AIUI, a GIFAR hosted on upload.wikimedia.org marked as a gif file can do anything with cookies that a standard applet could if hosted on upload.wikimedia.org (if jar were a permitted file type). That *should* be limited to reading (and writing?) cookies for upload.wikimedia.org and .wikimedia.org, neither of which have valuable cookies.
Not storing anything valuable under .wikimedia.org is why you have to go through [[special:userlogin]] manually for wikispecies and other smallish wikimedia.org subdomain wikis, and you need to load a separate image on [[special:userlogin]] for each of the larger wikimedia.org subdomains that you want to work automatically, but Wikipedias and other projects with their own second level domain have SUL for all languages just by loading a single image; .wikipedia.org, .wikibooks.org, etc. do have valuable cookies.
--Jeremy
[[w:en:user:jeremyb]] (globally with SUL)
On Aug 11, 2008, at 6:41 PM, Daniel Schwen wrote:
Please no scare mongering. Wikimedia sites are not vulnerable to this.
Yeah, sorry, but you know what they say about paranoid admins...
What I wasn't able to reproduce is a file which both passed the upload validation and which was executed by the Sun JRE... though I didn't
Well, that part works: http://commons.wikimedia.org/wiki/Image:Gifar.gif and test page at http://toolserver.org/~dschwen/test.html
try hard once I realized that the use of a different domain for uploading provided strong protection. It might well be that the upload
That is true. So there is no way to get to cookies at all? There are the wikipedia.org centralauth_Token and centralauth_User
would an applet not be able to read those in a browser that supports LiveConnect?
What the applet then would do with the cookies is another story.
[[en:User:Dschwen]] [[de:Benutzer:Dschwen]] [[commons:User:Dschwen]]
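
Added example, not part of the original thread: the cookie scoping argument above, modelled with the RFC 6265 domain-match rule. The cookie jar is constructed; only the names centralauth_Token and centralauth_User and the domains come from the thread, while `commons_session` and `shared_pref` are hypothetical names.

```javascript
// RFC 6265 section 5.1.3 domain-match, applied to the hosts discussed in the thread.
function canonicalize(host) {
  // Lower-case, drop a leading dot (as in ".wikimedia.org") and a trailing root dot.
  return host.toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// True when a cookie with Domain=cookieDomain is in scope for requestHost.
function domainMatch(requestHost, cookieDomain) {
  const host = canonicalize(requestHost);
  const domain = canonicalize(cookieDomain);
  if (host === domain) return true;
  if (isIpLiteral(host)) return false;   // IP addresses only match exactly
  return host.endsWith("." + domain);    // suffix match on a label boundary
}

// Names of the cookies in the jar that content served from requestHost can reach.
// hostOnly marks a cookie set without a Domain attribute (exact host only).
function cookiesVisibleTo(requestHost, jar) {
  return jar
    .filter(c => c.hostOnly
      ? canonicalize(requestHost) === canonicalize(c.domain)
      : domainMatch(requestHost, c.domain))
    .map(c => c.name);
}

// Constructed sample jar (assumption, not real browser state).
const CONSTRUCTED_JAR = [
  { name: "centralauth_Token", domain: ".wikipedia.org", hostOnly: false },
  { name: "centralauth_User", domain: ".wikipedia.org", hostOnly: false },
  { name: "commons_session", domain: "commons.wikimedia.org", hostOnly: true },
  { name: "shared_pref", domain: ".wikimedia.org", hostOnly: false },
];

// Summarise exposure per host, e.g. for the upload domain versus a wiki domain.
function exposureReport(hosts, jar) {
  const report = {};
  for (const h of hosts) report[h] = cookiesVisibleTo(h, jar);
  return report;
}

console.log(exposureReport(
  ["upload.wikimedia.org", "commons.wikimedia.org", "en.wikipedia.org"],
  CONSTRUCTED_JAR));
```

Content served from upload.wikimedia.org reaches only the parent-domain cookie in this jar, which is why keeping nothing valuable under .wikimedia.org matters.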