Please, no scaremongering. Wikimedia sites are not vulnerable to this.
Yeah, sorry, but you know what they say about paranoid admins...
What I wasn't able to reproduce is a file which both passed the upload validation and which was executed by the Sun JRE... though I didn't
Well, that part works: http://commons.wikimedia.org/wiki/Image:Gifar.gif and test page at http://toolserver.org/~dschwen/test.html
try hard once I realized that the use of a different domain for uploading provided strong protection. It might well be that the upload
That is true. So there is no way to get to cookies at all? There are the wikipedia.org centralauth_Token and centralauth_User.
Would an applet not be able to read those in a browser that supports LiveConnect?
What the applet then would do with the cookies is another story.