On 18 Dec 2014, at 09:01, Brian Wolff bawolff@gmail.com wrote:
I don't disagree that it's a bug, but in order to exploit it a user would have to:
* Convince a user to go to the rather obscure thumb.php page
* Already have the ability to add javascript to any page on the wiki
In which case, why wouldn't the evil malicious user just insert javascript on the normal page everyone is looking at? That's both more effective and probably less noticeable. Thus I don't see how it exposes any new security issues that aren't already present. Of course, I may simply be missing the nature of the "circumstances" that you reference in your comment.
--bawolff
p.s. Given there is now a fix released, I think it's important to be able to have frank discussions about security issues. After all, the best way to prevent future security issues is to make sure everyone understands the past issues, so that people don't make the same mistake again.
The circumstances I meant do not involve an administrator with malicious intent.
I agree they should be disclosed, but this particular issue aside, I don't think we should publicly discuss the full HowTo, yet. It's too soon after release.
CVE applies a very strict policy on that as well (maybe too strict), and the same goes for other trackers and tech organisations. Feel free to ask me on IRC or elsewhere in private, though.
— Krinkle