~Daniel Friesen(Dantman, Nadir-Seen-Fire) of:
-The Nadir-Point Group (http://nadir-point.com)
--It's Wiki-Tools subgroup (http://wiki-tools.com)
--The ElectronicMe project (http://electronic-me.org)
--Games-G.P.S. (http://ggps.org)
-And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)
--Animepedia (http://anime.wikia.com)
--Narutopedia (http://naruto.wikia.com)

Daniel Schwen wrote:
  

Even if Wikimedia is not vulnerable, many other MediaWiki installations
will be.
      

I'm not convinced yet that WikiMedia is not vulnerable!
While at first the upload.wikimedia.org subdomain seemed to offer protection, 
my tests at

http://toolserver.org/~dschwen/test.html

indicate that when using the url 
http://commons.wikimedia.org/wiki/Special:FilePath/Gifar.gif to load the 
applet, it has no rights to connect to upload.wikimedia.org

Unfortunately it is late right now, so I don't have time to confirm if the 
server of origin is indeed set to commons.wikimedia.org as it seems at first 
glance, but if it is then I think I found an attack vector.
    

Does anyone actually use Special:FilePath? This is not the first security
hole opened up by it, and the API could easily serve the same purpose.
Could it be removed?

-- Tim Starling