[Commons-l] GIFAR vulnerability and commons

Platonides Platonides at gmail.com
Tue Aug 12 14:14:59 UTC 2008


Daniel Schwen wrote:
> A more (or less) new form of exploit has just been published [1]. By appending 
> a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be 
> created which will validate as both a valid JAR and a valid image.
> 
> The file can be uploaded to an image host and included as a Java-Applet on any 
> page on any host. The applet will have privileges to connect back to the 
> originating host and operate with all the account holder's privileges.

Wiki-Bot has been updated to detect them. More exactly, it is now 
looking case-insensitively for manifest.mf (a jar without a manifest 
would be innocuous, wouldn't it?)

This adds to its duties of verifying the uploaded files' type (gif 
verification is quite lax, but you won't be able to append anything to a 
png without triggering a "wrong png" warning), checking for embedded rar 
files (very similar to this case) and notification of deleted files 
being reuploaded.

If only the admins joined at #commons-image-uploads ...
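
The check described in the message above, as an added example that is not part of the original post and is not Wiki-Bot's code: a raw case-insensitive search for manifest.mf, plus a stricter parse of any ZIP structure found in the upload. The function names, finding labels and sample bytes are constructed for illustration.

```python
import io
import re
import zipfile

# Constructed sample: a minimal 1x1 GIF.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
IMAGE_MAGICS = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record; a JAR is a ZIP
MANIFEST_RE = re.compile(rb"manifest\.mf", re.IGNORECASE)


def scan_upload(data: bytes) -> list[str]:
    """Return finding labels (hypothetical names) for one uploaded file."""
    findings = []
    if not data.startswith(IMAGE_MAGICS):
        findings.append("not-an-image")
    # The check from the message: manifest.mf anywhere, any letter case.
    # ZIP stores entry names uncompressed, so a byte search sees them.
    if MANIFEST_RE.search(data):
        findings.append("manifest-name")
    # Stricter: ZIP readers locate the archive from the end of the file,
    # so image bytes in front do not stop it from parsing.
    if EOCD_SIG in data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("zip-signature")  # marker present, not parseable
        else:
            findings.append("zip-archive")
            if any(n.lower() == "meta-inf/manifest.mf" for n in names):
                findings.append("jar-manifest")
    return findings


def make_hybrid_sample() -> bytes:
    """Constructed input: TINY_GIF followed by a one-entry ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/Manifest.mf", "Manifest-Version: 1.0\n")
    return TINY_GIF + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", TINY_GIF), ("hybrid", make_hybrid_sample())):
        print(label, scan_upload(blob))
```

The raw search alone also matches an image whose comment field happens to contain the string, which is why the example reports the parsed-archive findings separately.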



