We're tightening up security on the uploads due to exploitable Internet Explorer and Safari bugs that allow for scripting attacks to steal session and saved password cookies.
For the moment uploads are limited to the default extension whitelist: 'png', 'gif', 'jpg', 'jpeg', 'ogg'. Other types of files can't be uploaded to the wikis until we expand it again, but files already uploaded remain accessible.
-- brion vibber (brion @ pobox.com)
On Sep 23, 2004, at 1:09 PM, Brion Vibber wrote:
> We're tightening up security on the uploads due to exploitable Internet Explorer and Safari bugs that allow for scripting attacks to steal session and saved password cookies.
Safari's been rendered safe by using application/x-wiki instead of text/plain or application/octet-stream for text and default mime types.
IE 6 -- even on the brand spanking new Windows XP Service Pack 2 -- remains vulnerable to HTML+JavaScript attacks in files with (at least) the following spoofed extensions:
Already blacklisted:
* htm html phtml php

Now protected by a validity check at upload time:
* png jpg jpeg gif bmp

Still vulnerable, but disallowed by the whitelist for now:
* txt pdf ps eps avi mpg mpeg bin class <- not yet protected
The problem is that IE ignores *both* the Content-Type header *and* the file extension if it "recognizes" the extension, and follows the existence of HTML fragments in the first 256 bytes like a weary sailor following a siren to a watery grave.
I'm also running a check on all uploads to find HTML/JavaScript snippets still remaining. Mostly I'm seeing a handful of wiki pages that were accidentally(?) saved as HTML and uploaded with an image file extension, probably due to clicking 'save' on the wrong thing.
-- brion vibber (brion @ pobox.com)
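An upload-time check of the kind described in the message above, as an added example that is not part of the original thread and is not MediaWiki's code. The function name `check_upload`, the magic-byte comparison standing in for the validity test (the thread does not say how its test works), and the list of markup openers are assumptions made for illustration.

```python
import re

SNIFF_WINDOW = 256  # bytes IE inspects, per the message above
WHITELIST = {"png", "gif", "jpg", "jpeg", "ogg"}  # default whitelist from the thread

# Leading magic bytes for the image types the thread lists as validity-checked.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}

# Assumption: an illustrative set of markup openers, not IE's actual sniffing table.
HTML_HINT = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|title|iframe|object|embed|img|table)\b|<!--",
    re.IGNORECASE,
)

def check_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in WHITELIST:
        reasons.append("extension-not-whitelisted")
    magics = MAGIC.get(ext)
    if magics and not data.startswith(magics):
        reasons.append("magic-mismatch")
    if HTML_HINT.search(data[:SNIFF_WINDOW]):
        reasons.append("html-in-sniff-window")
    return reasons

# Constructed sample uploads (not real files from any wiki).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(32),
    "anim.gif": b"GIF89a<html><body>saved wiki page</body></html>",
    "page.jpg": b"<!DOCTYPE html><html><title>Saved page</title></html>",
    "notes.txt": b"plain text notes\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob) or "accept")
```

The `anim.gif` sample shows why the two checks are separate: it has valid GIF magic bytes, so only the scan of the first 256 bytes rejects it.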
What about the JPEG bug in Windows/GDI+?
http://www.easynews.com/virus.html
Is there some test that the image file is valid?
Regards, Stephan Walter
Brion Vibber wrote:
> We're tightening up security on the uploads due to exploitable Internet Explorer and Safari bugs that allow for scripting attacks to steal session and saved password cookies.
On Sep 28, 2004, at 9:50 AM, Stephan Walter wrote:
> What about the JPEG bug in Windows/GDI+?
At least there's a *patch* for that. If you're up on your Windows Updates, IE should not be vulnerable to that AFAIK.
> Is there some test that the image file is valid?
There is, but I'm not sure if it catches this problem; I'll have to check.
-- brion vibber (brion @ pobox.com)
On Sep 28, 2004, at 1:44 PM, Brion Vibber wrote:
> On Sep 28, 2004, at 9:50 AM, Stephan Walter wrote:
>> What about the JPEG bug in Windows/GDI+? http://www.easynews.com/virus.html
> At least there's a *patch* for that. If you're up on your Windows Updates, IE should not be vulnerable to that AFAIK.
>> Is there some test that the image file is valid?
> There is, but I'm not sure if it catches this problem; I'll have to check.
That particular file ('possibleVirus.jpg') does not pass our validity test, and is thus not accepted for upload. I haven't (yet) scanned existing uploads for this particular vulnerability, but the validity check was up before Easynews's page about the exploit hit slashdot, at least.
Note that this check is new and not yet in a 1.3 release package. Stock 1.3.3 does not check uploads for validity; I will try to get a 1.3.4 package out soon but am fighting with Internet Explorer's other stupidities.
-- brion vibber (brion @ pobox.com)
Stephan Walter wrote:
> What about the JPEG bug in Windows/GDI+?
<snip>
Tip: use an updated browser: http://www.mozilla.org/products/firefox/
Ashar Voultoiz wrote:
> Tip: use an updated browser: http://www.mozilla.org/products/firefox/
I do use Firefox. It's just that I feel sorry for those who don't ;-)
Stephan
wikitech-l@lists.wikimedia.org