-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
It seems like the subject as been brought up everywhere (such as English Wikipedia's Village Pump and a Wikinews talk page), but it hasn't been breached on wikitech-l yet. So that's what I'm going to do. It appears, from [[wikinews:Talk:Microsoft Windows metafiles are a vector for computer viruses]] that Commons accepts wmf files masquerading as ogg files. The security of MediaWiki installations on Windows platforms is also dubious.
For information purposes, what are the developers doing about it? - -- Edward Z. Yang Personal: edwardzyang@thewritingpot.com SN:Ambush Commander Website: http://www.thewritingpot.com/ GPGKey:0x869C48DA http://www.thewritingpot.com/gpgpubkey.asc 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA
At least: * check, whether the antivirus signatures are up-to-date (ClamAV or whatever is used on your servers) * F-Secure (for example) seems to detect them already http://www-f-secure.com http://www.f-secure.com/weblog/
Tom
Edward Z. Yang schrieb:
It seems like the subject as been brought up everywhere (such as English Wikipedia's Village Pump and a Wikinews talk page), but it hasn't been breached on wikitech-l yet. So that's what I'm going to do. It appears, from [[wikinews:Talk:Microsoft Windows metafiles are a vector for computer viruses]] that Commons accepts wmf files masquerading as ogg files. The security of MediaWiki installations on Windows platforms is also dubious.
For information purposes, what are the developers doing about it?
Edward Z. Yang wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
It seems like the subject as been brought up everywhere (such as English Wikipedia's Village Pump and a Wikinews talk page), but it hasn't been breached on wikitech-l yet. So that's what I'm going to do. It appears, from [[wikinews:Talk:Microsoft Windows metafiles are a vector for computer viruses]] that Commons accepts wmf files masquerading as ogg files. The security of MediaWiki installations on Windows platforms is also dubious.
For information purposes, what are the developers doing about it?
MediaWiki allowed the creation of <img> tags for types such as ogg, this is the worst aspect of this vulnerability since it allows infection without user interaction. I've created an initial patch for this and applied it to Wikimedia websites. The only remaining vulnerability that we're aware of is if someone clicks on a link to a file and specifically tells their browser to open it in a program with magic number detection, such as MS Paint.
To be sure though, we're currently working on preventing the uploading of WMF files by magic number detection. Once both of these fixes are committed and backported, we'll do a release.
In the meantime, site administrators can apply the following patch to their 1.5 or 1.6 installations:
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-January/013086.html
Users of 1.4 should either upgrade to 1.5 or disable uploads.
-- Tim Starling
Tim Starling wrote:
In the meantime, site administrators can apply the following patch to their 1.5 or 1.6 installations:
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-January/013086.html
Users of 1.4 should either upgrade to 1.5 or disable uploads.
Since the default upload filetype whitelist includes only some image types which are verified at upload time with getimagesize() type checking, the default configuration plus uploads enabled should not allow for such uploads.
If you have added other extensions to the whitelist which aren't recognized internally (eg, OGG), then you should be careful as above.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org