Edward Z. Yang wrote:
It seems like the subject has been brought up everywhere (such as English Wikipedia's Village Pump and a Wikinews talk page), but it hasn't been broached on wikitech-l yet. So that's what I'm going to do. It appears, from [[wikinews:Talk:Microsoft Windows metafiles are a vector for computer viruses]], that Commons accepts wmf files masquerading as ogg files. The security of MediaWiki installations on Windows platforms is also dubious.
For information purposes, what are the developers doing about it?
MediaWiki allowed the creation of <img> tags for types such as ogg; this is the worst aspect of this vulnerability, since it allows infection without user interaction. I've created an initial patch for this and applied it to Wikimedia websites. The only remaining vulnerability that we're aware of is if someone clicks on a link to a file and specifically tells their browser to open it in a program with magic number detection, such as MS Paint.
To be sure though, we're currently working on preventing the uploading of WMF files by magic number detection. Once both of these fixes are committed and backported, we'll do a release.
In the meantime, site administrators can apply the following patch to their 1.5 or 1.6 installations:
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-January/013086.html
Users of 1.4 should either upgrade to 1.5 or disable uploads.
-- Tim Starling
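The content-based check Tim describes, rejecting WMF by its header bytes rather than trusting the file extension, as an added illustration that is not the MediaWiki patch linked above. The sample uploads are constructed inline; the placeable-WMF signature (0x9AC6CDD7) and the METAHEADER field layout (mtType, mtHeaderSize, mtVersion) are the published WMF format values.

```python
import struct

# Leading bytes of the formats this thread is about.
OGG_MAGIC = b"OggS"
PLACEABLE_WMF_MAGIC = b"\x9a\xc6\xcd\xd7"  # 0x9AC6CDD7 stored little-endian


def looks_like_wmf(data: bytes) -> bool:
    """True if the leading bytes form a WMF header.

    Covers both the 'placeable' (Aldus) header and a bare METAHEADER, whose
    first three little-endian 16-bit fields are mtType (1 = memory, 2 = disk),
    mtHeaderSize (always 9) and mtVersion (0x0100 or 0x0300).
    """
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return True
    if len(data) < 6:
        return False
    mt_type, header_size, version = struct.unpack("<HHH", data[:6])
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def check_upload(filename: str, data: bytes) -> str:
    """Classify an upload by its content; the name alone is never trusted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if looks_like_wmf(data):
        return "reject: WMF content"
    if ext in ("ogg", "oga", "ogv") and not data.startswith(OGG_MAGIC):
        return "reject: extension claims Ogg but content is not Ogg"
    return "ok"


# Constructed sample uploads (not real files): genuine Ogg, two WMF variants
# renamed to .ogg, and a .ogg whose bytes are neither.
SAMPLES = {
    "clip.ogg": OGG_MAGIC + b"\x00\x02" + b"\x00" * 20,
    "placeable.ogg": PLACEABLE_WMF_MAGIC + b"\x00" * 18,
    "bare.ogg": bytes.fromhex("0100090000030000") + b"\x00" * 14,
    "bogus.ogg": b"not really audio data",
}


def scan_samples() -> dict:
    """Run the check over every sample and return the verdict per file."""
    return {name: check_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15s} {verdict}")
```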