Daniel Schwen wrote:
A more (or less) new form of exploit has just been published [1]. By appending a Java Archive (JAR) file to an image file (JPG/GIF), a hybrid file can be created which will validate as both a valid JAR and a valid image.
The file can be uploaded to an image host and included as a Java applet on any page on any host. The applet will have privileges to connect back to the originating host and operate with all the account holder's privileges.
Wiki-Bot has been updated to detect them. More exactly, it is now looking case-insensitively for manifest.mf (a jar without a manifest would be innocuous, isn't it?)
This adds to its duties of verifying the uploaded file's type (gif verification is quite lax, but you won't be able to append anything to a png without triggering a "wrong png" warning), checking for embedded rar files (very similar to this case) and notifying when deleted files are reuploaded.
If only the admins joined at #commons-image-uploads ...
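An added example, not part of this thread and not Wiki-Bot's code, sketching the two checks discussed above in Python: open an upload as a zip (Java's jar loader, like Python's zipfile, tolerates arbitrary data before the archive) and look case-insensitively for a manifest entry, and for PNGs count any bytes trailing the IEND chunk. The sample GIF, PNG and jar-like archive are constructed inline as fixtures.

```python
import io
import struct
import zipfile
import zlib

# Constructed fixtures: a minimal GIF89a (header + screen descriptor + trailer)
# and a minimal PNG (signature + IHDR + IEND, no IDAT; enough for a structure check).
CLEAN_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + png_chunk(b"IEND", b"")


def build_manifest_archive() -> bytes:
    """Zip carrying only a manifest entry; stands in for a jar in the tests (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def archive_entries(data: bytes) -> list:
    """Entry names if the blob parses as a zip (leading junk allowed), else []."""
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return []
    with zipfile.ZipFile(bio) as zf:
        return zf.namelist()


def looks_like_image(data: bytes) -> bool:
    return data[:6] in (b"GIF87a", b"GIF89a") or data[:2] == b"\xff\xd8" or data[:8] == PNG_SIG


def is_hybrid_image_jar(data: bytes) -> bool:
    """True when the upload is an image AND a zip with a manifest (case-insensitive)."""
    names = archive_entries(data)
    return looks_like_image(data) and any(n.lower().endswith("manifest.mf") for n in names)


def png_trailing_bytes(data: bytes) -> int:
    """Bytes after IEND; 0 for a well-formed PNG, -1 if not a PNG or IEND is missing."""
    if data[:8] != PNG_SIG:
        return -1
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field, type, body, CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1
```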