On 18 Dec 2014, at 09:01, Brian Wolff <bawolff(a)gmail.com> wrote:
I don't disagree that its a bug, but in order to
exploit user would have to:
*Convince user to go rather obscure thumb.php page
*already have the ability to add javascript to any page on wiki
In which case, why wouldn't evil malicious user just insert javascript
on the normal page everyone is looking at. That's both more effective,
and probably less noticeable. Thus I don't see how it exposes any new
security issues that aren't already present. Of course I may simply
just be missing the nature of the "circumstances" that you reference
in your comment.
--bawolff
p.s. Given there is now a fix released, I think its important to be
able to have frank discussions about security issues. After all, the
best way to prevent future security issues is to make sure everyone
understands the past issues, so that people don't make the same
mistake again.
The circumstances I meant do not involve an administrator with malicious intent.
I agree they should be disclosed, but this particular issue aside, I don't
think we should publicly discuss the full HowTo, yet. It's too soon after release.
CVE applies a very strict policy on that as well (maybe too strict). And the
same at other trackers, and tech organisations. Feel free to ask me on IRC
or elsewhere in private, though.
— Krinkle