[Commons-l] GIFAR vulnerability and commons

Joe Szilagyi szilagyi at gmail.com
Mon Aug 11 16:46:18 UTC 2008


Is there any circumstance where Commons would validly host a Java file? If
no, could this be filtered out in some way?

Joe



On Mon, Aug 11, 2008 at 9:25 AM, Daniel Schwen <lists at schwen.de> wrote:

> A more (or less) new form of exploit has just been published [1]. By appending
> a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be
> created which will validate as both a valid JAR and a valid image.
>
> The file can be uploaded to an image host and included as a Java-Applet on any
> page on any host. The applet will have privileges to connect back to the
> originating host and operate with all the account holder's privileges.
>
> Commons seems to be a target for such an attack. Upload is easy, although I'm
> not too sure about the damage potential. I suppose if an administrator's
> account would get compromised an applet could be manufactured to mass delete
> content or mass block users.
>
> Anyhow. I was just surprised that nobody posted this already.
>
> [1] http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html
> --
> [[en:User:Dschwen]]
> [[de:Benutzer:Dschwen]]
> [[commons:User:Dschwen]]
>
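As an added illustration of the filtering Joe asks about (example code written for this page, not anything from Commons or MediaWiki): a detector that flags an upload which passes an image magic-number check but also ends in the ZIP end-of-central-directory record that a JAR reader would find. The sample image and archive are constructed inline; the image magic list and the 64 KiB comment bound are assumptions taken from the GIF/JPEG/PNG and ZIP formats.

```python
import io
import struct
import zipfile

# Image signatures an upload filter would normally accept.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature
EOCD_LEN = 22             # fixed size of the EOCD record
MAX_COMMENT = 0xFFFF      # the EOCD may be followed by up to 64 KiB of comment

def image_type(data: bytes):
    """Image type by magic bytes, or None if not a known image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def find_zip_eocd(data: bytes):
    """Offset of a plausible EOCD record at the tail of data, or None.
    ZIP/JAR readers locate an archive by scanning backwards from the end
    of the file, so whatever precedes it (an image, say) is ignored."""
    tail_start = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, tail_start)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_LEN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, tail_start, pos)
    return None

def classify_upload(data: bytes) -> str:
    """'image', 'hybrid' (image with a ZIP/JAR trailer), 'zip' or 'other'."""
    img, eocd = image_type(data), find_zip_eocd(data)
    if img:
        return "hybrid" if eocd is not None else "image"
    return "zip" if eocd is not None else "other"

# Constructed samples (not real uploads): a 1x1 GIF and a one-entry text ZIP.
PLAIN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")

def constructed_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # plain ZIP, not a JAR, no applet
        zf.writestr("note.txt", "constructed test entry\n")
    return buf.getvalue()

HYBRID_GIF = PLAIN_GIF + constructed_zip()
```

Re-encoding every accepted image through an image library on upload is the more robust fix, since it drops any trailing bytes the original carried.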