it hit Slashdot and determined
>> that it posed no special risk to us.
>> [...]
>> The reason that Wikimedia sites are not vulnerable is that Wikimedia
>> sites confine all user-uploaded files to upload.wikimedia.org, which
>> holds nothing but these files. XSS attacks via uploaded files (which
>> is what this effectively is, though it's using Java) end up confined
>> by browser behaviour to only access that particular domain (or IP, in
>> the case of Java). Since there is nothing worth targeting on that IP
>> (no login, no cookies, no forms, etc.) it couldn't do much.
>
> All the same, I'd rather not have such files on our servers. I'm glad
> someone finally reported this, and it would have been nice if you had
> filed a bug at the time.
>
> Even if Wikimedia is not vulnerable, many other MediaWiki installations
> will be.

I wasn't able to produce a Sun JRE executable GIF that I could upload
at the time, since anything I got Sun to execute failed magin.. but
then again the full exploit was "secret".. So I saw no bug to file.

.... taking another related vulnerability off list then...
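The thread does not say how the "executable gif" is built, and the exploit was not public at the time. The example below is added here and is not code from the thread, from Wikimedia or from MediaWiki. It assumes (an assumption, not stated above) that the file in question is a GIF with a JAR (ZIP) archive appended: GIF decoders stop at the trailer byte and ignore whatever follows, while the JVM, like Python's zipfile, finds an archive by scanning backwards from the end of the file for the End of Central Directory record, so one file satisfies both parsers. For installations that cannot put uploads on a separate domain, the upload check below walks the GIF block structure, reports whether a loadable archive is riding on the tail, and re-emits only the bytes the image parser consumes. The GIF and the JAR are constructed inline; the class entry is a placeholder, not bytecode.

```python
"""Added example: detect and strip an archive appended to a GIF upload.
Assumes (not from the thread) a GIF + JAR polyglot; sample data is constructed here."""
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"
EOCD_MIN = 22          # fixed size of the End of Central Directory record
MAX_COMMENT = 0xFFFF   # a zip comment may push the EOCD this far from the end


def make_minimal_gif() -> bytes:
    """Constructed 1x1 GIF89a: header, screen descriptor, 2-entry colour table,
    one image block and the 0x3B trailer."""
    lsd = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)      # 1x1, global colour table flag set
    gct = b"\x00\x00\x00\xff\xff\xff"
    image_desc = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    image_data = b"\x02\x02\x44\x01\x00"               # LZW min code 2, one sub-block, terminator
    return b"GIF89a" + lsd + gct + image_desc + image_data + b"\x3b"


def make_jar(class_name: str = "Applet.class") -> bytes:
    """Constructed JAR: manifest plus a placeholder class entry (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(class_name, b"\xca\xfe\xba\xbe placeholder")
    return buf.getvalue()


def find_eocd(data: bytes) -> int:
    """Offset of the ZIP EOCD record, or -1. Mirrors how archive readers locate it:
    scan backwards from the end and accept a candidate whose comment length fits."""
    start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_MIN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)
    return -1


def embedded_archive_entries(data: bytes) -> list:
    """Entry names of an archive hidden in the upload; empty list if there is none."""
    if find_eocd(data) == -1:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:   # zipfile tolerates prepended data
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def is_image_jar_polyglot(data: bytes) -> bool:
    """True when the upload starts as a GIF and also carries a loadable archive."""
    return data[:6] in GIF_MAGICS and bool(embedded_archive_entries(data))


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer.
    Bytes beyond that offset are foreign to the image. Raises ValueError if malformed."""
    if data[:6] not in GIF_MAGICS or len(data) < 13:
        raise ValueError("not a GIF")
    pos = 13                                    # header + logical screen descriptor
    if data[10] & 0x80:                         # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (data[10] & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        block = data[pos]
        if block == 0x3B:                       # trailer
            return pos + 1
        if block == 0x2C:                       # image descriptor (10 bytes)
            if pos + 10 > len(data):
                raise ValueError("truncated GIF")
            lflags = data[pos + 9]
            pos += 10
            if lflags & 0x80:                   # local colour table
                pos += 3 * (2 << (lflags & 0x07))
            pos += 1                            # LZW minimum code size byte
        elif block == 0x21:                     # extension: label byte, then sub-blocks
            pos += 2
        else:
            raise ValueError("unknown block 0x%02x at %d" % (block, pos))
        while True:                             # data sub-blocks end with a zero-length block
            if pos >= len(data):
                raise ValueError("truncated GIF")
            size = data[pos]
            pos += 1 + size
            if size == 0:
                break


def strip_trailing_data(data: bytes) -> bytes:
    """Re-emit only what the GIF parser consumes; an appended archive is dropped."""
    return data[: gif_end_offset(data)]


if __name__ == "__main__":
    upload = make_minimal_gif() + make_jar()
    print("polyglot:", is_image_jar_polyglot(upload), embedded_archive_entries(upload))
    print("after strip:", is_image_jar_polyglot(strip_trailing_data(upload)))
```

Rejecting on `is_image_jar_polyglot` is the conservative choice; `strip_trailing_data` is the repair for sites that would rather keep the image. Neither replaces the separate-domain arrangement the thread describes, since other formats with an ignored tail (PNG, JPEG) need their own walkers, and the walker must be the one that is actually in front of the upload, not a magic-number sniff.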