[Commons-l] GIFAR vulnerability and commons

Tim Starling tstarling at wikimedia.org
Tue Aug 12 01:44:07 UTC 2008


Gregory Maxwell wrote:
> Please no scare mongering. Wikimedia sites are not vulnerable to this.
> 
> I reproduced the vulnerability the day it hit Slashdot and determined
> that it posed no special risk to us.

[...]

> The reason that Wikimedia sites are not vulnerable is that wikimedia
> sites confine all user uploaded files to upload.wikimedia.org which
> holds nothing but these files. XSS attacks via uploaded files (which
> is what this effectively is, though it's using Java) end up confined
> by browser behaviour to only access that particular domain (or IP, in
> the case of Java). Since there is nothing worth targeting on that IP
> (no login, no cookies, no forms, etc) it couldn't do much.

All the same, I'd rather not have such files on our servers. I'm glad
someone finally reported this, and it would have been nice if you filed a
bug at the time.

Even if Wikimedia is not vulnerable, many other MediaWiki installations
will be.

-- Tim Starling
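Keeping such files off the servers, as Tim prefers, means catching them at upload time. The following is an added example written for this post (my own code, not MediaWiki's upload filter): it flags a file that begins with an image signature but also carries a parseable ZIP central directory at its tail, which is the structure that lets a GIF double as a JAR, because the JVM locates a JAR's contents from the end of the file while image decoders start from the front. The GIF bytes and the ZIP are constructed here purely as test inputs.

```python
import io
import struct
import zipfile

# Leading magic bytes of image formats an upload filter would normally accept.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

# ZIP end-of-central-directory signature. ZIP/JAR readers search backwards
# from the end of the file for this record, so anything prepended to a ZIP
# (such as a complete GIF) is simply ignored by them.
EOCD_SIG = b"PK\x05\x06"
EOCD_MIN = 22          # fixed size of the EOCD record
MAX_COMMENT = 0xFFFF   # a trailing comment can push the record up to 64 KiB from the end


def looks_like_image(data: bytes) -> bool:
    return data.startswith(IMAGE_MAGIC)


def has_trailing_zip(data: bytes) -> bool:
    """True if the tail of the data carries a parseable ZIP central directory."""
    tail = data[-(EOCD_MIN + MAX_COMMENT):]
    if EOCD_SIG not in tail:
        return False
    try:
        # zipfile tolerates prepended data, exactly as a JAR loader would.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None and len(zf.namelist()) > 0
    except zipfile.BadZipFile:
        return False


def is_image_zip_polyglot(data: bytes) -> bool:
    """Reject uploads that are an image at the front and a ZIP/JAR at the back."""
    return looks_like_image(data) and has_trailing_zip(data)


def build_constructed_samples():
    """Constructed test inputs: a minimal 1x1 GIF, a tiny ZIP, and their concatenation."""
    gif = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # header + logical screen
           + b"\x00\x00\x00\xff\xff\xff"                         # two-colour palette
           + b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"            # image descriptor
           + b"\x02\x02\x44\x01\x00;")                           # LZW data + trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless placeholder entry")  # plain text, not an applet
    zip_bytes = buf.getvalue()
    return gif, zip_bytes, gif + zip_bytes
```

Note that `testzip()` reads every entry, so on large uploads the check costs a full pass over the file; the cheap `EOCD_SIG` scan alone already rules out the vast majority of genuine images.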
