[Commons-l] GIFAR vulnerability and commons
Daniel Schwen
lists at schwen.de
Mon Aug 11 16:25:59 UTC 2008
A more (or less) new form of exploit has just been published [1]. By appending
a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be
created which will validate as both a valid JAR and a valid image.
The file can be uploaded to an image host and included as a Java-Applet on any
page on any host. The applet will have privileges to connect back to the
originating host and operate with all the account holders privileges.
Commons seems to be a target for such an attack. Upload is easy, although I'm
not to sure about the damage potential. I suppose if an administrators
account would get compromised an applet could be manufactured to mass delete
content or mass block users.
Anyhow. I was just surprised that nobody posted this already.
[1]
http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html
--
[[en:User:Dschwen]]
[[de:Benutzer:Dschwen]]
[[commons:User:Dschwen]]
More information about the Commons-l
mailing list