Is there any circumstance where Commons would validly host a Java file? If no, could this be filtered out in some way?
Joe
On Mon, Aug 11, 2008 at 9:25 AM, Daniel Schwen lists@schwen.de wrote:
A more (or less) new form of exploit has just been published [1]. By appending a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be created which will validate as both a valid JAR and a valid image.
The file can be uploaded to an image host and included as a Java-Applet on any page on any host. The applet will have privileges to connect back to the originating host and operate with all the account holder's privileges.
Commons seems to be a target for such an attack. Upload is easy, although I'm not too sure about the damage potential. I suppose if an administrator's account would get compromised an applet could be manufactured to mass delete content or mass block users.
Anyhow. I was just surprised that nobody posted this already.
[1]
http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online...
[[en:User:Dschwen]] [[de:Benutzer:Dschwen]] [[commons:User:Dschwen]]
Commons-l mailing list Commons-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/commons-l
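As an illustration of the filtering Joe asks about, here is an added example (not code from this thread, from MediaWiki or from Commons) of an upload check that looks for a ZIP/JAR archive riding behind an image header. A JAR is a ZIP archive, and ZIP readers (Java's included) locate the archive by scanning backwards from the end of the file for the end-of-central-directory record, ignoring whatever was prepended. The check below applies the same logic from the defender's side: it parses that record, works out how many bytes precede the archive, and rejects any upload that is both an image and a consistent archive. The function names, the `should_reject` policy and the sample files are all constructed for this example.

```python
"""Detect image uploads that also parse as a ZIP/JAR archive (the hybrid file
described in the thread).

A ZIP reader finds the archive by scanning backwards from the end of the file
for the end-of-central-directory (EOCD) record; bytes in front of the archive
are ignored, which is why an image with a JAR appended still loads as a JAR.
An upload filter can mirror that logic and reject the polyglot.
"""
import io
import struct
import zipfile

# Magic bytes for the image formats the thread mentions (plus PNG).
IMAGE_MAGICS = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
EOCD_MIN = 22           # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF    # the trailing comment length is a 16-bit field
EOCD_STRUCT = struct.Struct("<4sHHHHIIH")


def image_type(data: bytes):
    """Return the image format whose magic bytes open `data`, or None."""
    for name, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def find_eocd(data: bytes):
    """Locate the EOCD record the way a ZIP reader does: scan backwards through
    the last 22 + 65535 bytes for a record that ends exactly at end of file.
    Returns (offset, unpacked fields) or None."""
    window_start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, window_start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            fields = EOCD_STRUCT.unpack_from(data, pos)
            comment_len = fields[7]
            if pos + EOCD_MIN + comment_len == len(data):
                return pos, fields
        pos = data.rfind(EOCD_SIG, window_start, pos)
    return None


def analyse_upload(data: bytes) -> dict:
    """Classify an upload: which image header it carries (if any) and whether a
    structurally consistent ZIP archive sits in its tail."""
    fmt = image_type(data)
    verdict = {"image": fmt, "embedded_archive": False, "archive_offset": None}
    found = find_eocd(data)
    if found is None:
        return verdict
    eocd_pos, (_, _, _, _, entries, cd_size, cd_offset, _) = found
    # Offsets inside the archive are relative to the archive's own first byte,
    # so the gap between where the central directory claims to end and where
    # the EOCD actually sits is the length of the prepended data (the image).
    archive_start = eocd_pos - (cd_offset + cd_size)
    if archive_start < 0:
        return verdict
    cd_pos = archive_start + cd_offset
    if entries and data[cd_pos:cd_pos + 4] != CDIR_SIG:
        return verdict          # EOCD-looking bytes, but no central directory
    verdict.update(embedded_archive=True, archive_offset=archive_start)
    return verdict


def should_reject(data: bytes) -> bool:
    """Upload policy: accept only files that are an image and nothing else."""
    result = analyse_upload(data)
    return result["image"] is None or result["embedded_archive"]


# --- constructed fixtures for a local run (not real Commons uploads) ---------
def _minimal_gif() -> bytes:
    """Smallest structurally valid GIF89a: header, 1x1 screen descriptor, trailer."""
    return b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"


def _plain_zip() -> bytes:
    """A small ZIP holding one text entry, built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "constructed sample")
    return buf.getvalue()


CLEAN_GIF = _minimal_gif()
HYBRID = CLEAN_GIF + _plain_zip()   # image header in front, archive behind

if __name__ == "__main__":
    for label, blob in (("clean gif", CLEAN_GIF), ("gif+zip", HYBRID)):
        print(label, analyse_upload(blob), "reject" if should_reject(blob) else "accept")
```

The important design point is that the filter does not trust the file extension or the leading magic bytes, both of which are exactly what the hybrid file gets right; it checks for the trailing structure the JAR loader depends on. Checking the image's own end marker instead (the GIF `;` trailer or the JPEG `FFD9` end-of-image) would catch this case too, but only for the formats you enumerate, whereas the EOCD scan catches any ZIP-based payload behind any image header.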