<div dir="ltr">Is there any circumstance where Commons would validly host a Java file? If no, could this be filtered out in some way?<br><br>Joe<br><br><br><br><div class="gmail_quote">On Mon, Aug 11, 2008 at 9:25 AM, Daniel Schwen <span dir="ltr"><<a href="mailto:lists@schwen.de">lists@schwen.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">A more (or less) new form of exploit has just been published [1]. By appending<br>
a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be<br>
created which will validate as both a valid JAR and a valid image.<br>
<br>
The file can be uploaded to an image host and included as a Java-Applet on any<br>
page on any host. The applet will have privileges to connect back to the<br>
originating host and operate with all the account holders privileges.<br>
<br>
Commons seems to be a target for such an attack. Upload is easy, although I'm<br>
not to sure about the damage potential. I suppose if an administrators<br>
account would get compromised an applet could be manufactured to mass delete<br>
content or mass block users.<br>
<br>
Anyhow. I was just surprised that nobody posted this already.<br>
<br>
[1]<br>
<a href="http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html" target="_blank">http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html</a><br>
--<br>
[[en:User:Dschwen]]<br>
[[de:Benutzer:Dschwen]]<br>
[[commons:User:Dschwen]]<br>
<br>
_______________________________________________<br>
Commons-l mailing list<br>
<a href="mailto:Commons-l@lists.wikimedia.org">Commons-l@lists.wikimedia.org</a><br>
<a href="https://lists.wikimedia.org/mailman/listinfo/commons-l" target="_blank">https://lists.wikimedia.org/mailman/listinfo/commons-l</a><br>
</blockquote></div><br>
</div>