On Mon, Aug 11, 2008 at 11:29 PM, Daniel Schwen <lists(a)schwen.de> wrote:
> Even if Wikimedia is not vulnerable, many other MediaWiki installations
> will be.
>
> I'm not convinced yet that Wikimedia is not vulnerable!
> While at first the upload.wikimedia.org subdomain seemed to offer
> protection, my tests at http://toolserver.org/~dschwen/test.html
> indicate that when using the URL
> http://commons.wikimedia.org/wiki/Special:FilePath/Gifar.gif to load the
> applet, it has no rights to connect to upload.wikimedia.org.
>
> Unfortunately it is late right now, so I don't have time to confirm if the
> server of origin is indeed set to commons.wikimedia.org as it seems at
> first glance, but if it is then I think I found an attack vector.

If there is a way around it (via things like the file path redirect)
then it would be very good to figure that out. I hadn't considered
that set of possibilities at all... if that's the case then it's more
of a concern than just gifar... there are several other ways to upload
browser-executable code (even Java)... But it's been the standing
belief that the domain and IP separation provided protection.