Edward Z. Yang wrote:
It seems like the subject has been brought up everywhere (such as English
Wikipedia's Village Pump and a Wikinews talk page), but it hasn't been
broached on wikitech-l yet. So that's what I'm going to do. It appears,
from [[wikinews:Talk:Microsoft Windows metafiles are a vector for
computer viruses]] that Commons accepts wmf files masquerading as ogg
files. The security of MediaWiki installations on Windows platforms is
also dubious.
For information purposes, what are the developers doing about it?
MediaWiki allowed the creation of <img> tags for types such as ogg; this
is the worst aspect of this vulnerability since it allows infection
without user interaction. I've created an initial patch for this and
applied it to Wikimedia websites. The only remaining vulnerability that
we're aware of is if someone clicks on a link to a file and specifically
tells their browser to open it in a program with magic number detection,
such as MS Paint.
To be sure though, we're currently working on preventing the uploading
of WMF files by magic number detection. Once both of these fixes are
committed and backported, we'll do a release.
In the meantime, site administrators can apply the following patch to
their 1.5 or 1.6 installations:
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-January/013086.html
Users of 1.4 should either upgrade to 1.5 or disable uploads.
-- Tim Starling
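As an added example (not MediaWiki's own code and not the patch linked above), here is a magic-number check of the kind the reply describes: it sniffs the first bytes of an upload and rejects WMF content even when the file arrives with an .ogg name. The WMF (standard and placeable) and Ogg magic bytes are assumed from the public format definitions, and the sample inputs are constructed.

```python
"""Magic-number gate for uploads: block WMF content regardless of extension."""

# Assumed from the public file-format definitions (not from the thread):
#   Standard WMF header: WORD FileType (1 = memory, 2 = disk), WORD HeaderSize (9)
#   Placeable (Aldus) WMF: key 0x9AC6CDD7 stored little-endian
#   Ogg container: ASCII capture pattern "OggS" at the start of every page
WMF_MAGICS = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00", b"\xd7\xcd\xc6\x9a")
OGG_MAGIC = b"OggS"


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OGG_MAGIC):
        return "ogg"
    if any(data.startswith(magic) for magic in WMF_MAGICS):
        return "wmf"
    return "unknown"


def is_upload_allowed(filename: str, data: bytes) -> tuple[bool, str]:
    """Reject WMF by content, and reject .ogg names whose content is not Ogg.

    The second rule closes the masquerading case: a browser or viewer that does
    its own magic-number detection would otherwise treat the 'ogg' as a WMF.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_type(data)
    if sniffed == "wmf":
        return False, "WMF magic number detected; WMF uploads are blocked"
    if ext == "ogg" and sniffed != "ogg":
        return False, "extension .ogg but content is not an Ogg container"
    return True, "ok"


# Constructed sample inputs: header bytes followed by filler, no real payloads.
SAMPLE_OGG = b"OggS" + b"\x00" * 28
SAMPLE_PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 28
SAMPLE_STD_WMF = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 26

if __name__ == "__main__":
    for name, blob in [("clip.ogg", SAMPLE_OGG),
                       ("clip.ogg", SAMPLE_PLACEABLE_WMF),
                       ("pic.wmf", SAMPLE_STD_WMF)]:
        print(name, sniff_type(blob), is_upload_allowed(name, blob))
```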