[Commons-l] GIFAR vulnerability and commons

Gregory Maxwell gmaxwell at gmail.com
Tue Aug 12 04:42:45 UTC 2008


On Mon, Aug 11, 2008 at 9:44 PM, Tim Starling <tstarling at wikimedia.org> wrote:
> Gregory Maxwell wrote:
>> Please no scare mongering. Wikimedia sites are not vulnerable to this.
>>
>> I reproduced the vulnerability the day it hit Slashdot and determined
>> that it posed no special risk to us.
>
> [...]
>
>> The reason that Wikimedia sites are not vulnerable is that wikimedia
>> sites confine all user uploaded files to upload.wikimedia.org which
>> holds nothing but these files.   XSS attacks via uploaded files (which
>> is what this effectively is, though it's using Java) end up confined
>> by browser behaviour to only access that particular domain (or IP, in
>> the case of Java). Since there is nothing worth targeting on that IP
>> (no login, no cookies, no forms, etc) it couldn't do much.
>
> All the same, I'd rather not have such files on our servers. I'm glad
> someone finally reported this, and it would have been nice if you filed a
> bug at the time.
>
> Even if Wikimedia is not vulnerable, many other MediaWiki installations
> will be.

I wasn't able to produce a Sun JRE executable gif that I could upload
at the time, since anything I got Sun to execute failed magic.. but
then again the full exploit was "secret".. So I saw no bug to file.

.... taking another related vulnerability off list then...
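A server-side check that other MediaWiki installations could run at upload time, as an added example that is neither MediaWiki's code nor from anyone in this thread: it walks the GIF block structure to find where the image really ends and rejects a file that is also an archive (a JAR is a ZIP), whether the archive follows the GIF trailer or is hidden inside the image data. The sample files are constructed for the demonstration and are not working Java archives.

```python
from typing import Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # ZIP local file header / end of central directory

def _colour_table_size(flags: int) -> int:
    # Bit 7 = table present; low 3 bits n give 2^(n+1) entries of 3 bytes each.
    return 3 * (2 ** ((flags & 0x07) + 1)) if flags & 0x80 else 0

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Data sub-blocks: a length byte then that many bytes, ended by a zero length byte.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos

def gif_logical_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer byte (0x3B)."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        raise ValueError("not a GIF")
    pos = 13 + _colour_table_size(data[10])  # header + logical screen descriptor + global table
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:  # trailer: the image ends here
            return pos
        if block == 0x21:  # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C and pos + 9 <= len(data):  # image descriptor, local table, LZW size, sub-blocks
            pos += 9 + _colour_table_size(data[pos + 8])
            pos = _skip_sub_blocks(data, pos + 1)
        else:
            raise ValueError(f"bad or truncated block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("missing trailer")

def polyglot_reason(data: bytes) -> Optional[str]:
    """Why the upload should be rejected as a GIF/archive polyglot, or None if it looks clean."""
    extra = len(data) - gif_logical_end(data)
    if extra:
        return f"{extra} bytes after GIF trailer"
    hit = next((sig for sig in ZIP_SIGNATURES if sig in data), None)
    return f"ZIP signature {hit!r} inside image data" if hit else None

# Constructed samples: a structurally minimal 1x1 GIF, and the same bytes with a ZIP
# end-of-central-directory record appended (not a working archive, just its signature).
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x2c" + b"\x00" * 4
             + b"\x01\x00\x01\x00\x00" + b"\x02" + b"\x02\x44\x01" + b"\x00" + b"\x3b")
POLYGLOT_GIF = CLEAN_GIF + b"PK\x05\x06" + b"\x00" * 18
```

Rejecting anything after the trailer is deliberately strict; a legitimate encoder never leaves bytes there, and the domain isolation described above remains the real containment for whatever the check misses.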
