Daniel Schwen wrote:
A more (or less) new form of exploit has just been
published [1]. By appending
a Java Archive (JAR) file to an image file (JPG/GIF), a hybrid file can be
created which will validate as both a valid JAR and a valid image.
The file can be uploaded to an image host and included as a Java applet on any
page on any host. The applet will have privileges to connect back to the
originating host and operate with all the account holder's privileges.
Wiki-Bot has been updated to detect them. More exactly, it is now
looking case-insensitively for manifest.mf (a jar without a manifest
would be innocuous, isn't it?)
This adds to its duties of verifying the uploaded files' type (gif
verification is quite lax, but you won't be able to append anything to a
png without triggering a "wrong png" warning), checking for embedded rar
files (very similar to this case) and notification of deleted files
being reuploaded.
If only the admins joined at #commons-image-uploads ...
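As an added example (not Wiki-Bot's code and not from anyone in this thread): a scanner that finds a ZIP/JAR glued onto the end of an uploaded image by parsing the ZIP end-of-central-directory record from the file's tail, then flags a case-insensitive MANIFEST.MF member the way the reply describes. The sample input is constructed here; a real upload would be read from disk.

```python
"""Scan an uploaded image for an appended ZIP/JAR (added example, not Wiki-Bot's code)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory signature
EOCD_LEN = 22              # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # the EOCD may be followed by a comment this long


def find_appended_archive(data: bytes):
    """Return None if ``data`` carries no ZIP structure, else a dict with the
    byte offset where the archive starts, its member names and a jar_like flag.

    A JAR appended to a GIF/JPG keeps its EOCD record at the very end of the
    file, so parsing from the tail finds it no matter what image precedes it.
    Assumes a plain (non-ZIP64) archive.
    """
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - MAX_COMMENT))
    if eocd == -1:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the archive's own start; every byte before that
    # start is the host image the archive was appended to.
    archive_start = eocd - cd_size - cd_offset
    if archive_start < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile tolerates prepended data
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    # Case-insensitive match, as the bot does; a JAR without a manifest is reported too.
    jar_like = any(n.lower().endswith("manifest.mf") for n in names)
    return {"archive_start": archive_start, "members": names, "jar_like": jar_like}


def build_sample(with_manifest: bool) -> bytes:
    """Constructed test input: a stub GIF header (not a real image) plus a tiny ZIP."""
    image = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3b"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return image + buf.getvalue()


if __name__ == "__main__":
    print(find_appended_archive(build_sample(True)))
```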