On Mon, Aug 11, 2008 at 11:29 PM, Daniel Schwen lists@schwen.de wrote:
Even if Wikimedia is not vulnerable, many other MediaWiki installations will be.
I'm not convinced yet that Wikimedia is not vulnerable! While at first the upload.wikimedia.org subdomain seemed to offer protection, my tests at
http://toolserver.org/~dschwen/test.html
indicate that when using the URL http://commons.wikimedia.org/wiki/Special:FilePath/Gifar.gif to load the applet, it has no rights to connect to upload.wikimedia.org.
Unfortunately it is late right now, so I don't have time to confirm if the server of origin is indeed set to commons.wikimedia.org as it seems at first glance, but if it is then I think I found an attack vector.
If there is a way around it (via things like the file path redirect) then it would be very good to figure that out. I hadn't considered that set of possibilities at all... if that's the case then it's more of a concern than just gifar... there are several other ways to upload browser-executable code (even Java)... But it's been the standing belief that the domain and IP separation provided protection.